diff --git a/Dockerfile b/Dockerfile index b16abcb0..275c27d1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,19 @@ ADD . /go/src/github.com/devtron-labs/image-scanner RUN GOOS=linux make FROM alpine:3.17 +RUN apk update && apk add --no-cache --virtual .build-deps && apk add bash && apk add make && apk add curl && apk add git && apk add zip && apk add jq COPY --from=aquasec/trivy:0.46.1 /usr/local/bin/trivy /usr/local/bin/trivy RUN apk add --no-cache ca-certificates RUN mkdir -p /security RUN adduser -D devtron + +COPY ./git-ask-pass.sh /git-ask-pass.sh +RUN chmod +x /git-ask-pass.sh + COPY --from=build-env /go/src/github.com/devtron-labs/image-scanner/image-scanner . +COPY ./ssh-config /root/.ssh/config +RUN chmod 644 /root/.ssh/config + RUN chown -R devtron:devtron ./image-scanner RUN chmod +x ./image-scanner RUN chown -R devtron:devtron ./security diff --git a/Wire.go b/Wire.go index 747e309c..825f9b35 100644 --- a/Wire.go +++ b/Wire.go @@ -7,6 +7,7 @@ import ( "github.com/devtron-labs/common-lib/monitoring" client "github.com/devtron-labs/common-lib/pubsub-lib" "github.com/devtron-labs/image-scanner/api" + "github.com/devtron-labs/image-scanner/helper" "github.com/devtron-labs/image-scanner/internal/logger" "github.com/devtron-labs/image-scanner/internal/sql" "github.com/devtron-labs/image-scanner/internal/sql/repository" @@ -37,8 +38,8 @@ func InitializeApp() (*App, error) { pubsub.NewNatSubscription, grafeasService.NewKlarServiceImpl, wire.Bind(new(grafeasService.GrafeasService), new(*grafeasService.GrafeasServiceImpl)), - pubsub.NewTestPublishImpl, - wire.Bind(new(pubsub.TestPublish), new(*pubsub.TestPublishImpl)), + //pubsub.NewTestPublishImpl, + //wire.Bind(new(pubsub.TestPublish), new(*pubsub.TestPublishImpl)), clairService.GetClairConfig, clairService.NewClairServiceImpl, @@ -80,6 +81,15 @@ func InitializeApp() (*App, error) { repository.NewScanToolExecutionHistoryMappingRepositoryImpl, wire.Bind(new(repository.ScanToolExecutionHistoryMappingRepository), new(*repository.ScanToolExecutionHistoryMappingRepositoryImpl)), monitoring.NewMonitoringRouter, + helper.NewGitManagerImpl, + helper.NewGitCliManager, + wire.Bind(new(helper.GitCliManager), new(*helper.GitCliManagerImpl)), + + security.NewCodeScanServiceImpl, + wire.Bind(new(security.CodeScanService), new(*security.CodeScanServiceImpl)), + + repository.NewResourceScanResultRepositoryImpl, + wire.Bind(new(repository.ResourceScanResultRepository), new(*repository.ResourceScanResultRepositoryImpl)), ) return &App{}, nil } diff --git a/api/RestHandler.go b/api/RestHandler.go index e2bbdec6..725df8fb 100644 --- a/api/RestHandler.go +++ b/api/RestHandler.go @@ -9,7 +9,7 @@ import ( "github.com/devtron-labs/image-scanner/pkg/klarService" "github.com/devtron-labs/image-scanner/pkg/security" "github.com/devtron-labs/image-scanner/pkg/user" - "github.com/devtron-labs/image-scanner/pubsub" + //"github.com/devtron-labs/image-scanner/pubsub" "go.uber.org/zap" "net/http" "os" @@ -20,33 +20,37 @@ type RestHandler interface { } func NewRestHandlerImpl(logger *zap.SugaredLogger, - testPublish pubsub.TestPublish, + //testPublish pubsub.TestPublish, grafeasService grafeasService.GrafeasService, userService user.UserService, imageScanService security.ImageScanService, klarService klarService.KlarService, clairService clairService.ClairService, - imageScanConfig *security.ImageScanConfig) *RestHandlerImpl { + imageScanConfig *security.ImageScanConfig, + codeScanService security.CodeScanService, +) *RestHandlerImpl { return &RestHandlerImpl{ - logger: logger, - testPublish: testPublish, + logger: logger, + //testPublish: testPublish, grafeasService: grafeasService, userService: userService, imageScanService: imageScanService, klarService: klarService, clairService: clairService, imageScanConfig: imageScanConfig, + codeScanService: codeScanService, } } type RestHandlerImpl struct { - logger *zap.SugaredLogger - testPublish pubsub.TestPublish + logger *zap.SugaredLogger + //testPublish pubsub.TestPublish grafeasService grafeasService.GrafeasService userService user.UserService imageScanService security.ImageScanService klarService klarService.KlarService clairService clairService.ClairService imageScanConfig *security.ImageScanConfig + codeScanService security.CodeScanService } type Response struct { Code int `json:"code,omitempty"` @@ -76,6 +80,17 @@ func (impl *RestHandlerImpl) ScanForVulnerability(w http.ResponseWriter, r *http writeJsonResp(w, err, nil, http.StatusBadRequest) return } + result, err := impl.ScanForVulnerabilityEvent(&scanConfig) + if err != nil { + writeJsonResp(w, err, nil, http.StatusInternalServerError) + return + } + impl.logger.Debugw("save", "status", result) + writeJsonResp(w, err, result, http.StatusOK) +} + +func (impl *RestHandlerImpl) ScanForVulnerabilityEvent(scanConfig *common.ImageScanEvent) (*common.ScanEventResponse, error) { + if scanConfig.UserId == 0 { scanConfig.UserId = 1 //setting user as system user in case of empty user data } @@ -84,45 +99,47 @@ func (impl *RestHandlerImpl) ScanForVulnerability(w http.ResponseWriter, r *http tool, err := impl.imageScanService.GetActiveTool() if err != nil { impl.logger.Errorw("err in image scanning", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return + return nil, err } - executionHistory, executionHistoryDirPath, err := impl.imageScanService.RegisterScanExecutionHistoryAndState(&scanConfig, tool) + executionHistory, executionHistoryDirPath, err := impl.imageScanService.RegisterScanExecutionHistoryAndState(scanConfig, tool) if err != nil { impl.logger.Errorw("service err, RegisterScanExecutionHistoryAndState", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return + return nil, err } - if tool.Name == bean.ScanToolClair && tool.Version == bean.ScanToolVersion2 { - result, err = impl.klarService.Process(&scanConfig, executionHistory) - if err != nil { - impl.logger.Errorw("err in process msg", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return - } - } else if tool.Name == bean.ScanToolClair && tool.Version == bean.ScanToolVersion4 { - result, err = impl.clairService.ScanImage(&scanConfig, tool, executionHistory) + + if scanConfig.SourceType == common.SourceTypeCode { + err = impl.codeScanService.ScanCode(scanConfig, tool, executionHistory, executionHistoryDirPath) if err != nil { - impl.logger.Errorw("err in process msg", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return + impl.logger.Errorw("Error scanning code", "err", err) + } } else { - err = impl.imageScanService.ScanImage(&scanConfig, tool, executionHistory, executionHistoryDirPath) - if err != nil { - impl.logger.Errorw("err in process msg", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return + if tool.Name == bean.ScanToolClair && tool.Version == bean.ScanToolVersion2 { + result, err = impl.klarService.Process(scanConfig, executionHistory) + if err != nil { + impl.logger.Errorw("err in process msg", "err", err) + return nil, err + } + } else if tool.Name == bean.ScanToolClair && tool.Version == bean.ScanToolVersion4 { + result, err = impl.clairService.ScanImage(scanConfig, tool, executionHistory) + if err != nil { + impl.logger.Errorw("err in process msg", "err", err) + return nil, err + } + } else { + err = impl.imageScanService.ScanImage(scanConfig, tool, executionHistory, executionHistoryDirPath) + if err != nil { + impl.logger.Errorw("err in process msg", "err", err) + return nil, err + } } } + //deleting executionDirectoryPath with files as well err = os.RemoveAll(executionHistoryDirPath) if err != nil { impl.logger.Errorw("error in deleting executionHistoryDirectory", "err", err) - writeJsonResp(w, err, nil, http.StatusInternalServerError) - return + return nil, err } - - impl.logger.Debugw("save", "status", result) - writeJsonResp(w, err, result, http.StatusOK) + return result, nil } diff --git a/cicodescan.json b/cicodescan.json new file mode 100644 index 00000000..957b05a0 --- /dev/null +++ b/cicodescan.json @@ -0,0 +1,130 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2024-04-15T22:03:08.717492+05:30", + "ArtifactName": "/tmp/security/devtronimagescan/211/code", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 24, + "Failures": 3, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'nginx'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + "https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 1, + "EndLine": 1, + "Code": { + "Lines": [ + { + "Number": 1, + "Content": "FROM nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m nginx", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "OS Packages", + "Class": "license" + }, + { + "Target": "Loose File License(s)", + "Class": "license-file" + } + ] +} diff --git a/common/bean.go b/common/bean.go index 5ee4af83..dd8588f5 100644 --- a/common/bean.go +++ b/common/bean.go @@ -1,6 +1,8 @@ package common import ( + "github.com/devtron-labs/image-scanner/helper" + //"github.com/devtron-labs/image-scanner/internal/sql/repository" "github.com/optiopay/klar/clair" "github.com/quay/claircore" "strings" @@ -16,6 +18,7 @@ const ( GCR_FILE_PATH = "FILE_PATH" IMAGE_NAME = "IMAGE_NAME" OUTPUT_FILE_PATH = "OUTPUT_FILE_PATH" + EXTRA_ARGS = "EXTRA_ARGS" ) const ( @@ -49,6 +52,13 @@ type ImageScanEvent struct { Token string `json:"token"` AwsRegion string `json:"awsRegion"` DockerRegistryId string `json:"dockerRegistryId"` + //ScanHistoryId int `json:"scanHistoryId"` + CiProjectDetails []helper.CiProjectDetails `json:"ciProjectDetails"` + SourceType SourceType `json:"sourceType"` + SourceSubType SourceSubType `json:"sourceSubType"` + CiWorkflowId int `json:"ciWorkflowId"` + CdWorkflowId int `json:"cdWorkflowId"` + ChartHistoryId int `json:"chartHistoryId"` } type ScanEventResponse struct { @@ -132,3 +142,19 @@ func RemoveTrailingComma(jsonString string) string { } return jsonString } + +// multiple history rows for one source event +type SourceType int + +const ( + SourceTypeImage SourceType = 1 + SourceTypeCode SourceType = 2 + SourceTypeSbom SourceType = 3 // can be used in future for direct sbom scanning +) + +type SourceSubType int + +const ( + SourceSubTypeCi SourceSubType = 1 // relevant for ci code(2,1) or ci built image(1,1) + SourceSubTypeManifest SourceSubType = 2 // relevant for devtron app deployment manifest/helm app manifest(2,2) or images retrieved from manifest(1,2)) +) diff --git a/cyclonedx.json b/cyclonedx.json new file mode 100644 index 00000000..073b7ae6 --- /dev/null +++ b/cyclonedx.json @@ -0,0 +1,10990 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:1898de1c-81ca-42ce-a35c-151bcccb9adc", + "version": 1, + "metadata": { + "timestamp": "2024-04-15T11:45:45+00:00", + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "0.50.1" + } + ] + }, + "component": { + "bom-ref": "pkg:oci/myrepo@sha256%3Ac24e8d746bb4d4ee807aeec23f3cd42fb1e24b9cd21168074a23d67d8be96e95?arch=amd64&repository_url=index.docker.io%2Flaeeqa222%2Fmyrepo", + "type": "container", + "name": "laeeqa222/myrepo:4a6bb4fb-218-89", + "purl": "pkg:oci/myrepo@sha256%3Ac24e8d746bb4d4ee807aeec23f3cd42fb1e24b9cd21168074a23d67d8be96e95?arch=amd64&repository_url=index.docker.io%2Flaeeqa222%2Fmyrepo", + "properties": [ + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:2ee294939e65b5486fa823365302c086df8a03ac6064c8a58ebcbb81a85baf86" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:4a4c3fe4d6e7c639c58d864abd3321ff89e06ed9fe0dda9cffa38cf75c279872" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:75960f7ec704b1afc47685bd8ae9be781c3c507d4b827e82f668ed63f1912703" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:b5865eae8a402dda5afa36594da78dd3f9e27e97f8a81b56ae4d9d7e10a80478" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:c4484f227d5e1d3074ee6a30ffaa0bc67a13a1b83f5f198b5369be17ee07870f" + }, + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:fc62225e78901f7a6467f5844a42282275276096a98fcbd94371a8118db23b40" + }, + { + "name": "aquasecurity:trivy:ImageID", + "value": "sha256:deb4f785df881894c58716aae454277acef6f37aedf1ff90a766aebd4c2b712c" + }, + { + "name": "aquasecurity:trivy:RepoDigest", + "value": "laeeqa222/myrepo@sha256:c24e8d746bb4d4ee807aeec23f3cd42fb1e24b9cd21168074a23d67d8be96e95" + }, + { + "name": "aquasecurity:trivy:RepoTag", + "value": "laeeqa222/myrepo:4a6bb4fb-218-89" + }, + { + "name": "aquasecurity:trivy:SchemaVersion", + "value": "2" + } + ] + } + }, + "components": [ + { + "bom-ref": "7a2313d2-c780-465f-8d38-ca5272578372", + "type": "operating-system", + "name": "debian", + "version": "12.5", + "properties": [ + { + "name": "aquasecurity:trivy:Class", + "value": "os-pkgs" + }, + { + "name": "aquasecurity:trivy:Type", + "value": "debian" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/adduser@3.134?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Adduser Developers " + }, + "name": "adduser", + "version": "3.134", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/adduser@3.134?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "adduser@3.134" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "adduser" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.134" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "APT Development Team " + }, + "name": "apt", + "version": "2.6.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "apt@2.6.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "apt" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.6.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Santiago Vila " + }, + "name": "base-files", + "version": "12.4+deb12u5", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "base-files@12.4+deb12u5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "base-files" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.4+deb12u5" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/base-passwd@3.6.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Colin Watson " + }, + "name": "base-passwd", + "version": "3.6.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/base-passwd@3.6.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "base-passwd@3.6.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "base-passwd" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.6.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/bash@5.2.15-2%2Bb2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Matthias Klose " + }, + "name": "bash", + "version": "5.2.15-2+b2", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GFDL-NIV-1.3" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "BSD-4-clause-UC" + } + }, + { + "license": { + "name": "MIT-like" + } + }, + { + "license": { + "name": "permissive" + } + } + ], + "purl": "pkg:deb/debian/bash@5.2.15-2%2Bb2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "bash@5.2.15-2+b2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "bash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.2.15" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/bsdutils@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "bsdutils", + "version": "1:2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/bsdutils@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "bsdutils@1:2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Julien Cristau " + }, + "name": "ca-certificates", + "version": "20230311", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "MPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ca-certificates@20230311" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ca-certificates" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "20230311" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/coreutils@9.1-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Michael Stone " + }, + "name": "coreutils", + "version": "9.1-1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "BSD-4-clause-UC" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "GFDL-NIV-1.3" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/debian/coreutils@9.1-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "coreutils@9.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "coreutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "9.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Alessandro Ghedini " + }, + "name": "curl", + "version": "7.88.1-10+deb12u5", + "licenses": [ + { + "license": { + "name": "curl" + } + }, + { + "license": { + "name": "OLDAP-2.8" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-2+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "GPL-3+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "GPL-2+ with Libtool exception" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-4-Clause-UC" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "curl@7.88.1-10+deb12u5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "curl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "10+deb12u5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "7.88.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/dash@0.5.12-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Andrej Shadura " + }, + "name": "dash", + "version": "0.5.12-2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/dash@0.5.12-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "dash@0.5.12-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "dash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.5.12" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debconf Developers " + }, + "name": "debconf", + "version": "1.5.82", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + } + ], + "purl": "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "debconf@1.5.82" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "debconf" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.82" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/debian-archive-keyring@2023.3%2Bdeb12u1?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Release Team " + }, + "name": "debian-archive-keyring", + "version": "2023.3+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/debian-archive-keyring@2023.3%2Bdeb12u1?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "debian-archive-keyring@2023.3+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "debian-archive-keyring" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2023.3+deb12u1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Clint Adams " + }, + "name": "debianutils", + "version": "5.7-0.5~deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "SMAIL-GPL" + } + } + ], + "purl": "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "debianutils@5.7-0.5~deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "debianutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0.5~deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.7" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/diffutils@3.8-4?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Santiago Vila " + }, + "name": "diffutils", + "version": "1:3.8-4", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "GPL-3+ with texinfo exception" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "FSFAP" + } + }, + { + "license": { + "name": "GFDL-NIV-1.3" + } + }, + { + "license": { + "name": "LGPL-3.0+" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/debian/diffutils@3.8-4?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "diffutils@1:3.8-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "diffutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.8" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Dpkg Developers " + }, + "name": "dpkg", + "version": "1.21.22", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "public-domain-s-s-d" + } + } + ], + "purl": "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "dpkg@1.21.22" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "dpkg" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.21.22" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/e2fsprogs@1.47.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Theodore Y. Ts'o " + }, + "name": "e2fsprogs", + "version": "1.47.0-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT-US-export" + } + }, + { + "license": { + "name": "Kazlib" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "GPL-2+ with Texinfo exception" + } + }, + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/e2fsprogs@1.47.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "e2fsprogs@1.47.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.47.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/findutils@4.9.0-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Andreas Metzler " + }, + "name": "findutils", + "version": "4.9.0-4", + "licenses": [ + { + "license": { + "name": "GFDL-NIV-1.3+" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "FSFAP" + } + }, + { + "license": { + "name": "GPL-3+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "GPL-2+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GPL with automake exception" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "BSD-3-clause and/or GPL-3+" + } + }, + { + "license": { + "name": "GPL-3+ with Bison-2.2 exception" + } + }, + { + "license": { + "name": "ISC and/or LGPL-2.1+" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/findutils@4.9.0-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "findutils@4.9.0-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "findutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.9.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/fontconfig-config@2.14.1-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian freedesktop.org maintainers " + }, + "name": "fontconfig-config", + "version": "2.14.1-4", + "purl": "pkg:deb/debian/fontconfig-config@2.14.1-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "fontconfig-config@2.14.1-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "fontconfig" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.14.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/fonts-dejavu-core@2.37-6?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Fonts Task Force " + }, + "name": "fonts-dejavu-core", + "version": "2.37-6", + "licenses": [ + { + "license": { + "name": "bitstream-vera" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/fonts-dejavu-core@2.37-6?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "fonts-dejavu-core@2.37-6" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "fonts-dejavu" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.37" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GCC Maintainers " + }, + "name": "gcc-12-base", + "version": "12.2.0-14", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.2" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gcc-12-base@12.2.0-14" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "14" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.2.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/gettext-base@0.21-12?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Santiago Vila " + }, + "name": "gettext-base", + "version": "0.21-12", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GFDL" + } + } + ], + "purl": "pkg:deb/debian/gettext-base@0.21-12?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gettext-base@0.21-12" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gettext" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "12" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.21" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuPG Maintainers " + }, + "name": "gpgv", + "version": "2.2.40-1.1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "permissive" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "RFC-Reference" + } + }, + { + "license": { + "name": "TinySCHEME" + } + }, + { + "license": { + "name": "CC0-1.0" + } + } + ], + "purl": "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gpgv@2.2.40-1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gnupg2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.2.40" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/grep@3.8-5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Anibal Monsalve Salazar " + }, + "name": "grep", + "version": "3.8-5", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/grep@3.8-5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "grep@3.8-5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "grep" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.8" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/gzip@1.12-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Milan Kupcevic " + }, + "name": "gzip", + "version": "1.12-1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3+-no-invariant" + } + }, + { + "license": { + "name": "FSF-manpages" + } + }, + { + "license": { + "name": "GFDL-3" + } + } + ], + "purl": "pkg:deb/debian/gzip@1.12-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "gzip@1.12-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gzip" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.12" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/hostname@3.23%2Bnmu1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Michael Meskes " + }, + "name": "hostname", + "version": "3.23+nmu1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/hostname@3.23%2Bnmu1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "hostname@3.23+nmu1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "hostname" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.23+nmu1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/init-system-helpers@1.65.2?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian systemd Maintainers " + }, + "name": "init-system-helpers", + "version": "1.65.2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/init-system-helpers@1.65.2?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "init-system-helpers@1.65.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "init-system-helpers" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.65.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libabsl20220623@20220623.1-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Benjamin Barenblat " + }, + "name": "libabsl20220623", + "version": "20220623.1-1", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/libabsl20220623@20220623.1-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libabsl20220623@20220623.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "abseil" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "20220623.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libacl1@2.3.1-3?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Guillem Jover " + }, + "name": "libacl1", + "version": "2.3.1-3", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/debian/libacl1@2.3.1-3?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libacl1@2.3.1-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "acl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.3.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libaom3", + "version": "3.6.0-1", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "public-domain-md5" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libaom3@3.6.0-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "aom" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.6.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "APT Development Team " + }, + "name": "libapt-pkg6.0", + "version": "2.6.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libapt-pkg6.0@2.6.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "apt" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.6.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libattr1@2.5.1-4?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Guillem Jover " + }, + "name": "libattr1", + "version": "1:2.5.1-4", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/debian/libattr1@2.5.1-4?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libattr1@1:2.5.1-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "attr" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libaudit-common@3.0.9-1?arch=all&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Laurent Bigonville " + }, + "name": "libaudit-common", + "version": "1:3.0.9-1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/debian/libaudit-common@3.0.9-1?arch=all&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libaudit-common@1:3.0.9-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "audit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Laurent Bigonville " + }, + "name": "libaudit1", + "version": "1:3.0.9-1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libaudit1@1:3.0.9-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "audit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libavif15@0.11.1-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libavif15", + "version": "0.11.1-1", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "custom-1" + } + } + ], + "purl": "pkg:deb/debian/libavif15@0.11.1-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libavif15@0.11.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libavif" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.11.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "libblkid1", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libblkid1@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Tomasz Buchert " + }, + "name": "libbrotli1", + "version": "1.0.9-2+b6", + "licenses": [ + { + "license": { + "name": "MIT" + } + } + ], + "purl": "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libbrotli1@1.0.9-2+b6" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "brotli" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Guillem Jover " + }, + "name": "libbsd0", + "version": "0.11.7-2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-4-clause-Niels-Provos" + } + }, + { + "license": { + "name": "BSD-3-clause-Regents" + } + }, + { + "license": { + "name": "BSD-2-clause-NetBSD" + } + }, + { + "license": { + "name": "BSD-3-clause-author" + } + }, + { + "license": { + "name": "BSD-3-clause-John-Birrell" + } + }, + { + "license": { + "name": "libutil-David-Nugent" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-2-clause-verbatim" + } + }, + { + "license": { + "name": "BSD-2-clause-author" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "ISC-Original" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "Beerware" + } + } + ], + "purl": "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libbsd0@0.11.7-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libbsd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.11.7" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Anibal Monsalve Salazar " + }, + "name": "libbz2-1.0", + "version": "1.0.8-5+b1", + "licenses": [ + { + "license": { + "name": "BSD-variant" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libbz2-1.0@1.0.8-5+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "bzip2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.8" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "GNU Libc Maintainers " + }, + "name": "libc-bin", + "version": "2.36-9+deb12u4", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libc-bin@2.36-9+deb12u4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "glibc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "9+deb12u4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.36" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "GNU Libc Maintainers " + }, + "name": "libc6", + "version": "2.36-9+deb12u4", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libc6@2.36-9+deb12u4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "glibc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "9+deb12u4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.36" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libcap-ng0@0.8.3-1%2Bb3?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Håvard F. Aasen " + }, + "name": "libcap-ng0", + "version": "0.8.3-1+b3", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libcap-ng0@0.8.3-1%2Bb3?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcap-ng0@0.8.3-1+b3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libcap-ng" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.8.3" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libcap2@2.66-4?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Christian Kastner " + }, + "name": "libcap2", + "version": "1:2.66-4", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libcap2@2.66-4?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcap2@1:2.66-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libcap2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.66" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Theodore Y. Ts'o " + }, + "name": "libcom-err2", + "version": "1.47.0-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT-US-export" + } + }, + { + "license": { + "name": "Kazlib" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "GPL-2+ with Texinfo exception" + } + }, + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcom-err2@1.47.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.47.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Marco d'Itri " + }, + "name": "libcrypt1", + "version": "1:4.4.33-2", + "purl": "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcrypt1@1:4.4.33-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxcrypt" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.4.33" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Alessandro Ghedini " + }, + "name": "libcurl4", + "version": "7.88.1-10+deb12u5", + "licenses": [ + { + "license": { + "name": "curl" + } + }, + { + "license": { + "name": "OLDAP-2.8" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-2+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "GPL-3+ with Autoconf-data exception" + } + }, + { + "license": { + "name": "GPL-2+ with Libtool exception" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-4-Clause-UC" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcurl4@7.88.1-10+deb12u5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "curl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "10+deb12u5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "7.88.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libdav1d6", + "version": "1.0.0-2", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdav1d6@1.0.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "dav1d" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg2-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Bastian Germann " + }, + "name": "libdb5.3", + "version": "5.3.28+dfsg2-1", + "licenses": [ + { + "license": { + "name": "Sleepycat" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Ms-PL" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "MIT-old" + } + }, + { + "license": { + "name": "TCL-like" + } + }, + { + "license": { + "name": "BSD-3-clause-fjord" + } + }, + { + "license": { + "name": "Zlib" + } + } + ], + "purl": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg2-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdb5.3@5.3.28+dfsg2-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "db5.3" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.3.28+dfsg2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libde265-0@1.0.11-1%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libde265-0", + "version": "1.0.11-1+deb12u2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "public-domain-1" + } + }, + { + "license": { + "name": "other-1" + } + } + ], + "purl": "pkg:deb/debian/libde265-0@1.0.11-1%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libde265-0@1.0.11-1+deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libde265" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1+deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.11" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libdebconfclient0@0.270?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Install System Team " + }, + "name": "libdebconfclient0", + "version": "0.270", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libdebconfclient0@0.270?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdebconfclient0@0.270" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "cdebconf" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.270" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libdeflate0@1.14-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Med Packaging Team " + }, + "name": "libdeflate0", + "version": "1.14-1", + "licenses": [ + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/debian/libdeflate0@1.14-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libdeflate0@1.14-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libdeflate" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.14" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "LLVM Packaging Team " + }, + "name": "libedit2", + "version": "3.1-20221030-2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libedit2@3.1-20221030-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libedit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.1-20221030" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Laszlo Boszormenyi (GCS) " + }, + "name": "libexpat1", + "version": "2.5.0-1", + "licenses": [ + { + "license": { + "name": "MIT" + } + } + ], + "purl": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libexpat1@2.5.0-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "expat" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libext2fs2@1.47.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Theodore Y. Ts'o " + }, + "name": "libext2fs2", + "version": "1.47.0-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT-US-export" + } + }, + { + "license": { + "name": "Kazlib" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "GPL-2+ with Texinfo exception" + } + }, + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/libext2fs2@1.47.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libext2fs2@1.47.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.47.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libffi8@3.4.4-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GCC Maintainers " + }, + "name": "libffi8", + "version": "3.4.4-1", + "licenses": [ + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MPL-1.1" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/libffi8@3.4.4-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libffi8@3.4.4-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libffi" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libfontconfig1@2.14.1-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian freedesktop.org maintainers " + }, + "name": "libfontconfig1", + "version": "2.14.1-4", + "purl": "pkg:deb/debian/libfontconfig1@2.14.1-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libfontconfig1@2.14.1-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "fontconfig" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.14.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Hugh McMaster " + }, + "name": "libfreetype6", + "version": "2.12.1+dfsg-5", + "licenses": [ + { + "license": { + "name": "FTL" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "FSFAP" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Public-Domain" + } + }, + { + "license": { + "name": "BSL-1.0" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "OpenGroup-BSD-like" + } + } + ], + "purl": "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libfreetype6@2.12.1+dfsg-5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "freetype" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.12.1+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgav1-1@0.18.0-1%2Bb1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libgav1-1", + "version": "0.18.0-1+b1", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libgav1-1@0.18.0-1%2Bb1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgav1-1@0.18.0-1+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgav1" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.18.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GCC Maintainers " + }, + "name": "libgcc-s1", + "version": "12.2.0-14", + "purl": "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgcc-s1@12.2.0-14" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "14" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.2.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuTLS Maintainers " + }, + "name": "libgcrypt20", + "version": "1.10.1-3", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgcrypt20@1.10.1-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgcrypt20" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.10.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgd3@2.3.3-9?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "GD Team " + }, + "name": "libgd3", + "version": "2.3.3-9", + "licenses": [ + { + "license": { + "name": "GD" + } + }, + { + "license": { + "name": "GAP~Makefile.in" + } + }, + { + "license": { + "name": "GPL-2.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GAP~configure" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "HPND" + } + }, + { + "license": { + "name": "XFIG" + } + }, + { + "license": { + "name": "WEBP" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libgd3@2.3.3-9?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgd3@2.3.3-9" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgd2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "9" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.3.3" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgeoip1@1.6.12-10?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Patrick Matthäi " + }, + "name": "libgeoip1", + "version": "1.6.12-10", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/libgeoip1@1.6.12-10?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgeoip1@1.6.12-10" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "geoip" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "10" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.6.12" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "type": "library", + "supplier": { + "name": "Debian Science Team " + }, + "name": "libgmp10", + "version": "2:6.2.1+dfsg1-1.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + } + ], + "purl": "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgmp10@2:6.2.1+dfsg1-1.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gmp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.2.1+dfsg1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuTLS Maintainers " + }, + "name": "libgnutls30", + "version": "3.7.9-2+deb12u2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + }, + { + "license": { + "name": "CC0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "LGPLv3+" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgnutls30@3.7.9-2+deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gnutls28" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.7.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuPG Maintainers " + }, + "name": "libgpg-error0", + "version": "1.46-1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "g10-permissive" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgpg-error0@1.46-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libgpg-error" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.46" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libgssapi-krb5-2", + "version": "1.20.1-2+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libgssapi-krb5-2@1.20.1-2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.20.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libheif1", + "version": "1.15.1-1", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BOOST-1.0" + } + } + ], + "purl": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libheif1@1.15.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libheif" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.15.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Magnus Holmgren " + }, + "name": "libhogweed6", + "version": "3.8.1-2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GAP" + } + } + ], + "purl": "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libhogweed6@3.8.1-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nettle" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.8.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libicu72@72.1-3?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Laszlo Boszormenyi (GCS) " + }, + "name": "libicu72", + "version": "72.1-3", + "licenses": [ + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libicu72@72.1-3?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libicu72@72.1-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "icu" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "72.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Libidn team " + }, + "name": "libidn2-0", + "version": "2.3.3-1+b1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Unicode" + } + } + ], + "purl": "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libidn2-0@2.3.3-1+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libidn2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.3.3" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Michael van der Kolff " + }, + "name": "libjbig0", + "version": "2.1-6.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libjbig0@2.1-6.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "jbigkit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Ondřej Surý " + }, + "name": "libjpeg62-turbo", + "version": "1:2.1.5-2", + "licenses": [ + { + "license": { + "name": "BSD-BY-LC-NE" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "NTP" + } + } + ], + "purl": "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libjpeg62-turbo@1:2.1.5-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libjpeg-turbo" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.1.5" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libk5crypto3", + "version": "1.20.1-2+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libk5crypto3@1.20.1-2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.20.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libkeyutils1@1.6.3-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Christian Kastner " + }, + "name": "libkeyutils1", + "version": "1.6.3-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libkeyutils1@1.6.3-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkeyutils1@1.6.3-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "keyutils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.6.3" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libkrb5-3", + "version": "1.20.1-2+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkrb5-3@1.20.1-2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.20.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libkrb5support0", + "version": "1.20.1-2+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libkrb5support0@1.20.1-2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "krb5" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.20.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian OpenLDAP Maintainers " + }, + "name": "libldap-2.5-0", + "version": "2.5.13+dfsg-5", + "licenses": [ + { + "license": { + "name": "OpenLDAP-2.8" + } + }, + { + "license": { + "name": "FSF-unlimited" + } + }, + { + "license": { + "name": "GPL-2.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "GPL-2+ with Libtool exception" + } + }, + { + "license": { + "name": "GPL-3+ with Libtool exception" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "UMich" + } + }, + { + "license": { + "name": "F5" + } + }, + { + "license": { + "name": "JCG" + } + }, + { + "license": { + "name": "MIT-XC" + } + }, + { + "license": { + "name": "NeoSoft-permissive" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Beerware" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-clause-California" + } + }, + { + "license": { + "name": "BSD-3-clause-variant" + } + }, + { + "license": { + "name": "Expat-ISC" + } + }, + { + "license": { + "name": "Expat-UNM" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "BSD-3-clause-California" + } + } + ], + "purl": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libldap-2.5-0@2.5.13+dfsg-5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "openldap" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.13+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/liblerc4@4.0.0%2Bds-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GIS Project " + }, + "name": "liblerc4", + "version": "4.0.0+ds-2", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/liblerc4@4.0.0%2Bds-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "liblerc4@4.0.0+ds-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "lerc" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.0.0+ds" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Nobuhiro Iwamatsu " + }, + "name": "liblz4-1", + "version": "1.9.4-1", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "liblz4-1@1.9.4-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "lz4" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.9.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Jonathan Nieder " + }, + "name": "liblzma5", + "version": "5.4.1-0.2", + "licenses": [ + { + "license": { + "name": "PD" + } + }, + { + "license": { + "name": "probably-PD" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "permissive-fsf" + } + }, + { + "license": { + "name": "Autoconf" + } + }, + { + "license": { + "name": "permissive-nowarranty" + } + }, + { + "license": { + "name": "none" + } + }, + { + "license": { + "name": "config-h" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "noderivs" + } + }, + { + "license": { + "name": "PD-debian" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "liblzma5@5.4.1-0.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "xz-utils" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0.2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.4.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Guillem Jover " + }, + "name": "libmd0", + "version": "1.0.4-2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-3-clause-Aaron-D-Gifford" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-2-clause-NetBSD" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "Beerware" + } + }, + { + "license": { + "name": "public-domain-md4" + } + }, + { + "license": { + "name": "public-domain-md5" + } + }, + { + "license": { + "name": "public-domain-sha1" + } + } + ], + "purl": "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libmd0@1.0.4-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libmd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libmount1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "libmount1", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libmount1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libmount1@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Magnus Holmgren " + }, + "name": "libnettle8", + "version": "3.8.1-2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GAP" + } + } + ], + "purl": "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libnettle8@3.8.1-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nettle" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.8.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Tomasz Buchert " + }, + "name": "libnghttp2-14", + "version": "1.52.0-1+deb12u1", + "licenses": [ + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "all-permissive" + } + }, + { + "license": { + "name": "GPL-3.0-with-autoconf-exception" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libnghttp2-14@1.52.0-1+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nghttp2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.52.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libnuma1@2.0.16-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Ian Wienand " + }, + "name": "libnuma1", + "version": "2.0.16-1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libnuma1@2.0.16-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libnuma1@2.0.16-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "numactl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.0.16" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libp11-kit0@0.24.1-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuTLS Maintainers " + }, + "name": "libp11-kit0", + "version": "0.24.1-2", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "permissive-like-automake-output" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "ISC+IBM" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "same-as-rest-of-p11kit" + } + } + ], + "purl": "pkg:deb/debian/libp11-kit0@0.24.1-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libp11-kit0@0.24.1-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "p11-kit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.24.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpam-modules-bin@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libpam-modules-bin", + "version": "1.5.2-6+deb12u1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "BSD-tcp_wrappers" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "Beerware" + } + } + ], + "purl": "pkg:deb/debian/libpam-modules-bin@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-modules-bin@1.5.2-6+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libpam-modules", + "version": "1.5.2-6+deb12u1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "BSD-tcp_wrappers" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "Beerware" + } + } + ], + "purl": "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-modules@1.5.2-6+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpam-runtime@1.5.2-6%2Bdeb12u1?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libpam-runtime", + "version": "1.5.2-6+deb12u1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "BSD-tcp_wrappers" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "Beerware" + } + } + ], + "purl": "pkg:deb/debian/libpam-runtime@1.5.2-6%2Bdeb12u1?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam-runtime@1.5.2-6+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Sam Hartman " + }, + "name": "libpam0g", + "version": "1.5.2-6+deb12u1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "BSD-tcp_wrappers" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "Beerware" + } + } + ], + "purl": "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpam0g@1.5.2-6+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pam" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Matthew Vernon " + }, + "name": "libpcre2-8-0", + "version": "10.42-1", + "licenses": [ + { + "license": { + "name": "BSD-3-clause-Cambridge with BINARY LIBRARY-LIKE PACKAGES exception" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpcre2-8-0@10.42-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pcre2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "10.42" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Maintainers of libpng1.6 packages " + }, + "name": "libpng16-16", + "version": "1.6.39-2", + "licenses": [ + { + "license": { + "name": "libpng" + } + }, + { + "license": { + "name": "expat" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "BSD-like-with-advertising-clause" + } + }, + { + "license": { + "name": "libpng OR Apache-2.0 OR BSD-3-clause" + } + }, + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpng16-16@1.6.39-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libpng1.6" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.6.39" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libpsl5@0.21.2-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Tim Rühsen " + }, + "name": "libpsl5", + "version": "0.21.2-1", + "licenses": [ + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "gnulib" + } + }, + { + "license": { + "name": "Chromium" + } + } + ], + "purl": "pkg:deb/debian/libpsl5@0.21.2-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libpsl5@0.21.2-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libpsl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.21.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/librav1e0@0.5.1-6?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Rust Maintainers " + }, + "name": "librav1e0", + "version": "0.5.1-6", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/librav1e0@0.5.1-6?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "librav1e0@0.5.1-6" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "rust-rav1e" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.5.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/librtmp1@2.4%2B20151223.gitfa8646d.1-2%2Bb2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "librtmp1", + "version": "2.4+20151223.gitfa8646d.1-2+b2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/debian/librtmp1@2.4%2B20151223.gitfa8646d.1-2%2Bb2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "librtmp1@2.4+20151223.gitfa8646d.1-2+b2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "rtmpdump" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.4+20151223.gitfa8646d.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsasl2-2@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Cyrus Team " + }, + "name": "libsasl2-2", + "version": "2.1.28+dfsg-10", + "licenses": [ + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "OpenSSL" + } + }, + { + "license": { + "name": "SSLeay" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "BSD-4-clause-UC" + } + }, + { + "license": { + "name": "RSA-MD" + } + }, + { + "license": { + "name": "BSD-4-clause-KTH" + } + }, + { + "license": { + "name": "IBM-as-is" + } + }, + { + "license": { + "name": "BSD-3-clause-JANET" + } + }, + { + "license": { + "name": "BSD-3-clause-PADL" + } + }, + { + "license": { + "name": "MIT-OpenVision" + } + }, + { + "license": { + "name": "OpenLDAP" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "MIT-CMU" + } + }, + { + "license": { + "name": "MIT-Export" + } + }, + { + "license": { + "name": "BSD-2.2-clause" + } + } + ], + "purl": "pkg:deb/debian/libsasl2-2@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsasl2-2@2.1.28+dfsg-10" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "cyrus-sasl2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "10" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.1.28+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsasl2-modules-db@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Cyrus Team " + }, + "name": "libsasl2-modules-db", + "version": "2.1.28+dfsg-10", + "licenses": [ + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "OpenSSL" + } + }, + { + "license": { + "name": "SSLeay" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "BSD-4-clause-UC" + } + }, + { + "license": { + "name": "RSA-MD" + } + }, + { + "license": { + "name": "BSD-4-clause-KTH" + } + }, + { + "license": { + "name": "IBM-as-is" + } + }, + { + "license": { + "name": "BSD-3-clause-JANET" + } + }, + { + "license": { + "name": "BSD-3-clause-PADL" + } + }, + { + "license": { + "name": "MIT-OpenVision" + } + }, + { + "license": { + "name": "OpenLDAP" + } + }, + { + "license": { + "name": "FSFULLR" + } + }, + { + "license": { + "name": "MIT-CMU" + } + }, + { + "license": { + "name": "MIT-Export" + } + }, + { + "license": { + "name": "BSD-2.2-clause" + } + } + ], + "purl": "pkg:deb/debian/libsasl2-modules-db@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsasl2-modules-db@2.1.28+dfsg-10" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "cyrus-sasl2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "10" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.1.28+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libseccomp2@2.5.4-1%2Bb3?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Kees Cook " + }, + "name": "libseccomp2", + "version": "2.5.4-1+b3", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + } + ], + "purl": "pkg:deb/debian/libseccomp2@2.5.4-1%2Bb3?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libseccomp2@2.5.4-1+b3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libseccomp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.5.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian SELinux maintainers " + }, + "name": "libselinux1", + "version": "3.4-1+b6", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libselinux1@3.4-1+b6" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libselinux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsemanage-common@3.4-1?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian SELinux maintainers " + }, + "name": "libsemanage-common", + "version": "3.4-1", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libsemanage-common@3.4-1?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsemanage-common@3.4-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsemanage" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsemanage2@3.4-1%2Bb5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian SELinux maintainers " + }, + "name": "libsemanage2", + "version": "3.4-1+b5", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libsemanage2@3.4-1%2Bb5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsemanage2@3.4-1+b5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsemanage" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsepol2@3.4-2.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian SELinux maintainers " + }, + "name": "libsepol2", + "version": "3.4-2.1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libsepol2@3.4-2.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsepol2@3.4-2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libsepol" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "libsmartcols1", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsmartcols1@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libss2@1.47.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Theodore Y. Ts'o " + }, + "name": "libss2", + "version": "1.47.0-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT-US-export" + } + }, + { + "license": { + "name": "Kazlib" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "GPL-2+ with Texinfo exception" + } + }, + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/libss2@1.47.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libss2@1.47.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.47.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libssh2-1@1.10.0-3%2Bb1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Nicolas Mora " + }, + "name": "libssh2-1", + "version": "1.10.0-3+b1", + "licenses": [ + { + "license": { + "name": "BSD3" + } + } + ], + "purl": "pkg:deb/debian/libssh2-1@1.10.0-3%2Bb1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libssh2-1@1.10.0-3+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libssh2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.10.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian OpenSSL Team " + }, + "name": "libssl3", + "version": "3.0.11-1~deb12u2", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libssl3@3.0.11-1~deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "openssl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.11" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GCC Maintainers " + }, + "name": "libstdc++6", + "version": "12.2.0-14", + "purl": "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libstdc++6@12.2.0-14" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "gcc-12" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "14" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "12.2.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsvtav1enc1@1.4.1%2Bdfsg-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libsvtav1enc1", + "version": "1.4.1+dfsg-1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause-Clear" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libsvtav1enc1@1.4.1%2Bdfsg-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsvtav1enc1@1.4.1+dfsg-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "svt-av1" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.4.1+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian systemd Maintainers " + }, + "name": "libsystemd0", + "version": "252.22-1~deb12u1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "GPL-2 with Linux-syscall-note exception" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libsystemd0@252.22-1~deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "systemd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "252.22" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libtasn1-6@4.19.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian GnuTLS Maintainers " + }, + "name": "libtasn1-6", + "version": "4.19.0-2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + } + ], + "purl": "pkg:deb/debian/libtasn1-6@4.19.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtasn1-6@4.19.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libtasn1-6" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.19.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Laszlo Boszormenyi (GCS) " + }, + "name": "libtiff6", + "version": "4.5.0-6+deb12u1", + "licenses": [ + { + "license": { + "name": "Hylafax" + } + } + ], + "purl": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtiff6@4.5.0-6+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "tiff" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "6+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.5.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Craig Small " + }, + "name": "libtinfo6", + "version": "6.4-4", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libtinfo6@6.4-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian systemd Maintainers " + }, + "name": "libudev1", + "version": "252.22-1~deb12u1", + "licenses": [ + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "GPL-2 with Linux-syscall-note exception" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libudev1@252.22-1~deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "systemd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "252.22" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Jörg Frings-Fürst " + }, + "name": "libunistring2", + "version": "1.0-2", + "licenses": [ + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "FreeSoftware" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GFDL-1.2+" + } + }, + { + "license": { + "name": "GPL-2+ with distribution exception" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "GFDL-1.2" + } + } + ], + "purl": "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libunistring2@1.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libunistring" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libuuid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "libuuid1", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/libuuid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libuuid1@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Jeff Breidenbach " + }, + "name": "libwebp7", + "version": "1.2.4-0.2+deb12u1", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libwebp7@1.2.4-0.2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libwebp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0.2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libx11-6@1.8.4-2%2Bdeb12u2?arch=amd64&distro=debian-12.5&epoch=2", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libx11-6", + "version": "2:1.8.4-2+deb12u2", + "purl": "pkg:deb/debian/libx11-6@1.8.4-2%2Bdeb12u2?arch=amd64&distro=debian-12.5&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libx11-6@2:1.8.4-2+deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libx11" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.8.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libx11-data@1.8.4-2%2Bdeb12u2?arch=all&distro=debian-12.5&epoch=2", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libx11-data", + "version": "2:1.8.4-2+deb12u2", + "purl": "pkg:deb/debian/libx11-data@1.8.4-2%2Bdeb12u2?arch=all&distro=debian-12.5&epoch=2", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libx11-data@2:1.8.4-2+deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libx11" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2+deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.8.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libx265-199@3.5-2%2Bb1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libx265-199", + "version": "3.5-2+b1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/libx265-199@3.5-2%2Bb1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libx265-199@3.5-2+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "x265" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.5" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxau6@1.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libxau6", + "version": "1:1.0.9-1", + "purl": "pkg:deb/debian/libxau6@1.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxau6@1:1.0.9-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxau" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.0.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxcb1@1.15-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libxcb1", + "version": "1.15-1", + "purl": "pkg:deb/debian/libxcb1@1.15-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxcb1@1.15-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxcb" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.15" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxdmcp6@1.1.2-3?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libxdmcp6", + "version": "1:1.1.2-3", + "purl": "pkg:deb/debian/libxdmcp6@1.1.2-3?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxdmcp6@1:1.1.2-3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxdmcp" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.1.2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian XML/SGML Group " + }, + "name": "libxml2", + "version": "2.9.14+dfsg-1.3~deb12u1", + "licenses": [ + { + "license": { + "name": "MIT-1" + } + }, + { + "license": { + "name": "ISC" + } + } + ], + "purl": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxml2@2.9.14+dfsg-1.3~deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxml2" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1.3~deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.9.14+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxpm4@3.5.12-1.1%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Debian X Strike Force " + }, + "name": "libxpm4", + "version": "1:3.5.12-1.1+deb12u1", + "purl": "pkg:deb/debian/libxpm4@3.5.12-1.1%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxpm4@1:3.5.12-1.1+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxpm" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1.1+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.5.12" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian XML/SGML Group " + }, + "name": "libxslt1.1", + "version": "1.1.35-1", + "purl": "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxslt1.1@1.1.35-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libxslt" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.1.35" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libxxhash0@0.8.1-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Josue Ortega " + }, + "name": "libxxhash0", + "version": "0.8.1-1", + "licenses": [ + { + "license": { + "name": "BSD-2-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/libxxhash0@0.8.1-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libxxhash0@0.8.1-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "xxhash" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.8.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libyuv0@0.0~git20230123.b2528b0-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian Multimedia Maintainers " + }, + "name": "libyuv0", + "version": "0.0~git20230123.b2528b0-1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/libyuv0@0.0~git20230123.b2528b0-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libyuv0@0.0~git20230123.b2528b0-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libyuv" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.0~git20230123.b2528b0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "RPM packaging team " + }, + "name": "libzstd1", + "version": "1.5.4+dfsg2-5", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "Expat" + } + } + ], + "purl": "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libzstd1@1.5.4+dfsg2-5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libzstd" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.5.4+dfsg2" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Shadow package maintainers " + }, + "name": "login", + "version": "1:4.13+dfsg1-1+b1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-1.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "login@1:4.13+dfsg1-1+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "shadow" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.13+dfsg1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/logsave@1.47.0-2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Theodore Y. Ts'o " + }, + "name": "logsave", + "version": "1.47.0-2", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "Apache-2" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "MIT-US-export" + } + }, + { + "license": { + "name": "Kazlib" + } + }, + { + "license": { + "name": "Latex2e" + } + }, + { + "license": { + "name": "GPL-2+ with Texinfo exception" + } + }, + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:deb/debian/logsave@1.47.0-2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "logsave@1.47.0-2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "e2fsprogs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.47.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/mawk@1.3.4.20200120-3.1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Boyuan Yang " + }, + "name": "mawk", + "version": "1.3.4.20200120-3.1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "CC-BY-3.0" + } + } + ], + "purl": "pkg:deb/debian/mawk@1.3.4.20200120-3.1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "mawk@1.3.4.20200120-3.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "mawk" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "3.1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.4.20200120" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/mount@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "mount", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/mount@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "mount@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/ncurses-base@6.4-4?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Craig Small " + }, + "name": "ncurses-base", + "version": "6.4-4", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/ncurses-base@6.4-4?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ncurses-base@6.4-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Craig Small " + }, + "name": "ncurses-bin", + "version": "6.4-4", + "licenses": [ + { + "license": { + "name": "MIT/X11" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ncurses-bin@6.4-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ncurses" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "6.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/nginx-module-geoip@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "NGINX Packaging " + }, + "name": "nginx-module-geoip", + "version": "1.25.4-1~bookworm", + "purl": "pkg:deb/debian/nginx-module-geoip@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "nginx-module-geoip@1.25.4-1~bookworm" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nginx-module-geoip" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~bookworm" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.25.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/nginx-module-image-filter@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "NGINX Packaging " + }, + "name": "nginx-module-image-filter", + "version": "1.25.4-1~bookworm", + "purl": "pkg:deb/debian/nginx-module-image-filter@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "nginx-module-image-filter@1.25.4-1~bookworm" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nginx-module-image-filter" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~bookworm" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.25.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/nginx-module-njs@1.25.4%2B0.8.3-1~bookworm?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "NGINX Packaging " + }, + "name": "nginx-module-njs", + "version": "1.25.4+0.8.3-1~bookworm", + "purl": "pkg:deb/debian/nginx-module-njs@1.25.4%2B0.8.3-1~bookworm?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "nginx-module-njs@1.25.4+0.8.3-1~bookworm" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nginx-module-njs" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~bookworm" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.25.4+0.8.3" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/nginx-module-xslt@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "NGINX Packaging " + }, + "name": "nginx-module-xslt", + "version": "1.25.4-1~bookworm", + "purl": "pkg:deb/debian/nginx-module-xslt@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "nginx-module-xslt@1.25.4-1~bookworm" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nginx-module-xslt" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~bookworm" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.25.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "NGINX Packaging " + }, + "name": "nginx", + "version": "1.25.4-1~bookworm", + "purl": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "nginx@1.25.4-1~bookworm" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "nginx" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~bookworm" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.25.4" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian OpenSSL Team " + }, + "name": "openssl", + "version": "3.0.11-1~deb12u2", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "GPL-1.0" + } + } + ], + "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "openssl@3.0.11-1~deb12u2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "openssl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1~deb12u2" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.11" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Shadow package maintainers " + }, + "name": "passwd", + "version": "1:4.13+dfsg1-1+b1", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "GPL-1.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "passwd@1:4.13+dfsg1-1+b1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "shadow" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.13+dfsg1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Niko Tyni " + }, + "name": "perl-base", + "version": "5.36.0-7+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-1.0" + } + }, + { + "license": { + "name": "Artistic" + } + }, + { + "license": { + "name": "Expat" + } + }, + { + "license": { + "name": "REGCOMP" + } + }, + { + "license": { + "name": "GPL-2.0-with-bison-exception" + } + }, + { + "license": { + "name": "Unicode" + } + }, + { + "license": { + "name": "BZIP" + } + }, + { + "license": { + "name": "Zlib" + } + }, + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "RRA-KEEP-THIS-NOTICE" + } + }, + { + "license": { + "name": "BSD-3-clause-with-weird-numbering" + } + }, + { + "license": { + "name": "CC0-1.0" + } + }, + { + "license": { + "name": "TEXT-TABS" + } + }, + { + "license": { + "name": "BSD-4-clause-POWERDOG" + } + }, + { + "license": { + "name": "BSD-3-clause-GENERIC" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "SDBM-PUBLIC-DOMAIN" + } + }, + { + "license": { + "name": "DONT-CHANGE-THE-GPL" + } + }, + { + "license": { + "name": "Artistic-dist" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "Artistic-2" + } + }, + { + "license": { + "name": "HSIEH-DERIVATIVE" + } + }, + { + "license": { + "name": "HSIEH-BSD" + } + } + ], + "purl": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "perl-base@5.36.0-7+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "perl" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "7+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "5.36.0" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/sed@4.9-1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Clint Adams " + }, + "name": "sed", + "version": "4.9-1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "X11" + } + }, + { + "license": { + "name": "GFDL-NIV-1.3+" + } + }, + { + "license": { + "name": "GFDL-1.3" + } + }, + { + "license": { + "name": "ISC" + } + }, + { + "license": { + "name": "BSD-4-clause-UC" + } + }, + { + "license": { + "name": "BSL-1" + } + }, + { + "license": { + "name": "pcre" + } + } + ], + "purl": "pkg:deb/debian/sed@4.9-1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "sed@4.9-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "sed" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "4.9" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/sysvinit-utils@3.06-4?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Debian sysvinit maintainers " + }, + "name": "sysvinit-utils", + "version": "3.06-4", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/sysvinit-utils@3.06-4?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "sysvinit-utils@3.06-4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "sysvinit" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "4" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.06" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Janos Lenart " + }, + "name": "tar", + "version": "1.34+dfsg-1.2+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "GPL-3+ with Bison exception" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + }, + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "tar@1.34+dfsg-1.2+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "tar" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1.2+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.34+dfsg" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "GNU Libc Maintainers " + }, + "name": "tzdata", + "version": "2024a-0+deb12u1", + "licenses": [ + { + "license": { + "name": "public-domain" + } + } + ], + "purl": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "tzdata@2024a-0+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "tzdata" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "0+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2024a" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/usr-is-merged@37~deb12u1?arch=all&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "Marco d'Itri " + }, + "name": "usr-is-merged", + "version": "37~deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + } + ], + "purl": "pkg:deb/debian/usr-is-merged@37~deb12u1?arch=all&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "usr-is-merged@37~deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "usrmerge" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "37~deb12u1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "util-linux-extra", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "util-linux-extra@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "type": "library", + "supplier": { + "name": "util-linux packagers " + }, + "name": "util-linux", + "version": "2.38.1-5+deb12u1", + "licenses": [ + { + "license": { + "name": "GPL-2.0" + } + }, + { + "license": { + "name": "GPL-3.0" + } + }, + { + "license": { + "name": "public-domain" + } + }, + { + "license": { + "name": "BSD-4-Clause" + } + }, + { + "license": { + "name": "MIT" + } + }, + { + "license": { + "name": "BSD-3-Clause" + } + }, + { + "license": { + "name": "BSLA" + } + }, + { + "license": { + "name": "LGPL-2.0" + } + }, + { + "license": { + "name": "LGPL-2.1" + } + }, + { + "license": { + "name": "LGPL-3.0" + } + } + ], + "purl": "pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "util-linux@2.38.1-5+deb12u1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "util-linux" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "5+deb12u1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.38.1" + } + ] + }, + { + "bom-ref": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1", + "type": "library", + "supplier": { + "name": "Mark Brown " + }, + "name": "zlib1g", + "version": "1:1.2.13.dfsg-1", + "licenses": [ + { + "license": { + "name": "Zlib" + } + } + ], + "purl": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "zlib1g@1:1.2.13.dfsg-1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "debian" + }, + { + "name": "aquasecurity:trivy:SrcEpoch", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "zlib" + }, + { + "name": "aquasecurity:trivy:SrcRelease", + "value": "1" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.13.dfsg" + } + ] + } + ], + "dependencies": [ + { + "ref": "7a2313d2-c780-465f-8d38-ca5272578372", + "dependsOn": [ + "pkg:deb/debian/adduser@3.134?arch=all&distro=debian-12.5", + "pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/base-passwd@3.6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/bash@5.2.15-2%2Bb2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/bsdutils@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.5", + "pkg:deb/debian/coreutils@9.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/dash@0.5.12-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "pkg:deb/debian/debian-archive-keyring@2023.3%2Bdeb12u1?arch=all&distro=debian-12.5", + "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/diffutils@3.8-4?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/e2fsprogs@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/findutils@4.9.0-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/fontconfig-config@2.14.1-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/fonts-dejavu-core@2.37-6?arch=all&distro=debian-12.5", + "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/gettext-base@0.21-12?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/grep@3.8-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/gzip@1.12-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/hostname@3.23%2Bnmu1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/init-system-helpers@1.65.2?arch=all&distro=debian-12.5", + "pkg:deb/debian/libabsl20220623@20220623.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libacl1@2.3.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libattr1@2.5.1-4?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libaudit-common@3.0.9-1?arch=all&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libavif15@0.11.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcap-ng0@0.8.3-1%2Bb3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcap2@2.66-4?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg2-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libde265-0@1.0.11-1%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdebconfclient0@0.270?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdeflate0@1.14-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libext2fs2@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libffi8@3.4.4-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libfontconfig1@2.14.1-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgav1-1@0.18.0-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgd3@2.3.3-9?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgeoip1@1.6.12-10?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libicu72@72.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkeyutils1@1.6.3-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblerc4@4.0.0%2Bds-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libmount1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnuma1@2.0.16-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libp11-kit0@0.24.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpam-modules-bin@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpam-runtime@1.5.2-6%2Bdeb12u1?arch=all&distro=debian-12.5", + "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpsl5@0.21.2-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/librav1e0@0.5.1-6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/librtmp1@2.4%2B20151223.gitfa8646d.1-2%2Bb2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsasl2-2@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsasl2-modules-db@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libseccomp2@2.5.4-1%2Bb3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsemanage-common@3.4-1?arch=all&distro=debian-12.5", + "pkg:deb/debian/libsemanage2@3.4-1%2Bb5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsepol2@3.4-2.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libss2@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssh2-1@1.10.0-3%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsvtav1enc1@1.4.1%2Bdfsg-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtasn1-6@4.19.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libuuid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libx11-6@1.8.4-2%2Bdeb12u2?arch=amd64&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libx11-data@1.8.4-2%2Bdeb12u2?arch=all&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libx265-199@3.5-2%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxau6@1.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libxcb1@1.15-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxdmcp6@1.1.2-3?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxpm4@3.5.12-1.1%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxxhash0@0.8.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libyuv0@0.0~git20230123.b2528b0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/logsave@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/mawk@1.3.4.20200120-3.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/mount@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/ncurses-base@6.4-4?arch=all&distro=debian-12.5", + "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/nginx-module-geoip@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/nginx-module-image-filter@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/nginx-module-njs@1.25.4%2B0.8.3-1~bookworm?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/nginx-module-xslt@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/sed@4.9-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/sysvinit-utils@3.06-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all&distro=debian-12.5", + "pkg:deb/debian/usr-is-merged@37~deb12u1?arch=all&distro=debian-12.5", + "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/adduser@3.134?arch=all&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/adduser@3.134?arch=all&distro=debian-12.5", + "pkg:deb/debian/debian-archive-keyring@2023.3%2Bdeb12u1?arch=all&distro=debian-12.5", + "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libseccomp2@2.5.4-1%2Bb3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/base-passwd@3.6.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdebconfclient0@0.270?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/bash@5.2.15-2%2Bb2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/base-files@12.4%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/bsdutils@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/coreutils@9.1-1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/dash@0.5.12-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/debian-archive-keyring@2023.3%2Bdeb12u1?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/debianutils@5.7-0.5~deb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/diffutils@3.8-4?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/e2fsprogs@1.47.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/logsave@1.47.0-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/findutils@4.9.0-4?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/fontconfig-config@2.14.1-4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "pkg:deb/debian/fonts-dejavu-core@2.37-6?arch=all&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/fonts-dejavu-core@2.37-6?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/gettext-base@0.21-12?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/grep@3.8-5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/gzip@1.12-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/dpkg@1.21.22?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/hostname@3.23%2Bnmu1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/init-system-helpers@1.65.2?arch=all&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/usr-is-merged@37~deb12u1?arch=all&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libabsl20220623@20220623.1-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libacl1@2.3.1-3?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxxhash0@0.8.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libattr1@2.5.1-4?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libaudit-common@3.0.9-1?arch=all&distro=debian-12.5&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libaudit-common@3.0.9-1?arch=all&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcap-ng0@0.8.3-1%2Bb3?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libavif15@0.11.1-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgav1-1@0.18.0-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/librav1e0@0.5.1-6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsvtav1enc1@1.4.1%2Bdfsg-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libyuv0@0.0~git20230123.b2528b0-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libcap-ng0@0.8.3-1%2Bb3?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libcap2@2.66-4?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpsl5@0.21.2-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/librtmp1@2.4%2B20151223.gitfa8646d.1-2%2Bb2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssh2-1@1.10.0-3%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg2-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libde265-0@1.0.11-1%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libdebconfclient0@0.270?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libdeflate0@1.14-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libext2fs2@1.47.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libffi8@3.4.4-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libfontconfig1@2.14.1-4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/fontconfig-config@2.14.1-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libbrotli1@1.0.9-2%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libgav1-1@0.18.0-1%2Bb1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libabsl20220623@20220623.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgd3@2.3.3-9?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libavif15@0.11.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libfontconfig1@2.14.1-4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libfreetype6@2.12.1%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxpm4@3.5.12-1.1%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libgeoip1@1.6.12-10?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libp11-kit0@0.24.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libtasn1-6@4.19.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgpg-error0@1.46-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libde265-0@1.0.11-1%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libx265-199@3.5-2%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libicu72@72.1-3?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libkeyutils1@1.6.3-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkeyutils1@1.6.3-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsasl2-2@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/liblerc4@4.0.0%2Bds-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libmd0@1.0.4-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libmount1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libnuma1@2.0.16-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libp11-kit0@0.24.1-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libffi8@3.4.4-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libpam-modules-bin@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/libpam-runtime@1.5.2-6%2Bdeb12u1?arch=all&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5", + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libpsl5@0.21.2-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libidn2-0@2.3.3-1%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/librav1e0@0.5.1-6?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/librtmp1@2.4%2B20151223.gitfa8646d.1-2%2Bb2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgmp10@6.2.1%2Bdfsg1-1.1?arch=amd64&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libhogweed6@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnettle8@3.8.1-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libsasl2-2@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsasl2-modules-db@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsasl2-modules-db@2.1.28%2Bdfsg-10?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg2-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libseccomp2@2.5.4-1%2Bb3?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsemanage-common@3.4-1?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/libsemanage2@3.4-1%2Bb5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libbz2-1.0@1.0.8-5%2Bb1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsemanage-common@3.4-1?arch=all&distro=debian-12.5", + "pkg:deb/debian/libsepol2@3.4-2.1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsepol2@3.4-2.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libss2@1.47.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcom-err2@1.47.0-2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libssh2-1@1.10.0-3%2Bb1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsvtav1enc1@1.4.1%2Bdfsg-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcap2@2.66-4?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblz4-1@1.9.4-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libtasn1-6@4.19.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libdeflate0@1.14-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/liblerc4@4.0.0%2Bds-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libunistring2@1.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libuuid1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libwebp7@1.2.4-0.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libx11-6@1.8.4-2%2Bdeb12u2?arch=amd64&distro=debian-12.5&epoch=2", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libx11-data@1.8.4-2%2Bdeb12u2?arch=all&distro=debian-12.5&epoch=2", + "pkg:deb/debian/libxcb1@1.15-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libx11-data@1.8.4-2%2Bdeb12u2?arch=all&distro=debian-12.5&epoch=2", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/libx265-199@3.5-2%2Bb1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libnuma1@2.0.16-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libxau6@1.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libxcb1@1.15-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxau6@1.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libxdmcp6@1.1.2-3?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libxdmcp6@1.1.2-3?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libbsd0@0.11.7-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libicu72@72.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/liblzma5@5.4.1-0.2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/libxpm4@3.5.12-1.1%2Bdeb12u1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libx11-6@1.8.4-2%2Bdeb12u2?arch=amd64&distro=debian-12.5&epoch=2" + ] + }, + { + "ref": "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libxxhash0@0.8.1-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libyuv0@0.0~git20230123.b2528b0-1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libjpeg62-turbo@2.1.5-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/libzstd1@1.5.4%2Bdfsg2-5?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/logsave@1.47.0-2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/mawk@1.3.4.20200120-3.1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/mount@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/ncurses-base@6.4-4?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/nginx-module-geoip@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgeoip1@1.6.12-10?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/nginx-module-image-filter@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libgd3@2.3.3-9?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/nginx-module-njs@1.25.4%2B0.8.3-1~bookworm?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libedit2@3.1-20221030-2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/nginx-module-xslt@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libpcre2-8-0@10.42-1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1" + ] + }, + { + "ref": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libcrypt1@4.4.33-2?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libselinux1@3.4-1%2Bb6?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsemanage2@3.4-1%2Bb5?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/sed@4.9-1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/sysvinit-utils@3.06-4?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/tzdata@2024a-0%2Bdeb12u1?arch=all&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/debconf@1.5.82?arch=all&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/usr-is-merged@37~deb12u1?arch=all&distro=debian-12.5", + "dependsOn": [] + }, + { + "ref": "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/libaudit1@3.0.9-1?arch=amd64&distro=debian-12.5&epoch=1", + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5", + "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5", + "dependsOn": [ + "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12.5&epoch=1", + "dependsOn": [ + "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12.5" + ] + }, + { + "ref": "pkg:oci/myrepo@sha256%3Ac24e8d746bb4d4ee807aeec23f3cd42fb1e24b9cd21168074a23d67d8be96e95?arch=amd64&repository_url=index.docker.io%2Flaeeqa222%2Fmyrepo", + "dependsOn": [ + "7a2313d2-c780-465f-8d38-ca5272578372" + ] + } + ], + "vulnerabilities": [] +} diff --git a/git-ask-pass.sh b/git-ask-pass.sh new file mode 100755 index 00000000..4e34efe2 --- /dev/null +++ b/git-ask-pass.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# This script is used as the command supplied to GIT_ASKPASS as a way to supply username/password +# credentials to git, without having to use git credentials helpers, or having on-disk config. +case "$1" in +Username*) echo "${GIT_USERNAME}" ;; +Password*) echo "${GIT_PASSWORD}" ;; +esac diff --git a/helper/Bean.go b/helper/Bean.go new file mode 100644 index 00000000..d3ac62f1 --- /dev/null +++ b/helper/Bean.go @@ -0,0 +1,48 @@ +package helper + +import ( + "log" + "time" +) + +type CiProjectDetails struct { + GitRepository string `json:"gitRepository"` + FetchSubmodules bool `json:"fetchSubmodules"` + MaterialName string `json:"materialName"` + CheckoutPath string `json:"checkoutPath"` + CommitHash string `json:"commitHash"` + GitTag string `json:"gitTag"` + CommitTime time.Time `json:"commitTime"` + SourceType SourceType `json:"sourceType"` + SourceValue string `json:"sourceValue"` + Type string `json:"type"` + Message string `json:"message"` + Author string `json:"author"` + GitOptions GitOptions `json:"gitOptions"` + WebhookData WebhookData `json:"webhookData"` + CloningMode string `json:"cloningMode"` +} + +func (prj *CiProjectDetails) GetCheckoutBranchName() string { + var checkoutBranch string + if prj.SourceType == SOURCE_TYPE_WEBHOOK { + webhookData := prj.WebhookData + webhookDataData := webhookData.Data + + checkoutBranch = webhookDataData[WEBHOOK_SELECTOR_TARGET_CHECKOUT_BRANCH_NAME] + if len(checkoutBranch) == 0 { + //webhook type is tag based + checkoutBranch = webhookDataData[WEBHOOK_SELECTOR_TARGET_CHECKOUT_NAME] + } + } else { + if len(prj.SourceValue) == 0 { + checkoutBranch = "main" + } else { + checkoutBranch = prj.SourceValue + } + } + if len(checkoutBranch) == 0 { + log.Fatal("could not get target checkout from request data") + } + return checkoutBranch +} diff --git a/helper/GitCliManager.go b/helper/GitCliManager.go new file mode 100644 index 00000000..8d17584e --- /dev/null +++ b/helper/GitCliManager.go @@ -0,0 +1,255 @@ +package helper + +import ( + "fmt" + "github.com/devtron-labs/image-scanner/helper/util" + "log" + "os" + "os/exec" + "path/filepath" + "strings" +) + +type GitCliManager interface { + Fetch(gitContext GitContext, rootDir string) (response, errMsg string, err error) + Checkout(gitContext GitContext, rootDir string, checkout string) (response, errMsg string, err error) + RunCommandWithCred(cmd *exec.Cmd, userName, password string) (response, errMsg string, err error) + RunCommand(cmd *exec.Cmd) (response, errMsg string, err error) + runCommandForSuppliedNullifiedEnv(cmd *exec.Cmd, setHomeEnvToNull bool) (response, errMsg string, err error) + Init(rootDir string, remoteUrl string, isBare bool) error + Clone(gitContext GitContext, prj CiProjectDetails) (response, errMsg string, err error) + Merge(rootDir string, commit string) (response, errMsg string, err error) + RecursiveFetchSubmodules(rootDir string) (response, errMsg string, error error) + UpdateCredentialHelper(rootDir string) (response, errMsg string, error error) + UnsetCredentialHelper(rootDir string) (response, errMsg string, error error) + GitCheckout(gitContext GitContext, checkoutPath string, targetCheckout string, authMode AuthMode, fetchSubmodules bool, gitRepository string) (errMsg string, error error) +} + +type GitCliManagerImpl struct { +} + +func NewGitCliManager() *GitCliManagerImpl { + return &GitCliManagerImpl{} +} + +const GIT_AKS_PASS = "/git-ask-pass.sh" +const DefaultRemoteName = "origin" + +func (impl *GitCliManagerImpl) Fetch(gitContext GitContext, rootDir string) (response, errMsg string, err error) { + log.Println(util.DEVTRON, "git fetch ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "fetch", "origin", "--tags", "--force") + output, errMsg, err := impl.RunCommandWithCred(cmd, gitContext.Auth.Username, gitContext.Auth.Password) + log.Println(util.DEVTRON, "fetch output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, "", nil +} + +func (impl *GitCliManagerImpl) Checkout(gitContext GitContext, rootDir string, checkout string) (response, errMsg string, err error) { + log.Println(util.DEVTRON, "git checkout ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "checkout", checkout, "--force") + output, errMsg, err := impl.RunCommandWithCred(cmd, gitContext.Auth.Username, gitContext.Auth.Password) + log.Println(util.DEVTRON, "checkout output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, "", nil +} + +func (impl *GitCliManagerImpl) RunCommandWithCred(cmd *exec.Cmd, userName, password string) (response, errMsg string, err error) { + cmd.Env = append(os.Environ(), + fmt.Sprintf("GIT_ASKPASS=%s", GIT_AKS_PASS), + fmt.Sprintf("GIT_USERNAME=%s", userName), // ignored + fmt.Sprintf("GIT_PASSWORD=%s", password), // this value is used + ) + return impl.RunCommand(cmd) +} + +func (impl *GitCliManagerImpl) RunCommand(cmd *exec.Cmd) (response, errMsg string, err error) { + return impl.runCommandForSuppliedNullifiedEnv(cmd, true) +} + +func (impl *GitCliManagerImpl) runCommandForSuppliedNullifiedEnv(cmd *exec.Cmd, setHomeEnvToNull bool) (response, errMsg string, err error) { + if setHomeEnvToNull { + cmd.Env = append(cmd.Env, "HOME=/dev/null") + } + // https://stackoverflow.com/questions/18159704/how-to-debug-exit-status-1-error-when-running-exec-command-in-golang + // in CombinedOutput, both stdOut and stdError are returned in single output + outBytes, err := cmd.CombinedOutput() + output := string(outBytes) + output = strings.Replace(output, "\n", "", -1) + output = strings.TrimSpace(output) + if err != nil { + exErr, ok := err.(*exec.ExitError) + if !ok { + return "", output, err + } + errOutput := string(exErr.Stderr) + return "", fmt.Sprintf("%s\n%s", output, errOutput), err + } + return output, "", nil +} + +func (impl *GitCliManagerImpl) Init(rootDir string, remoteUrl string, isBare bool) error { + + //----------------- + + err := os.MkdirAll(rootDir, 0755) + if err != nil { + return err + } + err = impl.AddRepo(rootDir, remoteUrl) + return err +} +func (impl *GitCliManagerImpl) AddRepo(rootDir string, remoteUrl string) error { + err := impl.gitInit(rootDir) + if err != nil { + return err + } + return impl.gitCreateRemote(rootDir, remoteUrl) +} + +func (impl *GitCliManagerImpl) gitInit(rootDir string) error { + log.Println(util.DEVTRON, "git", "-C", rootDir, "init") + cmd := exec.Command("git", "-C", rootDir, "init") + output, errMsg, err := impl.RunCommand(cmd) + log.Println(util.DEVTRON, "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return err +} + +func (impl *GitCliManagerImpl) gitCreateRemote(rootDir string, url string) error { + log.Println(util.DEVTRON, "git", "-C", rootDir, "remote", "add", DefaultRemoteName, url) + cmd := exec.Command("git", "-C", rootDir, "remote", "add", DefaultRemoteName, url) + output, errMsg, err := impl.RunCommand(cmd) + log.Println(util.DEVTRON, "url", url, "opt", output, "errMsg", errMsg, "error", err) + return err +} + +// setting user.name and user.email as for non-fast-forward merge, git ask for user.name and email +func (impl *GitCliManagerImpl) Merge(rootDir string, commit string) (response, errMsg string, err error) { + log.Println(util.DEVTRON, "git merge ", "location", rootDir) + command := "cd " + rootDir + " && git config user.email git@devtron.com && git config user.name Devtron && git merge " + commit + " --no-commit" + cmd := exec.Command("/bin/sh", "-c", command) + output, errMsg, err := impl.RunCommand(cmd) + log.Println(util.DEVTRON, "merge output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, errMsg, err +} + +func (impl *GitCliManagerImpl) RecursiveFetchSubmodules(rootDir string) (response, errMsg string, error error) { + log.Println(util.DEVTRON, "git recursive fetch submodules ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "submodule", "update", "--init", "--recursive") + output, eMsg, err := impl.runCommandForSuppliedNullifiedEnv(cmd, false) + log.Println(util.DEVTRON, "recursive fetch submodules output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, eMsg, err +} + +func (impl *GitCliManagerImpl) UpdateCredentialHelper(rootDir string) (response, errMsg string, error error) { + log.Println(util.DEVTRON, "git credential helper store ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "config", "--global", "credential.helper", "store") + output, eMsg, err := impl.runCommandForSuppliedNullifiedEnv(cmd, false) + log.Println(util.DEVTRON, "git credential helper store output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, eMsg, err +} + +func (impl *GitCliManagerImpl) UnsetCredentialHelper(rootDir string) (response, errMsg string, error error) { + log.Println(util.DEVTRON, "git credential helper unset ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "config", "--global", "--unset", "credential.helper") + output, eMsg, err := impl.runCommandForSuppliedNullifiedEnv(cmd, false) + log.Println(util.DEVTRON, "git credential helper unset output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, eMsg, err +} + +func (impl *GitCliManagerImpl) GitCheckout(gitContext GitContext, checkoutPath string, targetCheckout string, authMode AuthMode, fetchSubmodules bool, gitRepository string) (errMsg string, error error) { + + rootDir := filepath.Join(gitContext.WorkingDir, checkoutPath) + + // checkout target hash + _, eMsg, cErr := impl.Checkout(gitContext, rootDir, targetCheckout) + if cErr != nil { + return eMsg, cErr + } + + log.Println(util.DEVTRON, " fetchSubmodules ", fetchSubmodules, " authMode ", authMode) + + if fetchSubmodules { + httpsAuth := (authMode == AUTH_MODE_USERNAME_PASSWORD) || (authMode == AUTH_MODE_ACCESS_TOKEN) + if httpsAuth { + // first remove protocol + modifiedUrl := strings.ReplaceAll(gitRepository, "https://", "") + // for bitbucket - if git repo url is started with username, then we need to remove username + if strings.Contains(modifiedUrl, "bitbucket.org") && !strings.HasPrefix(modifiedUrl, "bitbucket.org") { + modifiedUrl = modifiedUrl[strings.Index(modifiedUrl, "bitbucket.org"):] + } + // build url + modifiedUrl = "https://" + gitContext.Auth.Username + ":" + gitContext.Auth.Password + "@" + modifiedUrl + + _, errMsg, cErr = impl.UpdateCredentialHelper(rootDir) + if cErr != nil { + return errMsg, cErr + } + + cErr = util.CreateGitCredentialFileAndWriteData(modifiedUrl) + if cErr != nil { + return "Error in creating git credential file", cErr + } + + } + + _, errMsg, cErr = impl.RecursiveFetchSubmodules(rootDir) + if cErr != nil { + return errMsg, cErr + } + + // cleanup + + if httpsAuth { + _, errMsg, cErr = impl.UnsetCredentialHelper(rootDir) + if cErr != nil { + return errMsg, cErr + } + + // delete file (~/.git-credentials) (which was created above) + cErr = util.CleanupAfterFetchingHttpsSubmodules() + if cErr != nil { + return "", cErr + } + } + } + + return "", nil + +} + +func (impl *GitCliManagerImpl) shallowClone(gitContext GitContext, rootDir string, remoteUrl string, sourceBranch string) (response, errMsg string, err error) { + log.Println(util.DEVTRON, "git shallow clone ", "location", rootDir) + cmd := exec.Command("git", "-C", rootDir, "clone", "--filter=tree:0", "--single-branch", "-b", sourceBranch, remoteUrl, "--no-checkout") + output, errMsg, err := impl.RunCommandWithCred(cmd, gitContext.Auth.Username, gitContext.Auth.Password) + log.Println(util.DEVTRON, "shallow clone output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err) + return output, errMsg, err +} + +func (impl *GitCliManagerImpl) moveFilesFromSourceToDestination(scrDir, dest string) (response, errMsg string, err error) { + cmd := exec.Command("mv", scrDir+"/.git", dest+"/") + output, errMsg, err := impl.RunCommand(cmd) + log.Println(util.DEVTRON, "moving files from: ", scrDir+"/.git", " to: ", dest+"/", "opt: ", output, "errMsg: ", errMsg, "error: ", err) + return output, errMsg, err +} + +func (impl *GitCliManagerImpl) Clone(gitContext GitContext, prj CiProjectDetails) (response, errMsg string, err error) { + var msgMsg string + var checkoutPath string + var cErr error + checkoutBranch := prj.GetCheckoutBranchName() + checkoutPath = filepath.Join(gitContext.WorkingDir, prj.CheckoutPath) + err = os.MkdirAll(checkoutPath, 0755) + if err != nil { + return "", "", err + } + _, msgMsg, cErr = impl.shallowClone(gitContext, checkoutPath, prj.GitRepository, checkoutBranch) + if cErr != nil { + log.Fatal("could not clone repo ", " err: ", cErr, "msgMsg: ", msgMsg) + } + projectName := util.GetProjectName(prj.GitRepository) + projRootDir := filepath.Join(checkoutPath, projectName) + + _, msgMsg, cErr = impl.moveFilesFromSourceToDestination(projRootDir, checkoutPath) + if cErr != nil { + log.Fatal("could not move files between files ", "err: ", cErr, "msgMsg: ", msgMsg) + } + return response, msgMsg, cErr +} diff --git a/helper/GitManager.go b/helper/GitManager.go new file mode 100644 index 00000000..4f0256f7 --- /dev/null +++ b/helper/GitManager.go @@ -0,0 +1,188 @@ +/* + * Copyright 2020 Devtron Labs + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package helper + +import ( + "context" + "github.com/devtron-labs/image-scanner/helper/util" + "log" + "os" + "path/filepath" +) + +type GitOptions struct { + UserName string `json:"userName"` + Password string `json:"password"` + SshPrivateKey string `json:"sshPrivateKey"` + AccessToken string `json:"accessToken"` + AuthMode AuthMode `json:"authMode"` +} + +type WebhookData struct { + Id int `json:"id"` + EventActionType string `json:"eventActionType"` + Data map[string]string `json:"data"` +} + +type GitContext struct { + context.Context // Embedding original Go context + Auth *BasicAuth + WorkingDir string +} +type BasicAuth struct { + Username, Password string +} + +type AuthMode string + +const ( + AUTH_MODE_USERNAME_PASSWORD AuthMode = "USERNAME_PASSWORD" + AUTH_MODE_SSH AuthMode = "SSH" + AUTH_MODE_ACCESS_TOKEN AuthMode = "ACCESS_TOKEN" + AUTH_MODE_ANONYMOUS AuthMode = "ANONYMOUS" +) + +type SourceType string + +const ( + SOURCE_TYPE_BRANCH_FIXED SourceType = "SOURCE_TYPE_BRANCH_FIXED" + SOURCE_TYPE_WEBHOOK SourceType = "WEBHOOK" +) + +const ( + WEBHOOK_SELECTOR_TARGET_CHECKOUT_NAME string = "target checkout" + WEBHOOK_SELECTOR_SOURCE_CHECKOUT_NAME string = "source checkout" + WEBHOOK_SELECTOR_TARGET_CHECKOUT_BRANCH_NAME string = "target branch name" + + WEBHOOK_EVENT_MERGED_ACTION_TYPE string = "merged" + WEBHOOK_EVENT_NON_MERGED_ACTION_TYPE string = "non-merged" +) + +type GitManager struct { + gitCliManager GitCliManager +} + +func NewGitManagerImpl(gitCliManager GitCliManager) *GitManager { + return &GitManager{ + gitCliManager: gitCliManager, + } +} + +func (impl *GitManager) CloneAndCheckout(ciProjectDetails []CiProjectDetails, workingDir string) error { + for index, prj := range ciProjectDetails { + // git clone + + log.Println("-----> git " + prj.CloningMode + " cloning " + prj.GitRepository) + + if prj.CheckoutPath != "./" { + if _, err := os.Stat(workingDir + prj.CheckoutPath); os.IsNotExist(err) { + _ = os.Mkdir(workingDir+prj.CheckoutPath, os.ModeDir) + } + } + var cErr error + var auth *BasicAuth + authMode := prj.GitOptions.AuthMode + switch authMode { + case AUTH_MODE_USERNAME_PASSWORD: + auth = &BasicAuth{Password: prj.GitOptions.Password, Username: prj.GitOptions.UserName} + case AUTH_MODE_ACCESS_TOKEN: + auth = &BasicAuth{Password: prj.GitOptions.AccessToken, Username: prj.GitOptions.UserName} + default: + auth = &BasicAuth{} + } + + gitContext := GitContext{ + Auth: auth, + WorkingDir: workingDir, + } + // create ssh private key on disk + if authMode == AUTH_MODE_SSH { + cErr = util.CreateSshPrivateKeyOnDisk(index, prj.GitOptions.SshPrivateKey) + cErr = util.CreateSshPrivateKeyOnDisk(index, prj.GitOptions.SshPrivateKey) + if cErr != nil { + log.Fatal("could not create ssh private key on disk ", " err ", cErr) + } + } + + _, msgMsg, cErr := impl.gitCliManager.Clone(gitContext, prj) + if cErr != nil { + log.Fatal("could not clone repo ", " err ", cErr, "msgMsg", msgMsg) + } + + // checkout code + if prj.SourceType == SOURCE_TYPE_BRANCH_FIXED { + // checkout incoming commit hash or branch name + checkoutSource := "" + if len(prj.CommitHash) > 0 { + checkoutSource = prj.CommitHash + } else { + if len(prj.SourceValue) == 0 { + prj.SourceValue = "main" + } + checkoutSource = prj.SourceValue + } + log.Println("checkout commit in branch fix : ", checkoutSource) + msgMsg, cErr = impl.gitCliManager.GitCheckout(gitContext, prj.CheckoutPath, checkoutSource, authMode, prj.FetchSubmodules, prj.GitRepository) + if cErr != nil { + log.Fatal("could not checkout hash ", " err ", cErr, "msgMsg", msgMsg) + } + + } else if prj.SourceType == SOURCE_TYPE_WEBHOOK { + + webhookData := prj.WebhookData + webhookDataData := webhookData.Data + + targetCheckout := webhookDataData[WEBHOOK_SELECTOR_TARGET_CHECKOUT_NAME] + if len(targetCheckout) == 0 { + log.Fatal("could not get target checkout from request data") + } + + log.Println("checkout commit in webhook : ", targetCheckout) + + // checkout target hash + msgMsg, cErr = impl.gitCliManager.GitCheckout(gitContext, prj.CheckoutPath, targetCheckout, authMode, prj.FetchSubmodules, prj.GitRepository) + if cErr != nil { + log.Fatal("could not checkout ", "targetCheckout ", targetCheckout, " err ", cErr, " msgMsg", msgMsg) + return cErr + } + + // merge source if action type is merged + if webhookData.EventActionType == WEBHOOK_EVENT_MERGED_ACTION_TYPE { + sourceCheckout := webhookDataData[WEBHOOK_SELECTOR_SOURCE_CHECKOUT_NAME] + + // throw error if source checkout is empty + if len(sourceCheckout) == 0 { + log.Fatal("sourceCheckout is empty") + } + + log.Println("merge commit in webhook : ", sourceCheckout) + + // merge source + _, msgMsg, cErr = impl.gitCliManager.Merge(filepath.Join(gitContext.WorkingDir, prj.CheckoutPath), sourceCheckout) + if cErr != nil { + log.Fatal("could not merge ", "sourceCheckout ", sourceCheckout, " err ", cErr, " msgMsg", msgMsg) + return cErr + } + + } + + } + + } + return nil +} diff --git a/helper/util/Util.go b/helper/util/Util.go new file mode 100644 index 00000000..facf8dd1 --- /dev/null +++ b/helper/util/Util.go @@ -0,0 +1,151 @@ +/* + * Copyright (c) 2020 Devtron Labs + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package util + +import ( + "errors" + "fmt" + "io/ioutil" + "log" + "math/rand" + "net/url" + "os" + "path" + "strings" + "time" +) + +const ( + SSH_PRIVATE_KEY_DIR = ".ssh" + SSH_PRIVATE_KEY_FILE_NAME = "id_rsa" + GIT_CREDENTIAL_FILE_NAME = ".git-credentials" +) + +func CreateSshPrivateKeyOnDisk(fileId int, sshPrivateKeyContent string) error { + + userHomeDirectory, err := os.UserHomeDir() + if err != nil { + return err + } + + sshPrivateKeyFilePath := path.Join(userHomeDirectory, SSH_PRIVATE_KEY_DIR, SSH_PRIVATE_KEY_FILE_NAME) + + // if file exists then delete file + if _, err := os.Stat(sshPrivateKeyFilePath); os.IsExist(err) { + os.Remove(sshPrivateKeyFilePath) + } + + // create file with content + err = ioutil.WriteFile(sshPrivateKeyFilePath, []byte(sshPrivateKeyContent), 0600) + if err != nil { + return err + } + + return nil +} + +func CreateGitCredentialFileAndWriteData(data string) error { + + userHomeDirectory, err := os.UserHomeDir() + if err != nil { + return err + } + + fileName := path.Join(userHomeDirectory, GIT_CREDENTIAL_FILE_NAME) + + // if file exists then delete file + if _, err := os.Stat(fileName); os.IsExist(err) { + os.Remove(fileName) + } + + // create file with content + err = ioutil.WriteFile(fileName, []byte(data), 0600) + if err != nil { + return err + } + + return nil +} + +func CleanupAfterFetchingHttpsSubmodules() error { + + userHomeDirectory, err := os.UserHomeDir() + if err != nil { + return err + } + + // remove ~/.git-credentials + gitCredentialsFile := path.Join(userHomeDirectory, GIT_CREDENTIAL_FILE_NAME) + if _, err := os.Stat(gitCredentialsFile); os.IsExist(err) { + os.Remove(gitCredentialsFile) + } + + return nil +} + +func LogStage(name string) { + stageTemplate := ` +------------------------------------------------------------------------------------------------------------------------ +STAGE: %s +------------------------------------------------------------------------------------------------------------------------` + log.Println(fmt.Sprintf(stageTemplate, name)) +} + +var chars = []rune("abcdefghijklmnopqrstuvwxyz0123456789") + +// Generates random string +func Generate(size int) string { + rand.Seed(time.Now().UnixNano()) + var b strings.Builder + for i := 0; i < size; i++ { + b.WriteRune(chars[rand.Intn(len(chars))]) + } + str := b.String() + return str +} + +// CheckFileExists returns boolean value of file existence else error (ignoring file does not exist error) +func CheckFileExists(filename string) (bool, error) { + if _, err := os.Stat(filename); err == nil { + // exists + return true, nil + } else if errors.Is(err, os.ErrNotExist) { + // not exists + return false, nil + } else { + // Some other error + return false, err + } +} +func ParseUrl(rawURL string) (parsedURL *url.URL, err error) { + parsedURL, err = url.Parse(rawURL) + if err != nil || parsedURL.Host == "" { + parsedURL, err = url.Parse("//" + rawURL) + } + return parsedURL, err +} + +// GetProjectName this function has been designed for returning project name of git-lab and git-hub providers only +// do not remove this function +func GetProjectName(url string) string { + //if url = https://github.com/devtron-labs/git-sensor.git then it will return git-sensor + projName := strings.Split(url, ".")[1] + projectName := projName[strings.LastIndex(projName, "/")+1:] + return projectName +} + +const DEVTRON = "DEVTRON" diff --git a/imagesscan.json b/imagesscan.json new file mode 100644 index 00000000..466ddf0d --- /dev/null +++ b/imagesscan.json @@ -0,0 +1,15212 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2024-04-15T17:44:56.140093+05:30", + "ArtifactName": "laeeqa222/myrepo:4a6bb4fb-218-93", + "ArtifactType": "container_image", + "Metadata": { + "OS": { + "Family": "debian", + "Name": "12.5" + }, + "ImageID": "sha256:570a3479abbbd3d53a236c2cfe5d1839401a2fc6cade76cb0050a3d4b58b076b", + "DiffIDs": [ + "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f", + "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b", + "sha256:2ee294939e65b5486fa823365302c086df8a03ac6064c8a58ebcbb81a85baf86", + "sha256:c4484f227d5e1d3074ee6a30ffaa0bc67a13a1b83f5f198b5369be17ee07870f", + "sha256:4a4c3fe4d6e7c639c58d864abd3321ff89e06ed9fe0dda9cffa38cf75c279872", + "sha256:75960f7ec704b1afc47685bd8ae9be781c3c507d4b827e82f668ed63f1912703", + "sha256:fc62225e78901f7a6467f5844a42282275276096a98fcbd94371a8118db23b40", + "sha256:0341dc8fe5ffd6462b0e91883506f9377e67d63714b2f71bbc0ee11108a04abb" + ], + "RepoTags": [ + "laeeqa222/myrepo:4a6bb4fb-218-93" + ], + "RepoDigests": [ + "laeeqa222/myrepo@sha256:10f8ae8d1d4b0d19bb7cca7a93c44b3d7aa7f9009da05bd096f6771d397c44e9" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2024-04-15T12:12:48.165523396Z", + "docker_version": "20.10.24", + "history": [ + { + "created": "2024-02-14T18:24:57Z", + "created_by": "/bin/sh -c #(nop) ADD file:d4bb05cb4d403a78b4ab5cd8d620330659d5aeb25f847d104ebc02c3a0f32624 in / " + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "LABEL maintainer=NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "ENV NGINX_VERSION=1.25.4", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "ENV NJS_VERSION=0.8.3", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "ENV PKG_RELEASE=1~bookworm", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "RUN /bin/sh -c set -x \u0026\u0026 groupadd --system --gid 101 nginx \u0026\u0026 useradd --system --gid nginx --no-create-home --home /nonexistent --comment \"nginx user\" --shell /bin/false --uid 101 nginx \u0026\u0026 apt-get update \u0026\u0026 apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \u0026\u0026 NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; export GNUPGHOME=\"$(mktemp -d)\"; found=''; for server in hkp://keyserver.ubuntu.com:80 pgp.mit.edu ; do echo \"Fetching GPG key $NGINX_GPGKEY from $server\"; gpg1 --keyserver \"$server\" --keyserver-options timeout=10 --recv-keys \"$NGINX_GPGKEY\" \u0026\u0026 found=yes \u0026\u0026 break; done; test -z \"$found\" \u0026\u0026 echo \u003e\u00262 \"error: failed to fetch GPG key $NGINX_GPGKEY\" \u0026\u0026 exit 1; gpg1 --export \"$NGINX_GPGKEY\" \u003e \"$NGINX_GPGKEY_PATH\" ; rm -rf \"$GNUPGHOME\"; apt-get remove --purge --auto-remove -y gnupg1 \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 dpkgArch=\"$(dpkg --print-architecture)\" \u0026\u0026 nginxPackages=\" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \" \u0026\u0026 case \"$dpkgArch\" in amd64|arm64) echo \"deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx\" \u003e\u003e /etc/apt/sources.list.d/nginx.list \u0026\u0026 apt-get update ;; *) echo \"deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx\" \u003e\u003e /etc/apt/sources.list.d/nginx.list \u0026\u0026 tempDir=\"$(mktemp -d)\" \u0026\u0026 chmod 777 \"$tempDir\" \u0026\u0026 savedAptMark=\"$(apt-mark showmanual)\" \u0026\u0026 apt-get update \u0026\u0026 apt-get build-dep -y $nginxPackages \u0026\u0026 ( cd \"$tempDir\" \u0026\u0026 DEB_BUILD_OPTIONS=\"nocheck parallel=$(nproc)\" apt-get source --compile $nginxPackages ) \u0026\u0026 apt-mark showmanual | xargs apt-mark auto \u003e /dev/null \u0026\u0026 { [ -z \"$savedAptMark\" ] || apt-mark manual $savedAptMark; } \u0026\u0026 ls -lAFh \"$tempDir\" \u0026\u0026 ( cd \"$tempDir\" \u0026\u0026 dpkg-scanpackages . \u003e Packages ) \u0026\u0026 grep '^Package: ' \"$tempDir/Packages\" \u0026\u0026 echo \"deb [ trusted=yes ] file://$tempDir ./\" \u003e /etc/apt/sources.list.d/temp.list \u0026\u0026 apt-get -o Acquire::GzipIndexes=false update ;; esac \u0026\u0026 apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base curl \u0026\u0026 apt-get remove --purge --auto-remove -y \u0026\u0026 rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \u0026\u0026 if [ -n \"$tempDir\" ]; then apt-get purge -y --auto-remove \u0026\u0026 rm -rf \"$tempDir\" /etc/apt/sources.list.d/temp.list; fi \u0026\u0026 ln -sf /dev/stdout /var/log/nginx/access.log \u0026\u0026 ln -sf /dev/stderr /var/log/nginx/error.log \u0026\u0026 mkdir /docker-entrypoint.d # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "COPY docker-entrypoint.sh / # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "COPY 15-local-resolvers.envsh /docker-entrypoint.d # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "COPY 20-envsubst-on-templates.sh /docker-entrypoint.d # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "COPY 30-tune-worker-processes.sh /docker-entrypoint.d # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "ENTRYPOINT [\"/docker-entrypoint.sh\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "EXPOSE map[80/tcp:{}]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "STOPSIGNAL SIGQUIT", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-02-14T18:24:57Z", + "created_by": "CMD [\"nginx\" \"-g\" \"daemon off;\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2024-04-15T12:12:48.165523396Z", + "created_by": "/bin/sh -c #(nop) COPY dir:ee4c53aecffa59a7232a5285bb31df74cf2b0e21a91da30c635664498667ed56 in /usr/share/nginx/html " + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f", + "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b", + "sha256:2ee294939e65b5486fa823365302c086df8a03ac6064c8a58ebcbb81a85baf86", + "sha256:c4484f227d5e1d3074ee6a30ffaa0bc67a13a1b83f5f198b5369be17ee07870f", + "sha256:4a4c3fe4d6e7c639c58d864abd3321ff89e06ed9fe0dda9cffa38cf75c279872", + "sha256:75960f7ec704b1afc47685bd8ae9be781c3c507d4b827e82f668ed63f1912703", + "sha256:fc62225e78901f7a6467f5844a42282275276096a98fcbd94371a8118db23b40", + "sha256:0341dc8fe5ffd6462b0e91883506f9377e67d63714b2f71bbc0ee11108a04abb" + ] + }, + "config": { + "Cmd": [ + "nginx", + "-g", + "daemon off;" + ], + "Entrypoint": [ + "/docker-entrypoint.sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "NGINX_VERSION=1.25.4", + "NJS_VERSION=0.8.3", + "PKG_RELEASE=1~bookworm" + ], + "Image": "sha256:c613f16b664244b150d1c3644cbc387ec1fe8376377f9419992280eb4a82ff3b", + "Labels": { + "maintainer": "NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e" + }, + "ExposedPorts": { + "80/tcp": {} + }, + "ArgsEscaped": true, + "StopSignal": "SIGQUIT" + } + } + }, + "Results": [ + { + "Target": "laeeqa222/myrepo:4a6bb4fb-218-93 (debian 12.5)", + "Class": "os-pkgs", + "Type": "debian", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2011-3374", + "PkgID": "apt@2.6.1", + "PkgName": "apt", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/apt@2.6.1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.6.1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-3374", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "It was found that apt-key in apt, all versions, do not correctly valid ...", + "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "Severity": "LOW", + "CweIDs": [ + "CWE-347" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 4.3, + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://seclists.org/fulldisclosure/2011/Sep/221", + "https://security-tracker.debian.org/tracker/CVE-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518", + "https://ubuntu.com/security/CVE-2011-3374" + ], + "PublishedDate": "2019-11-26T00:15:11.03Z", + "LastModifiedDate": "2021-02-09T16:08:18.683Z" + }, + { + "VulnerabilityID": "TEMP-0841856-B18BAF", + "PkgID": "bash@5.2.15-2+b2", + "PkgName": "bash", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/bash@5.2.15-2%2Bb2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "5.2.15-2+b2", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "[Privilege escalation possible to other user than root]", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + } + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "bsdutils@1:2.38.1-5+deb12u1", + "PkgName": "bsdutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/bsdutils@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2016-2781", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "9.1-1", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "LOW", + "CweIDs": [ + "CWE-20" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "V2Score": 2.1, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "V2Score": 6.2, + "V3Score": 8.6 + } + }, + "References": [ + "http://seclists.org/oss-sec/2016/q1/452", + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3", + "https://access.redhat.com/security/cve/CVE-2016-2781", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://lore.kernel.org/patchwork/patch/793178/", + "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", + "https://www.cve.org/CVERecord?id=CVE-2016-2781" + ], + "PublishedDate": "2017-02-07T15:59:00.333Z", + "LastModifiedDate": "2023-11-07T02:32:03.347Z" + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgID": "coreutils@9.1-1", + "PkgName": "coreutils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/coreutils@9.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "9.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18018", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "LOW", + "CweIDs": [ + "CWE-362" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 1.9, + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 4.2 + } + }, + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html", + "https://access.redhat.com/security/cve/CVE-2017-18018", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18018", + "https://www.cve.org/CVERecord?id=CVE-2017-18018" + ], + "PublishedDate": "2018-01-04T04:29:00.19Z", + "LastModifiedDate": "2018-01-19T15:46:46.05Z" + }, + { + "VulnerabilityID": "CVE-2024-2398", + "PkgID": "curl@7.88.1-10+deb12u5", + "PkgName": "curl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2398", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: HTTP/2 push headers memory-leak", + "Description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "Severity": "HIGH", + "VendorSeverity": { + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2398", + "https://curl.se/docs/CVE-2024-2398.html", + "https://curl.se/docs/CVE-2024-2398.json", + "https://hackerone.com/reports/2402845", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2398", + "https://ubuntu.com/security/notices/USN-6718-1", + "https://ubuntu.com/security/notices/USN-6718-2", + "https://www.cve.org/CVERecord?id=CVE-2024-2398" + ], + "PublishedDate": "2024-03-27T08:15:41.283Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2024-2004", + "PkgID": "curl@7.88.1-10+deb12u5", + "PkgName": "curl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2004", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: Usage of disabled protocol", + "Description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "Severity": "MEDIUM", + "VendorSeverity": { + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2004", + "https://curl.se/docs/CVE-2024-2004.html", + "https://curl.se/docs/CVE-2024-2004.json", + "https://hackerone.com/reports/2384833", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2004", + "https://ubuntu.com/security/notices/USN-6718-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2004" + ], + "PublishedDate": "2024-03-27T08:15:41.173Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2024-2379", + "PkgID": "curl@7.88.1-10+deb12u5", + "PkgName": "curl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2379", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: QUIC certificate check bypass with wolfSSL", + "Description": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 5.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2379", + "https://curl.se/docs/CVE-2024-2379.html", + "https://curl.se/docs/CVE-2024-2379.json", + "https://hackerone.com/reports/2410774", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2379", + "https://www.cve.org/CVERecord?id=CVE-2024-2379" + ], + "PublishedDate": "2024-03-27T08:15:41.23Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2023-4039", + "PkgID": "gcc-12-base@12.2.0-14", + "PkgName": "gcc-12-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4039", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64", + "Description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-693" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 4.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-4039", + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt", + "https://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "https://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org", + "https://linux.oracle.com/cve/CVE-2023-4039.html", + "https://linux.oracle.com/errata/ELSA-2023-28766.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4039" + ], + "PublishedDate": "2023-09-13T09:15:15.69Z", + "LastModifiedDate": "2024-02-19T23:15:07.68Z" + }, + { + "VulnerabilityID": "CVE-2022-27943", + "PkgID": "gcc-12-base@12.2.0-14", + "PkgName": "gcc-12-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/gcc-12-base@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27943", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const", + "Description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "amazon": 1, + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-27943", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead", + "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995", + "https://www.cve.org/CVERecord?id=CVE-2022-27943" + ], + "PublishedDate": "2022-03-26T13:15:07.9Z", + "LastModifiedDate": "2023-11-07T03:45:32.64Z" + }, + { + "VulnerabilityID": "CVE-2022-3219", + "PkgID": "gpgv@2.2.40-1.1", + "PkgName": "gpgv", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/gpgv@2.2.40-1.1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.2.40-1.1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3219", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "denial of service issue (resource consumption) using compressed packets", + "Description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 1, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security\u0026m=165696590211434\u0026w=4", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "https://security.netapp.com/advisory/ntap-20230324-0001/", + "https://www.cve.org/CVERecord?id=CVE-2022-3219" + ], + "PublishedDate": "2023-02-23T20:15:12.393Z", + "LastModifiedDate": "2023-05-26T16:31:34.07Z" + }, + { + "VulnerabilityID": "CVE-2023-6879", + "PkgID": "libaom3@3.6.0-1", + "PkgName": "libaom3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.6.0-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6879", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "aom: heap-buffer-overflow on frame size change", + "Description": "Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().\n\n", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-787", + "CWE-20" + ], + "VendorSeverity": { + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6879", + "https://aomedia.googlesource.com/aom/+/refs/tags/v3.7.1", + "https://crbug.com/aomedia/3491", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6879", + "https://www.cve.org/CVERecord?id=CVE-2023-6879" + ], + "PublishedDate": "2023-12-27T23:15:07.53Z", + "LastModifiedDate": "2024-02-02T02:27:15.863Z" + }, + { + "VulnerabilityID": "CVE-2023-39616", + "PkgID": "libaom3@3.6.0-1", + "PkgName": "libaom3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.6.0-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39616", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...", + "Description": "AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3" + ], + "PublishedDate": "2023-08-29T17:15:12.633Z", + "LastModifiedDate": "2023-08-31T20:23:23.827Z" + }, + { + "VulnerabilityID": "CVE-2011-3374", + "PkgID": "libapt-pkg6.0@2.6.1", + "PkgName": "libapt-pkg6.0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libapt-pkg6.0@2.6.1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.6.1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-3374", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "It was found that apt-key in apt, all versions, do not correctly valid ...", + "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "Severity": "LOW", + "CweIDs": [ + "CWE-347" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 4.3, + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://seclists.org/fulldisclosure/2011/Sep/221", + "https://security-tracker.debian.org/tracker/CVE-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518", + "https://ubuntu.com/security/CVE-2011-3374" + ], + "PublishedDate": "2019-11-26T00:15:11.03Z", + "LastModifiedDate": "2021-02-09T16:08:18.683Z" + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "libblkid1@2.38.1-5+deb12u1", + "PkgName": "libblkid1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libblkid1@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": "2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2021-09-01T12:15:07.193Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2023-11-07T02:56:20.983Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-04-11T01:03:18.89Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-04-11T01:03:18.97Z" + }, + { + "VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + "https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-04-11T01:03:19.04Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-04-11T01:03:19.103Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc-bin@2.36-9+deb12u4", + "PkgName": "libc-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc-bin@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-04-11T01:06:17.28Z" + }, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": "2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2021-09-01T12:15:07.193Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2023-11-07T02:56:20.983Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-04-11T01:03:18.89Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-04-11T01:03:18.97Z" + }, + { + "VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + "https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-04-11T01:03:19.04Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-04-11T01:03:19.103Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc6@2.36-9+deb12u4", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.36-9+deb12u4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-04-11T01:06:17.28Z" + }, + { + "VulnerabilityID": "CVE-2024-2398", + "PkgID": "libcurl4@7.88.1-10+deb12u5", + "PkgName": "libcurl4", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2398", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: HTTP/2 push headers memory-leak", + "Description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "Severity": "HIGH", + "VendorSeverity": { + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2398", + "https://curl.se/docs/CVE-2024-2398.html", + "https://curl.se/docs/CVE-2024-2398.json", + "https://hackerone.com/reports/2402845", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2398", + "https://ubuntu.com/security/notices/USN-6718-1", + "https://ubuntu.com/security/notices/USN-6718-2", + "https://www.cve.org/CVERecord?id=CVE-2024-2398" + ], + "PublishedDate": "2024-03-27T08:15:41.283Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2024-2004", + "PkgID": "libcurl4@7.88.1-10+deb12u5", + "PkgName": "libcurl4", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2004", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: Usage of disabled protocol", + "Description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "Severity": "MEDIUM", + "VendorSeverity": { + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2004", + "https://curl.se/docs/CVE-2024-2004.html", + "https://curl.se/docs/CVE-2024-2004.json", + "https://hackerone.com/reports/2384833", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2004", + "https://ubuntu.com/security/notices/USN-6718-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2004" + ], + "PublishedDate": "2024-03-27T08:15:41.173Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2024-2379", + "PkgID": "libcurl4@7.88.1-10+deb12u5", + "PkgName": "libcurl4", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "7.88.1-10+deb12u5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2379", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "curl: QUIC certificate check bypass with wolfSSL", + "Description": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 5.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2379", + "https://curl.se/docs/CVE-2024-2379.html", + "https://curl.se/docs/CVE-2024-2379.json", + "https://hackerone.com/reports/2410774", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2379", + "https://www.cve.org/CVERecord?id=CVE-2024-2379" + ], + "PublishedDate": "2024-03-27T08:15:41.23Z", + "LastModifiedDate": "2024-03-27T12:29:30.307Z" + }, + { + "VulnerabilityID": "CVE-2023-32570", + "PkgID": "libdav1d6@1.0.0-2", + "PkgName": "libdav1d6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.0.0-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32570", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that ca ...", + "Description": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-362" + ], + "VendorSeverity": { + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://code.videolan.org/videolan/dav1d/-/commit/cf617fdae0b9bfabd27282854c8e81450d955efa", + "https://code.videolan.org/videolan/dav1d/-/tags/1.2.0", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WGSO7UMOF4MVLQ5H6KIV7OG6ONS377B/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXZ6CUNJFDJLCFOZHY2TIGMCAEITLCRP/", + "https://security.gentoo.org/glsa/202310-05" + ], + "PublishedDate": "2023-05-10T05:15:12.19Z", + "LastModifiedDate": "2023-11-07T04:14:35.38Z" + }, + { + "VulnerabilityID": "CVE-2024-1580", + "PkgID": "libdav1d6@1.0.0-2", + "PkgName": "libdav1d6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libdav1d6@1.0.0-2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.0.0-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-1580", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An integer overflow in dav1d AV1 decoder that can occur when decoding ...", + "Description": "An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.\n\n\n\n", + "Severity": "UNKNOWN", + "CweIDs": [ + "CWE-190" + ], + "References": [ + "http://seclists.org/fulldisclosure/2024/Mar/36", + "http://seclists.org/fulldisclosure/2024/Mar/37", + "http://seclists.org/fulldisclosure/2024/Mar/38", + "http://seclists.org/fulldisclosure/2024/Mar/39", + "http://seclists.org/fulldisclosure/2024/Mar/40", + "http://seclists.org/fulldisclosure/2024/Mar/41", + "https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS", + "https://code.videolan.org/videolan/dav1d/-/releases/1.4.0", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/", + "https://support.apple.com/kb/HT214093", + "https://support.apple.com/kb/HT214094", + "https://support.apple.com/kb/HT214095", + "https://support.apple.com/kb/HT214096", + "https://support.apple.com/kb/HT214097", + "https://support.apple.com/kb/HT214098" + ], + "PublishedDate": "2024-02-19T11:15:08.817Z", + "LastModifiedDate": "2024-03-27T18:15:09.063Z" + }, + { + "VulnerabilityID": "CVE-2023-52425", + "PkgID": "libexpat1@2.5.0-1", + "PkgName": "libexpat1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.0-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-52425", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "expat: parsing large tokens can trigger a denial of service", + "Description": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 2, + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:1530", + "https://access.redhat.com/security/cve/CVE-2023-52425", + "https://bugzilla.redhat.com/2262877", + "https://bugzilla.redhat.com/2268766", + "https://bugzilla.redhat.com/show_bug.cgi?id=2262877", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425", + "https://errata.almalinux.org/9/ALSA-2024-1530.html", + "https://errata.rockylinux.org/RLSA-2024:1615", + "https://github.com/libexpat/libexpat/pull/789", + "https://linux.oracle.com/cve/CVE-2023-52425.html", + "https://linux.oracle.com/errata/ELSA-2024-1615.html", + "https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-52425", + "https://ubuntu.com/security/notices/USN-6694-1", + "https://www.cve.org/CVERecord?id=CVE-2023-52425" + ], + "PublishedDate": "2024-02-04T20:15:46.063Z", + "LastModifiedDate": "2024-04-09T06:15:07.55Z" + }, + { + "VulnerabilityID": "CVE-2023-52426", + "PkgID": "libexpat1@2.5.0-1", + "PkgName": "libexpat1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.0-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-52426", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "expat: recursive XML entity expansion vulnerability", + "Description": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", + "Severity": "LOW", + "CweIDs": [ + "CWE-776" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-52426", + "https://cwe.mitre.org/data/definitions/776.html", + "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", + "https://github.com/libexpat/libexpat/pull/777", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-52426", + "https://security.netapp.com/advisory/ntap-20240307-0005/", + "https://www.cve.org/CVERecord?id=CVE-2023-52426" + ], + "PublishedDate": "2024-02-04T20:15:46.12Z", + "LastModifiedDate": "2024-03-07T17:15:11.893Z" + }, + { + "VulnerabilityID": "CVE-2024-28757", + "PkgID": "libexpat1@2.5.0-1", + "PkgName": "libexpat1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libexpat1@2.5.0-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.0-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28757", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "expat: XML Entity Expansion", + "Description": "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", + "Severity": "LOW", + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "debian": 1, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:1530", + "https://access.redhat.com/security/cve/CVE-2024-28757", + "https://bugzilla.redhat.com/2262877", + "https://bugzilla.redhat.com/2268766", + "https://errata.almalinux.org/9/ALSA-2024-1530.html", + "https://github.com/libexpat/libexpat/issues/839", + "https://github.com/libexpat/libexpat/pull/842", + "https://linux.oracle.com/cve/CVE-2024-28757.html", + "https://linux.oracle.com/errata/ELSA-2024-1530.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28757", + "https://security.netapp.com/advisory/ntap-20240322-0001/", + "https://ubuntu.com/security/notices/USN-6694-1", + "https://www.cve.org/CVERecord?id=CVE-2024-28757" + ], + "PublishedDate": "2024-03-10T05:15:06.57Z", + "LastModifiedDate": "2024-03-23T03:15:11.92Z" + }, + { + "VulnerabilityID": "CVE-2023-4039", + "PkgID": "libgcc-s1@12.2.0-14", + "PkgName": "libgcc-s1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4039", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64", + "Description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-693" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 4.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-4039", + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt", + "https://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "https://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org", + "https://linux.oracle.com/cve/CVE-2023-4039.html", + "https://linux.oracle.com/errata/ELSA-2023-28766.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4039" + ], + "PublishedDate": "2023-09-13T09:15:15.69Z", + "LastModifiedDate": "2024-02-19T23:15:07.68Z" + }, + { + "VulnerabilityID": "CVE-2022-27943", + "PkgID": "libgcc-s1@12.2.0-14", + "PkgName": "libgcc-s1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgcc-s1@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27943", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const", + "Description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "amazon": 1, + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-27943", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead", + "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995", + "https://www.cve.org/CVERecord?id=CVE-2022-27943" + ], + "PublishedDate": "2022-03-26T13:15:07.9Z", + "LastModifiedDate": "2023-11-07T03:45:32.64Z" + }, + { + "VulnerabilityID": "CVE-2024-2236", + "PkgID": "libgcrypt20@1.10.1-3", + "PkgName": "libgcrypt20", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.10.1-3", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2236", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libgcrypt: vulnerable to Marvin Attack", + "Description": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-208" + ], + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2236", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268268", + "https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2236", + "https://www.cve.org/CVERecord?id=CVE-2024-2236" + ], + "PublishedDate": "2024-03-06T22:15:57.977Z", + "LastModifiedDate": "2024-03-07T13:52:27.11Z" + }, + { + "VulnerabilityID": "CVE-2018-6829", + "PkgID": "libgcrypt20@1.10.1-3", + "PkgName": "libgcrypt20", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.10.1-3", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-6829", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", + "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "Severity": "LOW", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-6829", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "https://www.cve.org/CVERecord?id=CVE-2018-6829", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ], + "PublishedDate": "2018-02-07T23:29:01.703Z", + "LastModifiedDate": "2020-01-15T20:15:18.557Z" + }, + { + "VulnerabilityID": "CVE-2024-28834", + "PkgID": "libgnutls30@3.7.9-2+deb12u2", + "PkgName": "libgnutls30", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.7.9-2+deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28834", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "gnutls: vulnerable to Minerva side-channel information leak", + "Description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "alma": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:1784", + "https://access.redhat.com/security/cve/CVE-2024-28834", + "https://bugzilla.redhat.com/2269228", + "https://bugzilla.redhat.com/show_bug.cgi?id=2269228", + "https://errata.almalinux.org/8/ALSA-2024-1784.html", + "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28834", + "https://people.redhat.com/~hkario/marvin/", + "https://www.cve.org/CVERecord?id=CVE-2024-28834", + "https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04" + ], + "PublishedDate": "2024-03-21T14:15:07.547Z", + "LastModifiedDate": "2024-04-11T23:15:09.37Z" + }, + { + "VulnerabilityID": "CVE-2024-28835", + "PkgID": "libgnutls30@3.7.9-2+deb12u2", + "PkgName": "libgnutls30", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.7.9-2+deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28835", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "gnutls: potential crash during chain building/verification", + "Description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-28835", + "https://bugzilla.redhat.com/show_bug.cgi?id=2269084", + "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28835", + "https://www.cve.org/CVERecord?id=CVE-2024-28835", + "https://www.gnutls.org/security-new.html#GNUTLS-SA-2024-01-23" + ], + "PublishedDate": "2024-03-21T06:15:45.113Z", + "LastModifiedDate": "2024-03-21T12:58:51.093Z" + }, + { + "VulnerabilityID": "CVE-2011-3389", + "PkgID": "libgnutls30@3.7.9-2+deb12u2", + "PkgName": "libgnutls30", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgnutls30@3.7.9-2%2Bdeb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.7.9-2+deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-3389", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", + "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", + "Severity": "LOW", + "CweIDs": [ + "CWE-326" + ], + "VendorSeverity": { + "amazon": 4, + "debian": 1, + "nvd": 2, + "oracle-oval": 4, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "V2Score": 4.3 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "V2Score": 4.3 + } + }, + "References": [ + "http://arcticdog.wordpress.com/2012/08/29/beast-openssl-and-apache/", + "http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/", + "http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx", + "http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx", + "http://curl.haxx.se/docs/adv_20120124B.html", + "http://downloads.asterisk.org/pub/security/AST-2016-001.html", + "http://ekoparty.org/2011/juliano-rizzo.php", + "http://eprint.iacr.org/2004/111", + "http://eprint.iacr.org/2006/136", + "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", + "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", + "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", + "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", + "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", + "http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html", + "http://lists.apple.com/archives/security-announce/2012/May/msg00001.html", + "http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html", + "http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html", + "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html", + "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", + "http://marc.info/?l=bugtraq\u0026m=132750579901589\u0026w=2", + "http://marc.info/?l=bugtraq\u0026m=132872385320240\u0026w=2", + "http://marc.info/?l=bugtraq\u0026m=133365109612558\u0026w=2", + "http://marc.info/?l=bugtraq\u0026m=133728004526190\u0026w=2", + "http://marc.info/?l=bugtraq\u0026m=134254866602253\u0026w=2", + "http://marc.info/?l=bugtraq\u0026m=134254957702612\u0026w=2", + "http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue", + "http://osvdb.org/74829", + "http://rhn.redhat.com/errata/RHSA-2012-0508.html", + "http://rhn.redhat.com/errata/RHSA-2013-1455.html", + "http://secunia.com/advisories/45791", + "http://secunia.com/advisories/47998", + "http://secunia.com/advisories/48256", + "http://secunia.com/advisories/48692", + "http://secunia.com/advisories/48915", + "http://secunia.com/advisories/48948", + "http://secunia.com/advisories/49198", + "http://secunia.com/advisories/55322", + "http://secunia.com/advisories/55350", + "http://secunia.com/advisories/55351", + "http://security.gentoo.org/glsa/glsa-201203-02.xml", + "http://security.gentoo.org/glsa/glsa-201406-32.xml", + "http://support.apple.com/kb/HT4999", + "http://support.apple.com/kb/HT5001", + "http://support.apple.com/kb/HT5130", + "http://support.apple.com/kb/HT5281", + "http://support.apple.com/kb/HT5501", + "http://support.apple.com/kb/HT6150", + "http://technet.microsoft.com/security/advisory/2588513", + "http://vnhacker.blogspot.com/2011/09/beast.html", + "http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf", + "http://www.debian.org/security/2012/dsa-2398", + "http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html", + "http://www.ibm.com/developerworks/java/jdk/alerts/", + "http://www.imperialviolet.org/2011/09/23/chromeandbeast.html", + "http://www.insecure.cl/Beast-SSL.rar", + "http://www.kb.cert.org/vuls/id/864643", + "http://www.mandriva.com/security/advisories?name=MDVSA-2012:058", + "http://www.opera.com/docs/changelogs/mac/1151/", + "http://www.opera.com/docs/changelogs/mac/1160/", + "http://www.opera.com/docs/changelogs/unix/1151/", + "http://www.opera.com/docs/changelogs/unix/1160/", + "http://www.opera.com/docs/changelogs/windows/1151/", + "http://www.opera.com/docs/changelogs/windows/1160/", + "http://www.opera.com/support/kb/view/1004/", + "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", + "http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html", + "http://www.redhat.com/support/errata/RHSA-2011-1384.html", + "http://www.redhat.com/support/errata/RHSA-2012-0006.html", + "http://www.securityfocus.com/bid/49388", + "http://www.securityfocus.com/bid/49778", + "http://www.securitytracker.com/id/1029190", + "http://www.securitytracker.com/id?1025997", + "http://www.securitytracker.com/id?1026103", + "http://www.securitytracker.com/id?1026704", + "http://www.ubuntu.com/usn/USN-1263-1", + "http://www.us-cert.gov/cas/techalerts/TA12-010A.html", + "https://access.redhat.com/security/cve/CVE-2011-3389", + "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail", + "https://bugzilla.novell.com/show_bug.cgi?id=719047", + "https://bugzilla.redhat.com/show_bug.cgi?id=737506", + "https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf", + "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006", + "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862", + "https://hermes.opensuse.org/messages/13154861", + "https://hermes.opensuse.org/messages/13155432", + "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", + "https://linux.oracle.com/cve/CVE-2011-3389.html", + "https://linux.oracle.com/errata/ELSA-2011-1380.html", + "https://nvd.nist.gov/vuln/detail/CVE-2011-3389", + "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752", + "https://ubuntu.com/security/notices/USN-1263-1", + "https://www.cve.org/CVERecord?id=CVE-2011-3389" + ], + "PublishedDate": "2011-09-06T19:55:03.197Z", + "LastModifiedDate": "2022-11-29T15:56:08.637Z" + }, + { + "VulnerabilityID": "CVE-2024-26462", + "PkgID": "libgssapi-krb5-2@1.20.1-2+deb12u1", + "PkgName": "libgssapi-krb5-2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26462", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/kdc/ndr.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "Severity": "HIGH", + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26462", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "https://www.cve.org/CVERecord?id=CVE-2024-26462" + ], + "PublishedDate": "2024-02-29T01:44:18.857Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26458", + "PkgID": "libgssapi-krb5-2@1.20.1-2+deb12u1", + "PkgName": "libgssapi-krb5-2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26458", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26458", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "https://www.cve.org/CVERecord?id=CVE-2024-26458" + ], + "PublishedDate": "2024-02-29T01:44:18.78Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26461", + "PkgID": "libgssapi-krb5-2@1.20.1-2+deb12u1", + "PkgName": "libgssapi-krb5-2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26461", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26461", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "https://www.cve.org/CVERecord?id=CVE-2024-26461" + ], + "PublishedDate": "2024-02-29T01:44:18.82Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2018-5709", + "PkgID": "libgssapi-krb5-2@1.20.1-2+deb12u1", + "PkgName": "libgssapi-krb5-2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libgssapi-krb5-2@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-5709", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", + "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "Severity": "LOW", + "CweIDs": [ + "CWE-190" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-5709", + "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", + "https://www.cve.org/CVERecord?id=CVE-2018-5709" + ], + "PublishedDate": "2018-01-16T09:29:00.5Z", + "LastModifiedDate": "2023-11-07T02:58:49.07Z" + }, + { + "VulnerabilityID": "CVE-2023-49460", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-49460", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libheif v1.17.5 was discovered to contain a segmentation violation via ...", + "Description": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.", + "Severity": "HIGH", + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://github.com/strukturag/libheif/issues/1046" + ], + "PublishedDate": "2023-12-07T20:15:38.14Z", + "LastModifiedDate": "2023-12-11T17:32:51.353Z" + }, + { + "VulnerabilityID": "CVE-2023-49462", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-49462", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libheif v1.17.5 was discovered to contain a segmentation violation via ...", + "Description": "libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.", + "Severity": "HIGH", + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://github.com/strukturag/libheif/issues/1043" + ], + "PublishedDate": "2023-12-07T20:15:38.19Z", + "LastModifiedDate": "2023-12-11T17:32:38.27Z" + }, + { + "VulnerabilityID": "CVE-2023-49463", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-49463", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libheif v1.17.5 was discovered to contain a segmentation violation via ...", + "Description": "libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.", + "Severity": "HIGH", + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://github.com/strukturag/libheif", + "https://github.com/strukturag/libheif/issues/1042" + ], + "PublishedDate": "2023-12-07T20:15:38.26Z", + "LastModifiedDate": "2023-12-11T17:32:07.403Z" + }, + { + "VulnerabilityID": "CVE-2023-49464", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-49464", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libheif v1.17.5 was discovered to contain a segmentation violation via ...", + "Description": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.", + "Severity": "HIGH", + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 8.8 + } + }, + "References": [ + "https://github.com/strukturag/libheif/issues/1044" + ], + "PublishedDate": "2023-12-07T20:15:38.32Z", + "LastModifiedDate": "2023-12-11T17:31:56.9Z" + }, + { + "VulnerabilityID": "CVE-2023-29659", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-29659", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "A Segmentation fault caused by a floating point exception exists in li ...", + "Description": "A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-369" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "github.com/strukturag/libheif", + "https://github.com/strukturag/libheif/commit/e05e15b57a38ec411cb9acb38512a1c36ff62991", + "https://github.com/strukturag/libheif/issues/794", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29659" + ], + "PublishedDate": "2023-05-05T16:15:09.387Z", + "LastModifiedDate": "2023-11-07T04:11:21.81Z" + }, + { + "VulnerabilityID": "CVE-2024-25269", + "PkgID": "libheif1@1.15.1-1", + "PkgName": "libheif1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libheif1@1.15.1-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.15.1-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-25269", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libheif \u003c= 1.17.6 contains a memory leak in the function JpegEncoder:: ...", + "Description": "libheif \u003c= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + }, + "References": [ + "https://github.com/strukturag/libheif/issues/1073" + ], + "PublishedDate": "2024-03-05T01:15:06.78Z", + "LastModifiedDate": "2024-03-05T13:41:01.9Z" + }, + { + "VulnerabilityID": "CVE-2017-9937", + "PkgID": "libjbig0@2.1-6.1", + "PkgName": "libjbig0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libjbig0@2.1-6.1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.1-6.1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-9937", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: memory malloc failure in tif_jbig.c could cause DOS.", + "Description": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + } + }, + "References": [ + "http://bugzilla.maptools.org/show_bug.cgi?id=2707", + "http://www.securityfocus.com/bid/99304", + "https://access.redhat.com/security/cve/CVE-2017-9937", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2017-9937", + "https://ubuntu.com/security/notices/USN-5742-1", + "https://www.cve.org/CVERecord?id=CVE-2017-9937" + ], + "PublishedDate": "2017-06-26T12:29:00.25Z", + "LastModifiedDate": "2023-11-07T02:50:55.877Z" + }, + { + "VulnerabilityID": "CVE-2024-26462", + "PkgID": "libk5crypto3@1.20.1-2+deb12u1", + "PkgName": "libk5crypto3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26462", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/kdc/ndr.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "Severity": "HIGH", + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26462", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "https://www.cve.org/CVERecord?id=CVE-2024-26462" + ], + "PublishedDate": "2024-02-29T01:44:18.857Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26458", + "PkgID": "libk5crypto3@1.20.1-2+deb12u1", + "PkgName": "libk5crypto3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26458", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26458", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "https://www.cve.org/CVERecord?id=CVE-2024-26458" + ], + "PublishedDate": "2024-02-29T01:44:18.78Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26461", + "PkgID": "libk5crypto3@1.20.1-2+deb12u1", + "PkgName": "libk5crypto3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26461", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26461", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "https://www.cve.org/CVERecord?id=CVE-2024-26461" + ], + "PublishedDate": "2024-02-29T01:44:18.82Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2018-5709", + "PkgID": "libk5crypto3@1.20.1-2+deb12u1", + "PkgName": "libk5crypto3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libk5crypto3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-5709", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", + "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "Severity": "LOW", + "CweIDs": [ + "CWE-190" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-5709", + "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", + "https://www.cve.org/CVERecord?id=CVE-2018-5709" + ], + "PublishedDate": "2018-01-16T09:29:00.5Z", + "LastModifiedDate": "2023-11-07T02:58:49.07Z" + }, + { + "VulnerabilityID": "CVE-2024-26462", + "PkgID": "libkrb5-3@1.20.1-2+deb12u1", + "PkgName": "libkrb5-3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26462", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/kdc/ndr.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "Severity": "HIGH", + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26462", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "https://www.cve.org/CVERecord?id=CVE-2024-26462" + ], + "PublishedDate": "2024-02-29T01:44:18.857Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26458", + "PkgID": "libkrb5-3@1.20.1-2+deb12u1", + "PkgName": "libkrb5-3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26458", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26458", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "https://www.cve.org/CVERecord?id=CVE-2024-26458" + ], + "PublishedDate": "2024-02-29T01:44:18.78Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26461", + "PkgID": "libkrb5-3@1.20.1-2+deb12u1", + "PkgName": "libkrb5-3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26461", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26461", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "https://www.cve.org/CVERecord?id=CVE-2024-26461" + ], + "PublishedDate": "2024-02-29T01:44:18.82Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2018-5709", + "PkgID": "libkrb5-3@1.20.1-2+deb12u1", + "PkgName": "libkrb5-3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-5709", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", + "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "Severity": "LOW", + "CweIDs": [ + "CWE-190" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-5709", + "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", + "https://www.cve.org/CVERecord?id=CVE-2018-5709" + ], + "PublishedDate": "2018-01-16T09:29:00.5Z", + "LastModifiedDate": "2023-11-07T02:58:49.07Z" + }, + { + "VulnerabilityID": "CVE-2024-26462", + "PkgID": "libkrb5support0@1.20.1-2+deb12u1", + "PkgName": "libkrb5support0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26462", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/kdc/ndr.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "Severity": "HIGH", + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26462", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "https://www.cve.org/CVERecord?id=CVE-2024-26462" + ], + "PublishedDate": "2024-02-29T01:44:18.857Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26458", + "PkgID": "libkrb5support0@1.20.1-2+deb12u1", + "PkgName": "libkrb5support0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26458", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26458", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "https://www.cve.org/CVERecord?id=CVE-2024-26458" + ], + "PublishedDate": "2024-02-29T01:44:18.78Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2024-26461", + "PkgID": "libkrb5support0@1.20.1-2+deb12u1", + "PkgName": "libkrb5support0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26461", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c", + "Description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "Severity": "MEDIUM", + "VendorSeverity": { + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-26461", + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "https://www.cve.org/CVERecord?id=CVE-2024-26461" + ], + "PublishedDate": "2024-02-29T01:44:18.82Z", + "LastModifiedDate": "2024-02-29T13:49:29.39Z" + }, + { + "VulnerabilityID": "CVE-2018-5709", + "PkgID": "libkrb5support0@1.20.1-2+deb12u1", + "PkgName": "libkrb5support0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libkrb5support0@1.20.1-2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.20.1-2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-5709", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", + "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "Severity": "LOW", + "CweIDs": [ + "CWE-190" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-5709", + "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", + "https://www.cve.org/CVERecord?id=CVE-2018-5709" + ], + "PublishedDate": "2018-01-16T09:29:00.5Z", + "LastModifiedDate": "2023-11-07T02:58:49.07Z" + }, + { + "VulnerabilityID": "CVE-2023-2953", + "PkgID": "libldap-2.5-0@2.5.13+dfsg-5", + "PkgName": "libldap-2.5-0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.13+dfsg-5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2953", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openldap: null pointer dereference in ber_memalloc_x function", + "Description": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "amazon": 2, + "bitnami": 3, + "nvd": 3, + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", + "V3Score": 7.1 + } + }, + "References": [ + "http://seclists.org/fulldisclosure/2023/Jul/47", + "http://seclists.org/fulldisclosure/2023/Jul/48", + "http://seclists.org/fulldisclosure/2023/Jul/52", + "https://access.redhat.com/security/cve/CVE-2023-2953", + "https://bugs.openldap.org/show_bug.cgi?id=9904", + "https://nvd.nist.gov/vuln/detail/CVE-2023-2953", + "https://security.netapp.com/advisory/ntap-20230703-0005/", + "https://support.apple.com/kb/HT213843", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://ubuntu.com/security/notices/USN-6197-1", + "https://ubuntu.com/security/notices/USN-6616-1", + "https://www.cve.org/CVERecord?id=CVE-2023-2953" + ], + "PublishedDate": "2023-05-30T22:15:10.613Z", + "LastModifiedDate": "2023-08-02T16:46:03.663Z" + }, + { + "VulnerabilityID": "CVE-2015-3276", + "PkgID": "libldap-2.5-0@2.5.13+dfsg-5", + "PkgName": "libldap-2.5-0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.13+dfsg-5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-3276", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "incorrect multi-keyword mode cipherstring parsing", + "Description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", + "Severity": "LOW", + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V2Score": 4.3 + } + }, + "References": [ + "http://rhn.redhat.com/errata/RHSA-2015-2131.html", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", + "http://www.securitytracker.com/id/1034221", + "https://access.redhat.com/security/cve/CVE-2015-3276", + "https://bugzilla.redhat.com/show_bug.cgi?id=1238322", + "https://linux.oracle.com/cve/CVE-2015-3276.html", + "https://linux.oracle.com/errata/ELSA-2015-2131.html", + "https://nvd.nist.gov/vuln/detail/CVE-2015-3276", + "https://www.cve.org/CVERecord?id=CVE-2015-3276" + ], + "PublishedDate": "2015-12-07T20:59:03.023Z", + "LastModifiedDate": "2023-04-28T18:28:40.45Z" + }, + { + "VulnerabilityID": "CVE-2017-14159", + "PkgID": "libldap-2.5-0@2.5.13+dfsg-5", + "PkgName": "libldap-2.5-0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.13+dfsg-5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-14159", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openldap: Privilege escalation via PID file manipulation", + "Description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", + "Severity": "LOW", + "CweIDs": [ + "CWE-665" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 1.9, + "V3Score": 4.7 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 4.4 + } + }, + "References": [ + "http://www.openldap.org/its/index.cgi?findid=8703", + "https://access.redhat.com/security/cve/CVE-2017-14159", + "https://nvd.nist.gov/vuln/detail/CVE-2017-14159", + "https://www.cve.org/CVERecord?id=CVE-2017-14159", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2017-09-05T18:29:00.133Z", + "LastModifiedDate": "2022-06-13T19:18:13.177Z" + }, + { + "VulnerabilityID": "CVE-2017-17740", + "PkgID": "libldap-2.5-0@2.5.13+dfsg-5", + "PkgName": "libldap-2.5-0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.13+dfsg-5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-17740", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service", + "Description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html", + "http://www.openldap.org/its/index.cgi/Incoming?id=8759", + "https://access.redhat.com/security/cve/CVE-2017-17740", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://nvd.nist.gov/vuln/detail/CVE-2017-17740", + "https://www.cve.org/CVERecord?id=CVE-2017-17740", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2017-12-18T06:29:00.397Z", + "LastModifiedDate": "2022-06-13T19:10:10.043Z" + }, + { + "VulnerabilityID": "CVE-2020-15719", + "PkgID": "libldap-2.5-0@2.5.13+dfsg-5", + "PkgName": "libldap-2.5-0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libldap-2.5-0@2.5.13%2Bdfsg-5?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.5.13+dfsg-5", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15719", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openldap: Certificate validation incorrectly matches name against CN-ID", + "Description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", + "Severity": "LOW", + "CweIDs": [ + "CWE-295" + ], + "VendorSeverity": { + "bitnami": 2, + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "V3Score": 4.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "V2Score": 4, + "V3Score": 4.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "V3Score": 4.2 + } + }, + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html", + "https://access.redhat.com/errata/RHBA-2019:3674", + "https://access.redhat.com/security/cve/CVE-2020-15719", + "https://bugs.openldap.org/show_bug.cgi?id=9266", + "https://bugzilla.redhat.com/show_bug.cgi?id=1740070", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15719", + "https://www.cve.org/CVERecord?id=CVE-2020-15719", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "PublishedDate": "2020-07-14T14:15:17.667Z", + "LastModifiedDate": "2022-05-12T15:01:09.437Z" + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "libmount1@2.38.1-5+deb12u1", + "PkgName": "libmount1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libmount1@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2024-28182", + "PkgID": "libnghttp2-14@1.52.0-1+deb12u1", + "PkgName": "libnghttp2-14", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libnghttp2-14@1.52.0-1%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.52.0-1+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28182", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "nghttp2: CONTINUATION frames DoS", + "Description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-28182", + "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm", + "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0", + "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9", + "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q", + "https://nowotarski.info/http2-continuation-flood/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28182", + "https://www.cve.org/CVERecord?id=CVE-2024-28182", + "https://www.kb.cert.org/vuls/id/421644" + ], + "PublishedDate": "2024-04-04T15:15:38.427Z", + "LastModifiedDate": "2024-04-04T16:33:06.61Z" + }, + { + "VulnerabilityID": "CVE-2024-22365", + "PkgID": "libpam-modules@1.5.2-6+deb12u1", + "PkgName": "libpam-modules", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libpam-modules@1.5.2-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.5.2-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22365", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "pam: allowing unprivileged user to block another user namespace", + "Description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 1, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/01/18/3", + "https://access.redhat.com/security/cve/CVE-2024-22365", + "https://github.com/linux-pam/linux-pam", + "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", + "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22365", + "https://ubuntu.com/security/notices/USN-6588-1", + "https://ubuntu.com/security/notices/USN-6588-2", + "https://www.cve.org/CVERecord?id=CVE-2024-22365", + "https://www.openwall.com/lists/oss-security/2024/01/18/3" + ], + "PublishedDate": "2024-02-06T08:15:52.203Z", + "LastModifiedDate": "2024-02-14T00:27:40.143Z" + }, + { + "VulnerabilityID": "CVE-2024-22365", + "PkgID": "libpam-modules-bin@1.5.2-6+deb12u1", + "PkgName": "libpam-modules-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libpam-modules-bin@1.5.2-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.5.2-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22365", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "pam: allowing unprivileged user to block another user namespace", + "Description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 1, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/01/18/3", + "https://access.redhat.com/security/cve/CVE-2024-22365", + "https://github.com/linux-pam/linux-pam", + "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", + "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22365", + "https://ubuntu.com/security/notices/USN-6588-1", + "https://ubuntu.com/security/notices/USN-6588-2", + "https://www.cve.org/CVERecord?id=CVE-2024-22365", + "https://www.openwall.com/lists/oss-security/2024/01/18/3" + ], + "PublishedDate": "2024-02-06T08:15:52.203Z", + "LastModifiedDate": "2024-02-14T00:27:40.143Z" + }, + { + "VulnerabilityID": "CVE-2024-22365", + "PkgID": "libpam-runtime@1.5.2-6+deb12u1", + "PkgName": "libpam-runtime", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libpam-runtime@1.5.2-6%2Bdeb12u1?arch=all\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.5.2-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22365", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "pam: allowing unprivileged user to block another user namespace", + "Description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 1, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/01/18/3", + "https://access.redhat.com/security/cve/CVE-2024-22365", + "https://github.com/linux-pam/linux-pam", + "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", + "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22365", + "https://ubuntu.com/security/notices/USN-6588-1", + "https://ubuntu.com/security/notices/USN-6588-2", + "https://www.cve.org/CVERecord?id=CVE-2024-22365", + "https://www.openwall.com/lists/oss-security/2024/01/18/3" + ], + "PublishedDate": "2024-02-06T08:15:52.203Z", + "LastModifiedDate": "2024-02-14T00:27:40.143Z" + }, + { + "VulnerabilityID": "CVE-2024-22365", + "PkgID": "libpam0g@1.5.2-6+deb12u1", + "PkgName": "libpam0g", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libpam0g@1.5.2-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.5.2-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22365", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "pam: allowing unprivileged user to block another user namespace", + "Description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 1, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/01/18/3", + "https://access.redhat.com/security/cve/CVE-2024-22365", + "https://github.com/linux-pam/linux-pam", + "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", + "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22365", + "https://ubuntu.com/security/notices/USN-6588-1", + "https://ubuntu.com/security/notices/USN-6588-2", + "https://www.cve.org/CVERecord?id=CVE-2024-22365", + "https://www.openwall.com/lists/oss-security/2024/01/18/3" + ], + "PublishedDate": "2024-02-06T08:15:52.203Z", + "LastModifiedDate": "2024-02-14T00:27:40.143Z" + }, + { + "VulnerabilityID": "CVE-2021-4214", + "PkgID": "libpng16-16@1.6.39-2", + "PkgName": "libpng16-16", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libpng16-16@1.6.39-2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.6.39-2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-4214", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libpng: hardcoded value leads to heap-overflow", + "Description": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.", + "Severity": "LOW", + "CweIDs": [ + "CWE-120", + "CWE-787" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-4214", + "https://bugzilla.redhat.com/show_bug.cgi?id=2043393", + "https://github.com/glennrp/libpng/issues/302", + "https://nvd.nist.gov/vuln/detail/CVE-2021-4214", + "https://security-tracker.debian.org/tracker/CVE-2021-4214", + "https://security.netapp.com/advisory/ntap-20221020-0001/", + "https://www.cve.org/CVERecord?id=CVE-2021-4214" + ], + "PublishedDate": "2022-08-24T16:15:10.037Z", + "LastModifiedDate": "2022-11-08T02:32:10.533Z" + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "libsmartcols1@2.38.1-5+deb12u1", + "PkgName": "libsmartcols1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsmartcols1@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2023-5678", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", + "Description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-754" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 3, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:7877", + "https://access.redhat.com/security/cve/CVE-2023-5678", + "https://bugzilla.redhat.com/2224962", + "https://bugzilla.redhat.com/2227852", + "https://bugzilla.redhat.com/2248616", + "https://errata.almalinux.org/8/ALSA-2023-7877.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://linux.oracle.com/cve/CVE-2023-5678.html", + "https://linux.oracle.com/errata/ELSA-2024-12056.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5678", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "PublishedDate": "2023-11-06T16:15:42.67Z", + "LastModifiedDate": "2023-11-30T22:15:09.723Z" + }, + { + "VulnerabilityID": "CVE-2023-6129", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6129", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC", + "Description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6129", + "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6129", + "https://security.netapp.com/advisory/ntap-20240216-0009/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6129", + "https://www.openssl.org/news/secadv/20240109.txt", + "https://www.openwall.com/lists/oss-security/2024/01/09/1" + ], + "PublishedDate": "2024-01-09T17:15:12.147Z", + "LastModifiedDate": "2024-02-16T13:15:09.91Z" + }, + { + "VulnerabilityID": "CVE-2023-6237", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6237", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Excessive time spent checking invalid RSA public keys", + "Description": "A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6237", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6237", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6237", + "https://www.openssl.org/news/secadv/20240115.txt", + "https://www.openwall.com/lists/oss-security/2024/01/15/2" + ] + }, + { + "VulnerabilityID": "CVE-2024-0727", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: denial of service via null dereference", + "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 3, + "ghsa": 2, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-0727", + "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "https://github.com/github/advisory-database/pull/3472", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.com/openssl/openssl/pull/23362", + "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "https://security.netapp.com/advisory/ntap-20240208-0006", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2024-0727", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "PublishedDate": "2024-01-26T09:15:07.637Z", + "LastModifiedDate": "2024-02-08T10:15:13.91Z" + }, + { + "VulnerabilityID": "CVE-2007-6755", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2007-6755", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "Dual_EC_DRBG: weak pseudo random number generator", + "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", + "Severity": "LOW", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 5.8 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 5.8 + } + }, + "References": [ + "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", + "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", + "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", + "http://rump2007.cr.yp.to/15-shumow.pdf", + "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", + "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", + "http://www.securityfocus.com/bid/63657", + "https://access.redhat.com/security/cve/CVE-2007-6755", + "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", + "https://www.cve.org/CVERecord?id=CVE-2007-6755", + "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" + ], + "PublishedDate": "2013-10-11T22:55:33.58Z", + "LastModifiedDate": "2022-11-01T14:44:55.093Z" + }, + { + "VulnerabilityID": "CVE-2010-0928", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-0928", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: RSA authentication weakness", + "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-310" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:H/Au:N/C:C/I:N/A:N", + "V2Score": 4 + } + }, + "References": [ + "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", + "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf", + "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", + "http://www.osvdb.org/62808", + "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", + "https://access.redhat.com/security/cve/CVE-2010-0928", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750", + "https://nvd.nist.gov/vuln/detail/CVE-2010-0928", + "https://www.cve.org/CVERecord?id=CVE-2010-0928" + ], + "PublishedDate": "2010-03-05T19:30:00.797Z", + "LastModifiedDate": "2023-11-07T02:05:11.413Z" + }, + { + "VulnerabilityID": "CVE-2024-2511", + "PkgID": "libssl3@3.0.11-1~deb12u2", + "PkgName": "libssl3", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2511", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Unbounded memory growth with session handling in TLSv1.3", + "Description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "Severity": "LOW", + "VendorSeverity": { + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2511", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.openssl.org/news/vulnerabilities.html" + ], + "PublishedDate": "2024-04-08T14:15:07.66Z", + "LastModifiedDate": "2024-04-08T18:48:40.217Z" + }, + { + "VulnerabilityID": "CVE-2023-4039", + "PkgID": "libstdc++6@12.2.0-14", + "PkgName": "libstdc++6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4039", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64", + "Description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-693" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 1, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 4.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-4039", + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt", + "https://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", + "https://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org", + "https://linux.oracle.com/cve/CVE-2023-4039.html", + "https://linux.oracle.com/errata/ELSA-2023-28766.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4039" + ], + "PublishedDate": "2023-09-13T09:15:15.69Z", + "LastModifiedDate": "2024-02-19T23:15:07.68Z" + }, + { + "VulnerabilityID": "CVE-2022-27943", + "PkgID": "libstdc++6@12.2.0-14", + "PkgName": "libstdc++6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libstdc%2B%2B6@12.2.0-14?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "12.2.0-14", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27943", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const", + "Description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "amazon": 1, + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-27943", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79", + "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead", + "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995", + "https://www.cve.org/CVERecord?id=CVE-2022-27943" + ], + "PublishedDate": "2022-03-26T13:15:07.9Z", + "LastModifiedDate": "2023-11-07T03:45:32.64Z" + }, + { + "VulnerabilityID": "CVE-2023-50387", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50387", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator", + "Description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/02/16/2", + "http://www.openwall.com/lists/oss-security/2024/02/16/3", + "https://access.redhat.com/errata/RHSA-2024:1789", + "https://access.redhat.com/security/cve/CVE-2023-50387", + "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released", + "https://bugzilla.redhat.com/2263896", + "https://bugzilla.redhat.com/2263897", + "https://bugzilla.redhat.com/2263909", + "https://bugzilla.redhat.com/2263911", + "https://bugzilla.redhat.com/2263914", + "https://bugzilla.redhat.com/2263917", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263914", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263917", + "https://bugzilla.suse.com/show_bug.cgi?id=1219823", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868", + "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", + "https://errata.almalinux.org/9/ALSA-2024-1789.html", + "https://errata.rockylinux.org/RLSA-2024:1335", + "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", + "https://kb.isc.org/docs/cve-2023-50387", + "https://linux.oracle.com/cve/CVE-2023-50387.html", + "https://linux.oracle.com/errata/ELSA-2024-1789.html", + "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", + "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", + "https://news.ycombinator.com/item?id=39367411", + "https://news.ycombinator.com/item?id=39372384", + "https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt", + "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50387", + "https://security.netapp.com/advisory/ntap-20240307-0007/", + "https://ubuntu.com/security/notices/USN-6633-1", + "https://ubuntu.com/security/notices/USN-6642-1", + "https://ubuntu.com/security/notices/USN-6657-1", + "https://ubuntu.com/security/notices/USN-6665-1", + "https://ubuntu.com/security/notices/USN-6723-1", + "https://www.athene-center.de/aktuelles/key-trap", + "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", + "https://www.cve.org/CVERecord?id=CVE-2023-50387", + "https://www.isc.org/blogs/2024-bind-security-release/", + "https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html", + "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", + "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/" + ], + "PublishedDate": "2024-02-14T16:15:45.3Z", + "LastModifiedDate": "2024-03-07T17:15:11.587Z" + }, + { + "VulnerabilityID": "CVE-2023-50868", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50868", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources", + "Description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/02/16/2", + "http://www.openwall.com/lists/oss-security/2024/02/16/3", + "https://access.redhat.com/errata/RHSA-2024:1789", + "https://access.redhat.com/security/cve/CVE-2023-50868", + "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released", + "https://bugzilla.redhat.com/2263896", + "https://bugzilla.redhat.com/2263897", + "https://bugzilla.redhat.com/2263909", + "https://bugzilla.redhat.com/2263911", + "https://bugzilla.redhat.com/2263914", + "https://bugzilla.redhat.com/2263917", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263914", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263917", + "https://bugzilla.suse.com/show_bug.cgi?id=1219826", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868", + "https://datatracker.ietf.org/doc/html/rfc5155", + "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", + "https://errata.almalinux.org/9/ALSA-2024-1789.html", + "https://errata.rockylinux.org/RLSA-2024:1335", + "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", + "https://kb.isc.org/docs/cve-2023-50868", + "https://linux.oracle.com/cve/CVE-2023-50868.html", + "https://linux.oracle.com/errata/ELSA-2024-1789.html", + "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", + "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", + "https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt", + "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50868", + "https://security.netapp.com/advisory/ntap-20240307-0008/", + "https://ubuntu.com/security/notices/USN-6633-1", + "https://ubuntu.com/security/notices/USN-6642-1", + "https://ubuntu.com/security/notices/USN-6657-1", + "https://ubuntu.com/security/notices/USN-6665-1", + "https://ubuntu.com/security/notices/USN-6723-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50868", + "https://www.isc.org/blogs/2024-bind-security-release/", + "https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html" + ], + "PublishedDate": "2024-02-14T16:15:45.377Z", + "LastModifiedDate": "2024-03-07T17:15:11.817Z" + }, + { + "VulnerabilityID": "CVE-2013-4392", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2013-4392", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "Severity": "LOW", + "CweIDs": [ + "CWE-59" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 1, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 3.3 + }, + "redhat": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 3.3 + } + }, + "References": [ + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://access.redhat.com/security/cve/CVE-2013-4392", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060", + "https://nvd.nist.gov/vuln/detail/CVE-2013-4392", + "https://www.cve.org/CVERecord?id=CVE-2013-4392" + ], + "PublishedDate": "2013-10-28T22:55:03.773Z", + "LastModifiedDate": "2022-01-31T17:49:14.387Z" + }, + { + "VulnerabilityID": "CVE-2023-31437", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31437", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can modify a seale ...", + "Description": "An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.657Z", + "LastModifiedDate": "2024-04-11T01:20:11.607Z" + }, + { + "VulnerabilityID": "CVE-2023-31438", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31438", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", + "Description": "An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/pull/28886", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.707Z", + "LastModifiedDate": "2024-04-11T01:20:11.66Z" + }, + { + "VulnerabilityID": "CVE-2023-31439", + "PkgID": "libsystemd0@252.22-1~deb12u1", + "PkgName": "libsystemd0", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libsystemd0@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31439", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can modify the con ...", + "Description": "An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/pull/28885", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.753Z", + "LastModifiedDate": "2024-04-11T01:20:11.72Z" + }, + { + "VulnerabilityID": "CVE-2023-52355", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-52355", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: TIFFRasterScanlineSize64 produce too-big size and could cause OOM", + "Description": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "nvd": 3, + "photon": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-52355", + "https://bugzilla.redhat.com/show_bug.cgi?id=2251326", + "https://gitlab.com/libtiff/libtiff/-/issues/621", + "https://nvd.nist.gov/vuln/detail/CVE-2023-52355", + "https://www.cve.org/CVERecord?id=CVE-2023-52355" + ], + "PublishedDate": "2024-01-25T20:15:38.353Z", + "LastModifiedDate": "2024-02-04T20:15:45.9Z" + }, + { + "VulnerabilityID": "CVE-2023-52356", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-52356", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service", + "Description": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-787", + "CWE-122" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 3, + "nvd": 3, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-52356", + "https://bugzilla.redhat.com/show_bug.cgi?id=2251344", + "https://gitlab.com/libtiff/libtiff/-/issues/622", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/546", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-52356", + "https://ubuntu.com/security/notices/USN-6644-1", + "https://ubuntu.com/security/notices/USN-6644-2", + "https://www.cve.org/CVERecord?id=CVE-2023-52356" + ], + "PublishedDate": "2024-01-25T20:15:39.063Z", + "LastModifiedDate": "2024-03-11T13:15:52.753Z" + }, + { + "VulnerabilityID": "CVE-2023-25433", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-25433", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Buffer Overflow via /libtiff/tools/tiffcrop.c", + "Description": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-120" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-25433", + "https://gitlab.com/libtiff/libtiff/-/issues/520", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/467", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-25433", + "https://ubuntu.com/security/notices/USN-6229-1", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-25433" + ], + "PublishedDate": "2023-06-29T20:15:09.83Z", + "LastModifiedDate": "2023-08-01T02:15:09.91Z" + }, + { + "VulnerabilityID": "CVE-2023-26965", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26965", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: heap-based use after free via a crafted TIFF image in loadImage() in tiffcrop.c", + "Description": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6575", + "https://access.redhat.com/security/cve/CVE-2023-26965", + "https://bugzilla.redhat.com/2207635", + "https://bugzilla.redhat.com/2215206", + "https://bugzilla.redhat.com/2216080", + "https://bugzilla.redhat.com/2218749", + "https://bugzilla.redhat.com/2219340", + "https://errata.almalinux.org/9/ALSA-2023-6575.html", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/472", + "https://linux.oracle.com/cve/CVE-2023-26965.html", + "https://linux.oracle.com/errata/ELSA-2023-6575.html", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26965", + "https://security.netapp.com/advisory/ntap-20230706-0009/", + "https://ubuntu.com/security/notices/USN-6229-1", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-26965" + ], + "PublishedDate": "2023-06-14T21:15:09.483Z", + "LastModifiedDate": "2023-08-01T02:15:10.003Z" + }, + { + "VulnerabilityID": "CVE-2023-26966", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26966", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Buffer Overflow in uv_encode()", + "Description": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-120" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6575", + "https://access.redhat.com/security/cve/CVE-2023-26966", + "https://bugzilla.redhat.com/2207635", + "https://bugzilla.redhat.com/2215206", + "https://bugzilla.redhat.com/2216080", + "https://bugzilla.redhat.com/2218749", + "https://bugzilla.redhat.com/2219340", + "https://errata.almalinux.org/9/ALSA-2023-6575.html", + "https://gitlab.com/libtiff/libtiff/-/commit/b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 (v4.5.1rc1)", + "https://gitlab.com/libtiff/libtiff/-/issues/530", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/473", + "https://linux.oracle.com/cve/CVE-2023-26966.html", + "https://linux.oracle.com/errata/ELSA-2023-6575.html", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-26966", + "https://ubuntu.com/security/notices/USN-6229-1", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-26966" + ], + "PublishedDate": "2023-06-29T20:15:09.873Z", + "LastModifiedDate": "2023-08-01T02:15:10.08Z" + }, + { + "VulnerabilityID": "CVE-2023-2908", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2908", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: null pointer dereference in tif_dir.c", + "Description": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-2908", + "https://bugzilla.redhat.com/show_bug.cgi?id=2218830", + "https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/479", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-2908", + "https://security.netapp.com/advisory/ntap-20230731-0004/", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-2908" + ], + "PublishedDate": "2023-06-30T22:15:10.017Z", + "LastModifiedDate": "2023-11-07T04:13:32.397Z" + }, + { + "VulnerabilityID": "CVE-2023-3316", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3316", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: tiffcrop: null pointer dereference in TIFFClose()", + "Description": "A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6575", + "https://access.redhat.com/security/cve/CVE-2023-3316", + "https://bugzilla.redhat.com/2207635", + "https://bugzilla.redhat.com/2215206", + "https://bugzilla.redhat.com/2216080", + "https://bugzilla.redhat.com/2218749", + "https://bugzilla.redhat.com/2219340", + "https://errata.almalinux.org/9/ALSA-2023-6575.html", + "https://gitlab.com/libtiff/libtiff/-/issues/515", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/468", + "https://linux.oracle.com/cve/CVE-2023-3316.html", + "https://linux.oracle.com/errata/ELSA-2023-6575.html", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3316", + "https://research.jfrog.com/vulnerabilities/libtiff-nullderef-dos-xray-522144/", + "https://ubuntu.com/security/notices/USN-6229-1", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-3316" + ], + "PublishedDate": "2023-06-19T12:15:09.52Z", + "LastModifiedDate": "2023-08-01T02:15:10.577Z" + }, + { + "VulnerabilityID": "CVE-2023-3618", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3618", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: segmentation fault in Fax3Encode in libtiff/tif_fax3.c", + "Description": "A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-120" + ], + "VendorSeverity": { + "amazon": 3, + "nvd": 2, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-3618", + "https://bugzilla.redhat.com/show_bug.cgi?id=2215865", + "https://gitlab.com/libtiff/libtiff/-/commit/8a4f6b587be4fa7bb39fe17f5f9dec52182ab26e", + "https://gitlab.com/libtiff/libtiff/-/issues/529", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3618", + "https://security.netapp.com/advisory/ntap-20230824-0012/", + "https://support.apple.com/kb/HT214036", + "https://support.apple.com/kb/HT214037", + "https://support.apple.com/kb/HT214038", + "https://ubuntu.com/security/notices/USN-6290-1", + "https://www.cve.org/CVERecord?id=CVE-2023-3618" + ], + "PublishedDate": "2023-07-12T15:15:09.06Z", + "LastModifiedDate": "2024-03-23T11:15:43.67Z" + }, + { + "VulnerabilityID": "CVE-2023-6277", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6277", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Out-of-memory in TIFFOpen via a craft file", + "Description": "An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "amazon": 3, + "nvd": 2, + "photon": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6277", + "https://bugzilla.redhat.com/show_bug.cgi?id=2251311", + "https://gitlab.com/libtiff/libtiff/-/issues/614", + "https://gitlab.com/libtiff/libtiff/-/merge_requests/545", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJIN6DTSL3VODZUGWEUXLEL5DR53EZMV/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7ZGN2MZXJ6E57W3L4YBM3ZPAU3T7T5C/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6277", + "https://security.netapp.com/advisory/ntap-20240119-0002/", + "https://ubuntu.com/security/notices/USN-6644-1", + "https://ubuntu.com/security/notices/USN-6644-2", + "https://www.cve.org/CVERecord?id=CVE-2023-6277" + ], + "PublishedDate": "2023-11-24T19:15:07.643Z", + "LastModifiedDate": "2024-01-19T16:15:11.057Z" + }, + { + "VulnerabilityID": "CVE-2017-16232", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16232", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Memory leaks in tif_open.c, tif_lzw.c, and tif_aux.c", + "Description": "LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue", + "Severity": "LOW", + "CweIDs": [ + "CWE-772" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + } + }, + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html", + "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html", + "http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html", + "http://seclists.org/fulldisclosure/2018/Dec/32", + "http://seclists.org/fulldisclosure/2018/Dec/47", + "http://www.openwall.com/lists/oss-security/2017/11/01/11", + "http://www.openwall.com/lists/oss-security/2017/11/01/3", + "http://www.openwall.com/lists/oss-security/2017/11/01/7", + "http://www.openwall.com/lists/oss-security/2017/11/01/8", + "http://www.securityfocus.com/bid/101696", + "https://access.redhat.com/security/cve/CVE-2017-16232", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16232", + "https://www.cve.org/CVERecord?id=CVE-2017-16232" + ], + "PublishedDate": "2019-03-21T15:59:56.53Z", + "LastModifiedDate": "2024-04-11T00:57:46.473Z" + }, + { + "VulnerabilityID": "CVE-2017-17973", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-17973", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: heap-based use after free in tiff2pdf.c:t2p_writeproc", + "Description": "In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue", + "Severity": "LOW", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "photon": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://bugzilla.maptools.org/show_bug.cgi?id=2769", + "http://www.securityfocus.com/bid/102331", + "https://access.redhat.com/security/cve/CVE-2017-17973", + "https://bugzilla.novell.com/show_bug.cgi?id=1074318", + "https://bugzilla.redhat.com/show_bug.cgi?id=1530912", + "https://nvd.nist.gov/vuln/detail/CVE-2017-17973", + "https://www.cve.org/CVERecord?id=CVE-2017-17973" + ], + "PublishedDate": "2017-12-29T21:29:00.19Z", + "LastModifiedDate": "2024-04-11T00:58:03.313Z" + }, + { + "VulnerabilityID": "CVE-2017-5563", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-5563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c", + "Description": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://bugzilla.maptools.org/show_bug.cgi?id=2664", + "http://www.securityfocus.com/bid/95705", + "https://access.redhat.com/security/cve/CVE-2017-5563", + "https://nvd.nist.gov/vuln/detail/CVE-2017-5563", + "https://security.gentoo.org/glsa/201709-27", + "https://ubuntu.com/security/notices/USN-3606-1", + "https://usn.ubuntu.com/3606-1/", + "https://www.cve.org/CVERecord?id=CVE-2017-5563" + ], + "PublishedDate": "2017-01-23T07:59:00.69Z", + "LastModifiedDate": "2019-10-03T00:03:26.223Z" + }, + { + "VulnerabilityID": "CVE-2017-9117", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-9117", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: Heap-based buffer over-read in bmp2tiff", + "Description": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + } + }, + "References": [ + "http://bugzilla.maptools.org/show_bug.cgi?id=2690", + "http://www.securityfocus.com/bid/98581", + "https://access.redhat.com/security/cve/CVE-2017-9117", + "https://nvd.nist.gov/vuln/detail/CVE-2017-9117", + "https://ubuntu.com/security/notices/USN-3606-1", + "https://usn.ubuntu.com/3606-1/", + "https://www.cve.org/CVERecord?id=CVE-2017-9117" + ], + "PublishedDate": "2017-05-21T19:29:00.187Z", + "LastModifiedDate": "2019-10-03T00:03:26.223Z" + }, + { + "VulnerabilityID": "CVE-2018-10126", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-10126", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c", + "Description": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.", + "Severity": "LOW", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + } + }, + "References": [ + "http://bugzilla.maptools.org/show_bug.cgi?id=2786", + "https://access.redhat.com/security/cve/CVE-2018-10126", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-10126", + "https://www.cve.org/CVERecord?id=CVE-2018-10126" + ], + "PublishedDate": "2018-04-21T21:29:00.29Z", + "LastModifiedDate": "2023-11-07T02:51:16.693Z" + }, + { + "VulnerabilityID": "CVE-2022-1210", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-1210", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "tiff: Malicious file leads to a denial of service in TIFF File Handler", + "Description": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.", + "Severity": "LOW", + "CweIDs": [ + "CWE-404", + "CWE-400" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V2Score": 4.3, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 4.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-1210", + "https://gitlab.com/libtiff/libtiff/-/issues/402", + "https://gitlab.com/libtiff/libtiff/uploads/c3da94e53cf1e1e8e6d4d3780dc8c42f/example.tiff", + "https://nvd.nist.gov/vuln/detail/CVE-2022-1210", + "https://security.gentoo.org/glsa/202210-10", + "https://security.netapp.com/advisory/ntap-20220513-0005/", + "https://vuldb.com/?id.196363", + "https://www.cve.org/CVERecord?id=CVE-2022-1210" + ], + "PublishedDate": "2022-04-03T09:15:09.033Z", + "LastModifiedDate": "2023-07-24T13:46:36.043Z" + }, + { + "VulnerabilityID": "CVE-2023-1916", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-1916", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: out-of-bounds read in extractImageSection() in tools/tiffcrop.c", + "Description": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-1916", + "https://gitlab.com/libtiff/libtiff/-/issues/536", + "https://gitlab.com/libtiff/libtiff/-/issues/536%2C", + "https://gitlab.com/libtiff/libtiff/-/issues/536,", + "https://gitlab.com/libtiff/libtiff/-/issues/537", + "https://nvd.nist.gov/vuln/detail/CVE-2023-1916", + "https://support.apple.com/kb/HT213844", + "https://ubuntu.com/security/notices/USN-6428-1", + "https://www.cve.org/CVERecord?id=CVE-2023-1916" + ], + "PublishedDate": "2023-04-10T22:15:09.223Z", + "LastModifiedDate": "2023-12-23T07:15:49.31Z" + }, + { + "VulnerabilityID": "CVE-2023-3164", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3164", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: heap-buffer-overflow in extractImageSection()", + "Description": "A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787", + "CWE-120" + ], + "VendorSeverity": { + "amazon": 2, + "debian": 1, + "nvd": 2, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-3164", + "https://bugzilla.redhat.com/show_bug.cgi?id=2213531", + "https://gitlab.com/libtiff/libtiff/-/issues/542", + "https://nvd.nist.gov/vuln/detail/CVE-2023-3164", + "https://www.cve.org/CVERecord?id=CVE-2023-3164" + ], + "PublishedDate": "2023-11-02T12:15:09.543Z", + "LastModifiedDate": "2024-03-08T19:38:13.92Z" + }, + { + "VulnerabilityID": "CVE-2023-6228", + "PkgID": "libtiff6@4.5.0-6+deb12u1", + "PkgName": "libtiff6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtiff6@4.5.0-6%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "4.5.0-6+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6228", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libtiff: heap-based buffer overflow in cpStripToTile() in tools/tiffcp.c", + "Description": "An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6228", + "https://bugzilla.redhat.com/show_bug.cgi?id=2240995", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6228", + "https://ubuntu.com/security/notices/USN-6644-1", + "https://ubuntu.com/security/notices/USN-6644-2", + "https://www.cve.org/CVERecord?id=CVE-2023-6228" + ], + "PublishedDate": "2023-12-18T14:15:11.84Z", + "LastModifiedDate": "2023-12-29T07:15:10.897Z" + }, + { + "VulnerabilityID": "CVE-2023-50495", + "PkgID": "libtinfo6@6.4-4", + "PkgName": "libtinfo6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50495", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses: segmentation fault via _nc_wrap_entry()", + "Description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 2, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-50495", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "https://security.netapp.com/advisory/ntap-20240119-0008/", + "https://ubuntu.com/security/notices/USN-6684-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50495" + ], + "PublishedDate": "2023-12-12T15:15:07.867Z", + "LastModifiedDate": "2024-01-31T03:15:08.49Z" + }, + { + "VulnerabilityID": "CVE-2023-45918", + "PkgID": "libtinfo6@6.4-4", + "PkgName": "libtinfo6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libtinfo6@6.4-4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45918", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinf ...", + "Description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "Severity": "LOW", + "VendorSeverity": { + "amazon": 2, + "ubuntu": 1 + }, + "References": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/", + "https://www.cve.org/CVERecord?id=CVE-2023-45918" + ], + "PublishedDate": "2024-02-16T22:15:07.88Z", + "LastModifiedDate": "2024-03-15T11:15:08.51Z" + }, + { + "VulnerabilityID": "CVE-2023-50387", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50387", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator", + "Description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/02/16/2", + "http://www.openwall.com/lists/oss-security/2024/02/16/3", + "https://access.redhat.com/errata/RHSA-2024:1789", + "https://access.redhat.com/security/cve/CVE-2023-50387", + "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released", + "https://bugzilla.redhat.com/2263896", + "https://bugzilla.redhat.com/2263897", + "https://bugzilla.redhat.com/2263909", + "https://bugzilla.redhat.com/2263911", + "https://bugzilla.redhat.com/2263914", + "https://bugzilla.redhat.com/2263917", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263914", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263917", + "https://bugzilla.suse.com/show_bug.cgi?id=1219823", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868", + "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", + "https://errata.almalinux.org/9/ALSA-2024-1789.html", + "https://errata.rockylinux.org/RLSA-2024:1335", + "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", + "https://kb.isc.org/docs/cve-2023-50387", + "https://linux.oracle.com/cve/CVE-2023-50387.html", + "https://linux.oracle.com/errata/ELSA-2024-1789.html", + "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", + "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", + "https://news.ycombinator.com/item?id=39367411", + "https://news.ycombinator.com/item?id=39372384", + "https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt", + "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50387", + "https://security.netapp.com/advisory/ntap-20240307-0007/", + "https://ubuntu.com/security/notices/USN-6633-1", + "https://ubuntu.com/security/notices/USN-6642-1", + "https://ubuntu.com/security/notices/USN-6657-1", + "https://ubuntu.com/security/notices/USN-6665-1", + "https://ubuntu.com/security/notices/USN-6723-1", + "https://www.athene-center.de/aktuelles/key-trap", + "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", + "https://www.cve.org/CVERecord?id=CVE-2023-50387", + "https://www.isc.org/blogs/2024-bind-security-release/", + "https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html", + "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", + "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/" + ], + "PublishedDate": "2024-02-14T16:15:45.3Z", + "LastModifiedDate": "2024-03-07T17:15:11.587Z" + }, + { + "VulnerabilityID": "CVE-2023-50868", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50868", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources", + "Description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "Severity": "HIGH", + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2024/02/16/2", + "http://www.openwall.com/lists/oss-security/2024/02/16/3", + "https://access.redhat.com/errata/RHSA-2024:1789", + "https://access.redhat.com/security/cve/CVE-2023-50868", + "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released", + "https://bugzilla.redhat.com/2263896", + "https://bugzilla.redhat.com/2263897", + "https://bugzilla.redhat.com/2263909", + "https://bugzilla.redhat.com/2263911", + "https://bugzilla.redhat.com/2263914", + "https://bugzilla.redhat.com/2263917", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263914", + "https://bugzilla.redhat.com/show_bug.cgi?id=2263917", + "https://bugzilla.suse.com/show_bug.cgi?id=1219826", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868", + "https://datatracker.ietf.org/doc/html/rfc5155", + "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", + "https://errata.almalinux.org/9/ALSA-2024-1789.html", + "https://errata.rockylinux.org/RLSA-2024:1335", + "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", + "https://kb.isc.org/docs/cve-2023-50868", + "https://linux.oracle.com/cve/CVE-2023-50868.html", + "https://linux.oracle.com/errata/ELSA-2024-1789.html", + "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", + "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", + "https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt", + "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50868", + "https://security.netapp.com/advisory/ntap-20240307-0008/", + "https://ubuntu.com/security/notices/USN-6633-1", + "https://ubuntu.com/security/notices/USN-6642-1", + "https://ubuntu.com/security/notices/USN-6657-1", + "https://ubuntu.com/security/notices/USN-6665-1", + "https://ubuntu.com/security/notices/USN-6723-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50868", + "https://www.isc.org/blogs/2024-bind-security-release/", + "https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html" + ], + "PublishedDate": "2024-02-14T16:15:45.377Z", + "LastModifiedDate": "2024-03-07T17:15:11.817Z" + }, + { + "VulnerabilityID": "CVE-2013-4392", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2013-4392", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "Severity": "LOW", + "CweIDs": [ + "CWE-59" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 1, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 3.3 + }, + "redhat": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 3.3 + } + }, + "References": [ + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://access.redhat.com/security/cve/CVE-2013-4392", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060", + "https://nvd.nist.gov/vuln/detail/CVE-2013-4392", + "https://www.cve.org/CVERecord?id=CVE-2013-4392" + ], + "PublishedDate": "2013-10-28T22:55:03.773Z", + "LastModifiedDate": "2022-01-31T17:49:14.387Z" + }, + { + "VulnerabilityID": "CVE-2023-31437", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31437", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can modify a seale ...", + "Description": "An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.657Z", + "LastModifiedDate": "2024-04-11T01:20:11.607Z" + }, + { + "VulnerabilityID": "CVE-2023-31438", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31438", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", + "Description": "An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/pull/28886", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.707Z", + "LastModifiedDate": "2024-04-11T01:20:11.66Z" + }, + { + "VulnerabilityID": "CVE-2023-31439", + "PkgID": "libudev1@252.22-1~deb12u1", + "PkgName": "libudev1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libudev1@252.22-1~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "252.22-1~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31439", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "An issue was discovered in systemd 253. An attacker can modify the con ...", + "Description": "An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/kastel-security/Journald", + "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", + "https://github.com/systemd/systemd/pull/28885", + "https://github.com/systemd/systemd/releases" + ], + "PublishedDate": "2023-06-13T17:15:14.753Z", + "LastModifiedDate": "2024-04-11T01:20:11.72Z" + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "libuuid1@2.38.1-5+deb12u1", + "PkgName": "libuuid1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libuuid1@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2024-25062", + "PkgID": "libxml2@2.9.14+dfsg-1.3~deb12u1", + "PkgName": "libxml2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.9.14+dfsg-1.3~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-25062", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libxml2: use-after-free in XMLReader", + "Description": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "nvd": 3, + "photon": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-25062", + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604", + "https://gitlab.gnome.org/GNOME/libxml2/-/tags", + "https://nvd.nist.gov/vuln/detail/CVE-2024-25062", + "https://ubuntu.com/security/notices/USN-6658-1", + "https://ubuntu.com/security/notices/USN-6658-2", + "https://www.cve.org/CVERecord?id=CVE-2024-25062" + ], + "PublishedDate": "2024-02-04T16:15:45.12Z", + "LastModifiedDate": "2024-02-13T00:40:40.503Z" + }, + { + "VulnerabilityID": "CVE-2023-39615", + "PkgID": "libxml2@2.9.14+dfsg-1.3~deb12u1", + "PkgName": "libxml2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.9.14+dfsg-1.3~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-39615", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libxml2: crafted xml can cause global buffer overflow", + "Description": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:7747", + "https://access.redhat.com/security/cve/CVE-2023-39615", + "https://bugzilla.redhat.com/2235864", + "https://errata.almalinux.org/9/ALSA-2023-7747.html", + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/535", + "https://linux.oracle.com/cve/CVE-2023-39615.html", + "https://linux.oracle.com/errata/ELSA-2024-0119.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-39615", + "https://www.cve.org/CVERecord?id=CVE-2023-39615" + ], + "PublishedDate": "2023-08-29T17:15:12.527Z", + "LastModifiedDate": "2024-04-11T01:20:57.89Z" + }, + { + "VulnerabilityID": "CVE-2023-45322", + "PkgID": "libxml2@2.9.14+dfsg-1.3~deb12u1", + "PkgName": "libxml2", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.9.14+dfsg-1.3~deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45322", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libxml2: use-after-free in xmlUnlinkNode() in tree.c", + "Description": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "amazon": 3, + "cbl-mariner": 2, + "nvd": 2, + "photon": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/06/5", + "https://access.redhat.com/security/cve/CVE-2023-45322", + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/344", + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/583", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45322", + "https://www.cve.org/CVERecord?id=CVE-2023-45322" + ], + "PublishedDate": "2023-10-06T22:15:11.66Z", + "LastModifiedDate": "2024-04-11T01:21:55.82Z" + }, + { + "VulnerabilityID": "CVE-2015-9019", + "PkgID": "libxslt1.1@1.1.35-1", + "PkgName": "libxslt1.1", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libxslt1.1@1.1.35-1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.1.35-1", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9019", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "libxslt: math.random() in xslt uses unseeded randomness", + "Description": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9019", + "https://bugzilla.gnome.org/show_bug.cgi?id=758400", + "https://bugzilla.suse.com/show_bug.cgi?id=934119", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9019", + "https://www.cve.org/CVERecord?id=CVE-2015-9019" + ], + "PublishedDate": "2017-04-05T21:59:00.147Z", + "LastModifiedDate": "2017-04-11T19:57:32.417Z" + }, + { + "VulnerabilityID": "CVE-2023-4641", + "PkgID": "login@1:4.13+dfsg1-1+b1", + "PkgName": "login", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4641", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "shadow-utils: possible password leak during passwd(1) change", + "Description": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-303" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 1, + "nvd": 2, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 4.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6632", + "https://access.redhat.com/errata/RHSA-2023:7112", + "https://access.redhat.com/security/cve/CVE-2023-4641", + "https://bugzilla.redhat.com/2215945", + "https://bugzilla.redhat.com/show_bug.cgi?id=2215945", + "https://errata.almalinux.org/9/ALSA-2023-6632.html", + "https://linux.oracle.com/cve/CVE-2023-4641.html", + "https://linux.oracle.com/errata/ELSA-2023-7112.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4641", + "https://ubuntu.com/security/notices/USN-6640-1", + "https://www.cve.org/CVERecord?id=CVE-2023-4641" + ], + "PublishedDate": "2023-12-27T16:15:13.363Z", + "LastModifiedDate": "2024-01-04T17:06:55.393Z" + }, + { + "VulnerabilityID": "CVE-2007-5686", + "PkgID": "login@1:4.13+dfsg1-1+b1", + "PkgName": "login", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2007-5686", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", + "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", + "Severity": "LOW", + "CweIDs": [ + "CWE-264" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", + "V2Score": 4.9 + } + }, + "References": [ + "http://secunia.com/advisories/27215", + "http://www.securityfocus.com/archive/1/482129/100/100/threaded", + "http://www.securityfocus.com/archive/1/482857/100/0/threaded", + "http://www.securityfocus.com/bid/26048", + "http://www.vupen.com/english/advisories/2007/3474", + "https://issues.rpath.com/browse/RPL-1825" + ], + "PublishedDate": "2007-10-28T17:08:00Z", + "LastModifiedDate": "2018-10-15T21:45:59.05Z" + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgID": "login@1:4.13+dfsg1-1+b1", + "PkgName": "login", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19882", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "CweIDs": [ + "CWE-732" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.9, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-19882", + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580", + "https://nvd.nist.gov/vuln/detail/CVE-2019-19882", + "https://security.gentoo.org/glsa/202008-09", + "https://www.cve.org/CVERecord?id=CVE-2019-19882" + ], + "PublishedDate": "2019-12-18T16:15:26.963Z", + "LastModifiedDate": "2020-08-25T15:15:11.903Z" + }, + { + "VulnerabilityID": "CVE-2023-29383", + "PkgID": "login@1:4.13+dfsg1-1+b1", + "PkgName": "login", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-29383", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "Improper input validation in shadow-utils package utility chfn", + "Description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "nvd": 1, + "photon": 1, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-29383", + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "https://www.cve.org/CVERecord?id=CVE-2023-29383", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "PublishedDate": "2023-04-14T22:15:07.68Z", + "LastModifiedDate": "2023-04-24T18:05:30.313Z" + }, + { + "VulnerabilityID": "TEMP-0628843-DBAD28", + "PkgID": "login@1:4.13+dfsg1-1+b1", + "PkgName": "login", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/login@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://security-tracker.debian.org/tracker/TEMP-0628843-DBAD28", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "[more related to CVE-2005-4890]", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + } + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "mount@2.38.1-5+deb12u1", + "PkgName": "mount", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/mount@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2023-50495", + "PkgID": "ncurses-base@6.4-4", + "PkgName": "ncurses-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/ncurses-base@6.4-4?arch=all\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50495", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses: segmentation fault via _nc_wrap_entry()", + "Description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 2, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-50495", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "https://security.netapp.com/advisory/ntap-20240119-0008/", + "https://ubuntu.com/security/notices/USN-6684-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50495" + ], + "PublishedDate": "2023-12-12T15:15:07.867Z", + "LastModifiedDate": "2024-01-31T03:15:08.49Z" + }, + { + "VulnerabilityID": "CVE-2023-45918", + "PkgID": "ncurses-base@6.4-4", + "PkgName": "ncurses-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/ncurses-base@6.4-4?arch=all\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45918", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinf ...", + "Description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "Severity": "LOW", + "VendorSeverity": { + "amazon": 2, + "ubuntu": 1 + }, + "References": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/", + "https://www.cve.org/CVERecord?id=CVE-2023-45918" + ], + "PublishedDate": "2024-02-16T22:15:07.88Z", + "LastModifiedDate": "2024-03-15T11:15:08.51Z" + }, + { + "VulnerabilityID": "CVE-2023-50495", + "PkgID": "ncurses-bin@6.4-4", + "PkgName": "ncurses-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50495", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses: segmentation fault via _nc_wrap_entry()", + "Description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 2, + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-50495", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "https://security.netapp.com/advisory/ntap-20240119-0008/", + "https://ubuntu.com/security/notices/USN-6684-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50495" + ], + "PublishedDate": "2023-12-12T15:15:07.867Z", + "LastModifiedDate": "2024-01-31T03:15:08.49Z" + }, + { + "VulnerabilityID": "CVE-2023-45918", + "PkgID": "ncurses-bin@6.4-4", + "PkgName": "ncurses-bin", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/ncurses-bin@6.4-4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "6.4-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45918", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinf ...", + "Description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "Severity": "LOW", + "VendorSeverity": { + "amazon": 2, + "ubuntu": 1 + }, + "References": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/", + "https://www.cve.org/CVERecord?id=CVE-2023-45918" + ], + "PublishedDate": "2024-02-16T22:15:07.88Z", + "LastModifiedDate": "2024-03-15T11:15:08.51Z" + }, + { + "VulnerabilityID": "CVE-2009-4487", + "PkgID": "nginx@1.25.4-1~bookworm", + "PkgName": "nginx", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.25.4-1~bookworm", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2009-4487", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "nginx: Absent sanitation of escape sequences in web server log", + "Description": "nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", + "Severity": "LOW", + "VendorSeverity": { + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V2Score": 6.8 + }, + "redhat": { + "V2Vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", + "V2Score": 2.6 + } + }, + "References": [ + "http://www.securityfocus.com/archive/1/508830/100/0/threaded", + "http://www.securityfocus.com/bid/37711", + "http://www.ush.it/team/ush/hack_httpd_escape/adv.txt", + "https://access.redhat.com/security/cve/CVE-2009-4487", + "https://nvd.nist.gov/vuln/detail/CVE-2009-4487", + "https://www.cve.org/CVERecord?id=CVE-2009-4487" + ], + "PublishedDate": "2010-01-13T20:30:00.357Z", + "LastModifiedDate": "2021-11-10T15:51:21.787Z" + }, + { + "VulnerabilityID": "CVE-2013-0337", + "PkgID": "nginx@1.25.4-1~bookworm", + "PkgName": "nginx", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.25.4-1~bookworm", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2013-0337", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "The default configuration of nginx, possibly 1.3.13 and earlier, uses ...", + "Description": "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.", + "Severity": "LOW", + "CweIDs": [ + "CWE-264" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V2Score": 7.5 + } + }, + "References": [ + "http://secunia.com/advisories/55181", + "http://security.gentoo.org/glsa/glsa-201310-04.xml", + "http://www.openwall.com/lists/oss-security/2013/02/21/15", + "http://www.openwall.com/lists/oss-security/2013/02/22/1", + "http://www.openwall.com/lists/oss-security/2013/02/24/1" + ], + "PublishedDate": "2013-10-27T00:55:03.713Z", + "LastModifiedDate": "2021-11-10T15:57:02.123Z" + }, + { + "VulnerabilityID": "CVE-2023-44487", + "PkgID": "nginx@1.25.4-1~bookworm", + "PkgName": "nginx", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/nginx@1.25.4-1~bookworm?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.25.4-1~bookworm", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-44487", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + "Description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Severity": "LOW", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "bitnami": 3, + "cbl-mariner": 3, + "debian": 1, + "ghsa": 2, + "nvd": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/13/4", + "http://www.openwall.com/lists/oss-security/2023/10/13/9", + "http://www.openwall.com/lists/oss-security/2023/10/18/4", + "http://www.openwall.com/lists/oss-security/2023/10/18/8", + "http://www.openwall.com/lists/oss-security/2023/10/19/6", + "http://www.openwall.com/lists/oss-security/2023/10/20/8", + "https://access.redhat.com/errata/RHSA-2023:6746", + "https://access.redhat.com/security/cve/CVE-2023-44487", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://akka.io/security/akka-http-cve-2023-44487.html", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size", + "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty", + "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://blog.vespa.ai/cve-2023-44487", + "https://blog.vespa.ai/cve-2023-44487/", + "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", + "https://bugzilla.redhat.com/2242803", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://chaos.social/@icing/111210915918780532", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", + "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", + "https://errata.almalinux.org/9/ALSA-2023-6746.html", + "https://errata.rockylinux.org/RLSA-2023:5838", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/akka/akka-http/pull/4324", + "https://github.com/akka/akka-http/pull/4325", + "https://github.com/alibaba/tengine/issues/1872", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/apache/trafficserver/pull/10564", + "https://github.com/apple/swift-nio-http2", + "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/etcd-io/etcd/issues/16740", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/golang/go/issues/63417", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/grpc/grpc-go/releases", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/hyperium/hyper/issues/3337", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://github.com/line/armeria/pull/5232", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://github.com/micrictor/http2-rst-stream", + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://github.com/ninenines/cowboy/issues/1615", + "https://github.com/nodejs/node/pull/50121", + "https://github.com/openresty/openresty/issues/930", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://github.com/projectcontour/contour/pull/5826", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://go.dev/cl/534215", + "https://go.dev/cl/534235", + "https://go.dev/issue/63417", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ", + "https://istio.io/latest/news/security/istio-security-2023-004", + "https://istio.io/latest/news/security/istio-security-2023-004/", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487", + "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", + "https://linux.oracle.com/cve/CVE-2023-44487.html", + "https://linux.oracle.com/errata/ELSA-2024-1444.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://my.f5.com/manage/s/article/K000137106", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://news.ycombinator.com/item?id=37830987", + "https://news.ycombinator.com/item?id=37830998", + "https://news.ycombinator.com/item?id=37831062", + "https://news.ycombinator.com/item?id=37837043", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://pkg.go.dev/vuln/GO-2023-2102", + "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", + "https://security.gentoo.org/glsa/202311-09", + "https://security.netapp.com/advisory/ntap-20231016-0001", + "https://security.netapp.com/advisory/ntap-20231016-0001/", + "https://security.paloaltonetworks.com/CVE-2023-44487", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12", + "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94", + "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81", + "https://ubuntu.com/security/CVE-2023-44487", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6427-2", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records", + "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.debian.org/security/2023/dsa-5522", + "https://www.debian.org/security/2023/dsa-5540", + "https://www.debian.org/security/2023/dsa-5549", + "https://www.debian.org/security/2023/dsa-5558", + "https://www.debian.org/security/2023/dsa-5570", + "https://www.eclipse.org/lists/jetty-announce/msg00181.html", + "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", + "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487", + "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products", + "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", + "https://www.openwall.com/lists/oss-security/2023/10/10/6", + "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday", + "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" + ], + "PublishedDate": "2023-10-10T14:15:10.883Z", + "LastModifiedDate": "2024-02-02T15:40:23.61Z" + }, + { + "VulnerabilityID": "CVE-2023-5678", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", + "Description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-754" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 3, + "cbl-mariner": 2, + "nvd": 2, + "oracle-oval": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:7877", + "https://access.redhat.com/security/cve/CVE-2023-5678", + "https://bugzilla.redhat.com/2224962", + "https://bugzilla.redhat.com/2227852", + "https://bugzilla.redhat.com/2248616", + "https://errata.almalinux.org/8/ALSA-2023-7877.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://linux.oracle.com/cve/CVE-2023-5678.html", + "https://linux.oracle.com/errata/ELSA-2024-12056.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5678", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "PublishedDate": "2023-11-06T16:15:42.67Z", + "LastModifiedDate": "2023-11-30T22:15:09.723Z" + }, + { + "VulnerabilityID": "CVE-2023-6129", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6129", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC", + "Description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "nvd": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6129", + "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", + "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", + "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6129", + "https://security.netapp.com/advisory/ntap-20240216-0009/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6129", + "https://www.openssl.org/news/secadv/20240109.txt", + "https://www.openwall.com/lists/oss-security/2024/01/09/1" + ], + "PublishedDate": "2024-01-09T17:15:12.147Z", + "LastModifiedDate": "2024-02-16T13:15:09.91Z" + }, + { + "VulnerabilityID": "CVE-2023-6237", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-6237", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Excessive time spent checking invalid RSA public keys", + "Description": "A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-6237", + "https://nvd.nist.gov/vuln/detail/CVE-2023-6237", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://www.cve.org/CVERecord?id=CVE-2023-6237", + "https://www.openssl.org/news/secadv/20240115.txt", + "https://www.openwall.com/lists/oss-security/2024/01/15/2" + ] + }, + { + "VulnerabilityID": "CVE-2024-0727", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: denial of service via null dereference", + "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "Severity": "MEDIUM", + "VendorSeverity": { + "amazon": 3, + "ghsa": 2, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-0727", + "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", + "https://github.com/github/advisory-database/pull/3472", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.com/openssl/openssl/pull/23362", + "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "https://security.netapp.com/advisory/ntap-20240208-0006", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://ubuntu.com/security/notices/USN-6622-1", + "https://ubuntu.com/security/notices/USN-6632-1", + "https://ubuntu.com/security/notices/USN-6709-1", + "https://www.cve.org/CVERecord?id=CVE-2024-0727", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "PublishedDate": "2024-01-26T09:15:07.637Z", + "LastModifiedDate": "2024-02-08T10:15:13.91Z" + }, + { + "VulnerabilityID": "CVE-2007-6755", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2007-6755", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "Dual_EC_DRBG: weak pseudo random number generator", + "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", + "Severity": "LOW", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 5.8 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "V2Score": 5.8 + } + }, + "References": [ + "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", + "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", + "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", + "http://rump2007.cr.yp.to/15-shumow.pdf", + "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", + "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", + "http://www.securityfocus.com/bid/63657", + "https://access.redhat.com/security/cve/CVE-2007-6755", + "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", + "https://www.cve.org/CVERecord?id=CVE-2007-6755", + "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html" + ], + "PublishedDate": "2013-10-11T22:55:33.58Z", + "LastModifiedDate": "2022-11-01T14:44:55.093Z" + }, + { + "VulnerabilityID": "CVE-2010-0928", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-0928", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: RSA authentication weakness", + "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", + "Severity": "LOW", + "CweIDs": [ + "CWE-310" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:H/Au:N/C:C/I:N/A:N", + "V2Score": 4 + } + }, + "References": [ + "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", + "http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf", + "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", + "http://www.osvdb.org/62808", + "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", + "https://access.redhat.com/security/cve/CVE-2010-0928", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750", + "https://nvd.nist.gov/vuln/detail/CVE-2010-0928", + "https://www.cve.org/CVERecord?id=CVE-2010-0928" + ], + "PublishedDate": "2010-03-05T19:30:00.797Z", + "LastModifiedDate": "2023-11-07T02:05:11.413Z" + }, + { + "VulnerabilityID": "CVE-2024-2511", + "PkgID": "openssl@3.0.11-1~deb12u2", + "PkgName": "openssl", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.0.11-1~deb12u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:6fcdffcd79f0bd371fceec96d609d4cc46b805002a2ea68c74b9d9925dfe5ec2", + "DiffID": "sha256:87a8a3a2ab9c3d41f20379bec1738481e4d260a9330f50faeb440db4bb43b21b" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-2511", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "openssl: Unbounded memory growth with session handling in TLSv1.3", + "Description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "Severity": "LOW", + "VendorSeverity": { + "photon": 3, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-2511", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.openssl.org/news/vulnerabilities.html" + ], + "PublishedDate": "2024-04-08T14:15:07.66Z", + "LastModifiedDate": "2024-04-08T18:48:40.217Z" + }, + { + "VulnerabilityID": "CVE-2023-4641", + "PkgID": "passwd@1:4.13+dfsg1-1+b1", + "PkgName": "passwd", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4641", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "shadow-utils: possible password leak during passwd(1) change", + "Description": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-303" + ], + "VendorSeverity": { + "alma": 1, + "amazon": 1, + "nvd": 2, + "oracle-oval": 1, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 4.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:6632", + "https://access.redhat.com/errata/RHSA-2023:7112", + "https://access.redhat.com/security/cve/CVE-2023-4641", + "https://bugzilla.redhat.com/2215945", + "https://bugzilla.redhat.com/show_bug.cgi?id=2215945", + "https://errata.almalinux.org/9/ALSA-2023-6632.html", + "https://linux.oracle.com/cve/CVE-2023-4641.html", + "https://linux.oracle.com/errata/ELSA-2023-7112.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-4641", + "https://ubuntu.com/security/notices/USN-6640-1", + "https://www.cve.org/CVERecord?id=CVE-2023-4641" + ], + "PublishedDate": "2023-12-27T16:15:13.363Z", + "LastModifiedDate": "2024-01-04T17:06:55.393Z" + }, + { + "VulnerabilityID": "CVE-2007-5686", + "PkgID": "passwd@1:4.13+dfsg1-1+b1", + "PkgName": "passwd", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2007-5686", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", + "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", + "Severity": "LOW", + "CweIDs": [ + "CWE-264" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", + "V2Score": 4.9 + } + }, + "References": [ + "http://secunia.com/advisories/27215", + "http://www.securityfocus.com/archive/1/482129/100/100/threaded", + "http://www.securityfocus.com/archive/1/482857/100/0/threaded", + "http://www.securityfocus.com/bid/26048", + "http://www.vupen.com/english/advisories/2007/3474", + "https://issues.rpath.com/browse/RPL-1825" + ], + "PublishedDate": "2007-10-28T17:08:00Z", + "LastModifiedDate": "2018-10-15T21:45:59.05Z" + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgID": "passwd@1:4.13+dfsg1-1+b1", + "PkgName": "passwd", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-19882", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "CweIDs": [ + "CWE-732" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.9, + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-19882", + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580", + "https://nvd.nist.gov/vuln/detail/CVE-2019-19882", + "https://security.gentoo.org/glsa/202008-09", + "https://www.cve.org/CVERecord?id=CVE-2019-19882" + ], + "PublishedDate": "2019-12-18T16:15:26.963Z", + "LastModifiedDate": "2020-08-25T15:15:11.903Z" + }, + { + "VulnerabilityID": "CVE-2023-29383", + "PkgID": "passwd@1:4.13+dfsg1-1+b1", + "PkgName": "passwd", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-29383", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "Improper input validation in shadow-utils package utility chfn", + "Description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "nvd": 1, + "photon": 1, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-29383", + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "https://www.cve.org/CVERecord?id=CVE-2023-29383", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "PublishedDate": "2023-04-14T22:15:07.68Z", + "LastModifiedDate": "2023-04-24T18:05:30.313Z" + }, + { + "VulnerabilityID": "TEMP-0628843-DBAD28", + "PkgID": "passwd@1:4.13+dfsg1-1+b1", + "PkgName": "passwd", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/passwd@4.13%2Bdfsg1-1%2Bb1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:4.13+dfsg1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://security-tracker.debian.org/tracker/TEMP-0628843-DBAD28", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "[more related to CVE-2005-4890]", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + } + }, + { + "VulnerabilityID": "CVE-2023-31484", + "PkgID": "perl-base@5.36.0-7+deb12u1", + "PkgName": "perl-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "5.36.0-7+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31484", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS", + "Description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-295" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 7.4 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/04/29/1", + "http://www.openwall.com/lists/oss-security/2023/05/03/3", + "http://www.openwall.com/lists/oss-security/2023/05/03/5", + "http://www.openwall.com/lists/oss-security/2023/05/07/2", + "https://access.redhat.com/errata/RHSA-2023:6539", + "https://access.redhat.com/security/cve/CVE-2023-31484", + "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", + "https://bugzilla.redhat.com/2218667", + "https://errata.almalinux.org/9/ALSA-2023-6539.html", + "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)", + "https://github.com/andk/cpanpm/pull/175", + "https://linux.oracle.com/cve/CVE-2023-31484.html", + "https://linux.oracle.com/errata/ELSA-2023-6539.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", + "https://metacpan.org/dist/CPAN/changes", + "https://nvd.nist.gov/vuln/detail/CVE-2023-31484", + "https://ubuntu.com/security/notices/USN-6112-1", + "https://ubuntu.com/security/notices/USN-6112-2", + "https://www.cve.org/CVERecord?id=CVE-2023-31484", + "https://www.openwall.com/lists/oss-security/2023/04/18/14" + ], + "PublishedDate": "2023-04-29T00:15:09Z", + "LastModifiedDate": "2023-11-07T04:14:19.41Z" + }, + { + "VulnerabilityID": "CVE-2011-4116", + "PkgID": "perl-base@5.36.0-7+deb12u1", + "PkgName": "perl-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "5.36.0-7+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-4116", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "perl: File::Temp insecure temporary file handling", + "Description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", + "Severity": "LOW", + "CweIDs": [ + "CWE-59" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V2Vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N", + "V2Score": 1.9 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2011/11/04/2", + "http://www.openwall.com/lists/oss-security/2011/11/04/4", + "https://access.redhat.com/security/cve/CVE-2011-4116", + "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", + "https://nvd.nist.gov/vuln/detail/CVE-2011-4116", + "https://rt.cpan.org/Public/Bug/Display.html?id=69106", + "https://seclists.org/oss-sec/2011/q4/238", + "https://www.cve.org/CVERecord?id=CVE-2011-4116" + ], + "PublishedDate": "2020-01-31T18:15:11.343Z", + "LastModifiedDate": "2020-02-05T22:10:26.29Z" + }, + { + "VulnerabilityID": "CVE-2023-31486", + "PkgID": "perl-base@5.36.0-7+deb12u1", + "PkgName": "perl-base", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/perl-base@5.36.0-7%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "5.36.0-7+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31486", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "http-tiny: insecure TLS cert default", + "Description": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", + "Severity": "LOW", + "CweIDs": [ + "CWE-295" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/04/29/1", + "http://www.openwall.com/lists/oss-security/2023/05/03/3", + "http://www.openwall.com/lists/oss-security/2023/05/03/5", + "http://www.openwall.com/lists/oss-security/2023/05/07/2", + "https://access.redhat.com/errata/RHSA-2023:6542", + "https://access.redhat.com/security/cve/CVE-2023-31486", + "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", + "https://bugzilla.redhat.com/2228392", + "https://errata.almalinux.org/9/ALSA-2023-6542.html", + "https://github.com/chansen/p5-http-tiny/pull/153", + "https://hackeriet.github.io/cpan-http-tiny-overview/", + "https://linux.oracle.com/cve/CVE-2023-31486.html", + "https://linux.oracle.com/errata/ELSA-2023-7174.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-31486", + "https://www.cve.org/CVERecord?id=CVE-2023-31486", + "https://www.openwall.com/lists/oss-security/2023/04/18/14", + "https://www.openwall.com/lists/oss-security/2023/05/03/4", + "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/" + ], + "PublishedDate": "2023-04-29T00:15:09.083Z", + "LastModifiedDate": "2023-06-21T18:19:52.937Z" + }, + { + "VulnerabilityID": "TEMP-0517018-A83CE6", + "PkgID": "sysvinit-utils@3.06-4", + "PkgName": "sysvinit-utils", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/sysvinit-utils@3.06-4?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "3.06-4", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://security-tracker.debian.org/tracker/TEMP-0517018-A83CE6", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "[sysvinit: no-root option in expert installer exposes locally exploitable security flaw]", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + } + }, + { + "VulnerabilityID": "CVE-2005-2541", + "PkgID": "tar@1.34+dfsg-1.2+deb12u1", + "PkgName": "tar", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.34+dfsg-1.2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2005-2541", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "tar: does not properly warn the user when extracting setuid or setgid files", + "Description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "V2Score": 10 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7 + } + }, + "References": [ + "http://marc.info/?l=bugtraq\u0026m=112327628230258\u0026w=2", + "https://access.redhat.com/security/cve/CVE-2005-2541", + "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2005-2541", + "https://www.cve.org/CVERecord?id=CVE-2005-2541" + ], + "PublishedDate": "2005-08-10T04:00:00Z", + "LastModifiedDate": "2023-11-07T01:57:39.453Z" + }, + { + "VulnerabilityID": "TEMP-0290435-0B57B5", + "PkgID": "tar@1.34+dfsg-1.2+deb12u1", + "PkgName": "tar", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "1.34+dfsg-1.2+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "[tar's rmt command may have undesired side effects]", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1 + } + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "util-linux@2.38.1-5+deb12u1", + "PkgName": "util-linux", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2022-0563", + "PkgID": "util-linux-extra@2.38.1-5+deb12u1", + "PkgName": "util-linux-extra", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/util-linux-extra@2.38.1-5%2Bdeb12u1?arch=amd64\u0026distro=debian-12.5" + }, + "InstalledVersion": "2.38.1-5+deb12u1", + "Status": "affected", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0563", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", + "Description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "Severity": "LOW", + "CweIDs": [ + "CWE-209" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 2, + "debian": 1, + "nvd": 2, + "photon": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V2Score": 1.9, + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-0563", + "https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", + "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", + "https://security.gentoo.org/glsa/202401-08", + "https://security.netapp.com/advisory/ntap-20220331-0002/", + "https://www.cve.org/CVERecord?id=CVE-2022-0563" + ], + "PublishedDate": "2022-02-21T19:15:08.393Z", + "LastModifiedDate": "2024-01-07T09:15:08.713Z" + }, + { + "VulnerabilityID": "CVE-2023-45853", + "PkgID": "zlib1g@1:1.2.13.dfsg-1", + "PkgName": "zlib1g", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64\u0026distro=debian-12.5\u0026epoch=1" + }, + "InstalledVersion": "1:1.2.13.dfsg-1", + "Status": "will_not_fix", + "Layer": { + "Digest": "sha256:13808c22b207b066ef43572e57e4fb8c6172e887dd9a918c089a174a19371b7a", + "DiffID": "sha256:1f00ff20147800878a4ebc9c283f79149a1dde5cc11d659c69d3a9c0bfeb7d4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45853", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Title": "zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6", + "Description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-190" + ], + "VendorSeverity": { + "amazon": 2, + "cbl-mariner": 4, + "ghsa": 4, + "nvd": 4, + "photon": 4, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2023/10/20/9", + "http://www.openwall.com/lists/oss-security/2024/01/24/10", + "https://access.redhat.com/security/cve/CVE-2023-45853", + "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", + "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", + "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", + "https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c", + "https://github.com/madler/zlib/pull/843", + "https://github.com/smihica/pyminizip", + "https://github.com/smihica/pyminizip/blob/master/zlib-1.2.11/contrib/minizip/zip.c", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-45853", + "https://pypi.org/project/pyminizip/#history", + "https://security.gentoo.org/glsa/202401-18", + "https://security.netapp.com/advisory/ntap-20231130-0009", + "https://security.netapp.com/advisory/ntap-20231130-0009/", + "https://www.cve.org/CVERecord?id=CVE-2023-45853", + "https://www.winimage.com/zLibDll/minizip.html" + ], + "PublishedDate": "2023-10-14T02:15:09.323Z", + "LastModifiedDate": "2024-01-24T21:15:08.623Z" + } + ] + }, + { + "Target": "OS Packages", + "Class": "license", + "Licenses": [ + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "adduser", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "apt", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "apt", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "apt", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "base-files", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "base-passwd", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "base-passwd", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bash", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bash", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "GFDL-NIV-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "BSD-4-clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "MIT-like", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bash", + "FilePath": "", + "Name": "permissive", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "bsdutils", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "ca-certificates", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "ca-certificates", + "FilePath": "", + "Name": "MPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "coreutils", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "coreutils", + "FilePath": "", + "Name": "BSD-4-clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "coreutils", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "coreutils", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "coreutils", + "FilePath": "", + "Name": "GFDL-NIV-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "coreutils", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "curl", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "OLDAP-2.8", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "curl", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "GPL-2+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "GPL-3+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "GPL-2+ with Libtool exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "curl", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "curl", + "FilePath": "", + "Name": "BSD-4-Clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "curl", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "curl", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "curl", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "dash", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "dash", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "dash", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "debconf", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "debian-archive-keyring", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "debianutils", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "debianutils", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "debianutils", + "FilePath": "", + "Name": "SMAIL-GPL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GPL-3.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GPL-3+ with texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "diffutils", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "FSFAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GFDL-NIV-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "LGPL-3.0+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "diffutils", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "diffutils", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "dpkg", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "dpkg", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "dpkg", + "FilePath": "", + "Name": "public-domain-s-s-d", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "Apache-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "MIT-US-export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "Kazlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "GPL-2+ with Texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "e2fsprogs", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GFDL-NIV-1.3+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "FSFAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL-3+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL-2+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "findutils", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL with automake exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "findutils", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "findutils", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "findutils", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "BSD-3-clause and/or GPL-3+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GPL-3+ with Bison-2.2 exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "ISC and/or LGPL-2.1+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "findutils", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "findutils", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "findutils", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "fonts-dejavu-core", + "FilePath": "", + "Name": "bitstream-vera", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "fonts-dejavu-core", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gcc-12-base", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gcc-12-base", + "FilePath": "", + "Name": "GFDL-1.2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gcc-12-base", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gcc-12-base", + "FilePath": "", + "Name": "Artistic", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gcc-12-base", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gettext-base", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gettext-base", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gettext-base", + "FilePath": "", + "Name": "GFDL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gpgv", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gpgv", + "FilePath": "", + "Name": "permissive", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gpgv", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gpgv", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "gpgv", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gpgv", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gpgv", + "FilePath": "", + "Name": "RFC-Reference", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gpgv", + "FilePath": "", + "Name": "TinySCHEME", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "gpgv", + "FilePath": "", + "Name": "CC0-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "grep", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "gzip", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gzip", + "FilePath": "", + "Name": "GFDL-1.3+-no-invariant", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gzip", + "FilePath": "", + "Name": "FSF-manpages", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "gzip", + "FilePath": "", + "Name": "GFDL-3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "hostname", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "init-system-helpers", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "init-system-helpers", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libabsl20220623", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libacl1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libacl1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libacl1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libaom3", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libaom3", + "FilePath": "", + "Name": "public-domain-md5", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libaom3", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libaom3", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libaom3", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libapt-pkg6.0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libapt-pkg6.0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libapt-pkg6.0", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libattr1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libattr1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libattr1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit-common", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit-common", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit-common", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libaudit1", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libavif15", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "libavif15", + "FilePath": "", + "Name": "CC0-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libavif15", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libavif15", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libavif15", + "FilePath": "", + "Name": "custom-1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libblkid1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libbrotli1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-4-clause-Niels-Provos", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-3-clause-Regents", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-2-clause-NetBSD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-3-clause-author", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-3-clause-John-Birrell", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "libutil-David-Nugent", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-2-clause-verbatim", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "BSD-2-clause-author", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "ISC-Original", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbsd0", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libbz2-1.0", + "FilePath": "", + "Name": "BSD-variant", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libbz2-1.0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libc-bin", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libc-bin", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libc6", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libc6", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcap-ng0", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcap-ng0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcap-ng0", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcap2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcap2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "Apache-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "MIT-US-export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "Kazlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "GPL-2+ with Texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcom-err2", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "curl", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "OLDAP-2.8", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "GPL-2+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "GPL-3+ with Autoconf-data exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "GPL-2+ with Libtool exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "BSD-4-Clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libcurl4", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdav1d6", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdav1d6", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdav1d6", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "Sleepycat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "Ms-PL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "Artistic", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "MIT-old", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "TCL-like", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "BSD-3-clause-fjord", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdb5.3", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libde265-0", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libde265-0", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libde265-0", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libde265-0", + "FilePath": "", + "Name": "public-domain-1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libde265-0", + "FilePath": "", + "Name": "other-1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libdebconfclient0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libdebconfclient0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libdeflate0", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libedit2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libexpat1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "Apache-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "MIT-US-export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "Kazlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "GPL-2+ with Texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libext2fs2", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libffi8", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libffi8", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libffi8", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libffi8", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "libffi8", + "FilePath": "", + "Name": "MPL-1.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libffi8", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libffi8", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "FTL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "FSFAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "Public-Domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "BSL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libfreetype6", + "FilePath": "", + "Name": "OpenGroup-BSD-like", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgav1-1", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgav1-1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgcrypt20", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgcrypt20", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "GD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "GAP~Makefile.in", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgd3", + "FilePath": "", + "Name": "GPL-2.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgd3", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "GAP~configure", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgd3", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "HPND", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "XFIG", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgd3", + "FilePath": "", + "Name": "WEBP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgd3", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgeoip1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgeoip1", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgmp10", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgmp10", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgmp10", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgmp10", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "CC0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "LGPLv3+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgnutls30", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgpg-error0", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libgpg-error0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libgpg-error0", + "FilePath": "", + "Name": "g10-permissive", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgpg-error0", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libgssapi-krb5-2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libheif1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libheif1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libheif1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libheif1", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libheif1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libheif1", + "FilePath": "", + "Name": "BOOST-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "GPL-3.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libhogweed6", + "FilePath": "", + "Name": "GAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libicu72", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libicu72", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libidn2-0", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libidn2-0", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libidn2-0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libidn2-0", + "FilePath": "", + "Name": "Unicode", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libjbig0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libjpeg62-turbo", + "FilePath": "", + "Name": "BSD-BY-LC-NE", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libjpeg62-turbo", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libjpeg62-turbo", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libjpeg62-turbo", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libjpeg62-turbo", + "FilePath": "", + "Name": "NTP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libk5crypto3", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libkeyutils1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libkeyutils1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libkrb5-3", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libkrb5support0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "OpenLDAP-2.8", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "FSF-unlimited", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-2.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-3.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-2+ with Libtool exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-3+ with Libtool exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "UMich", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "F5", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "JCG", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "MIT-XC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "NeoSoft-permissive", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "BSD-4-clause-California", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "BSD-3-clause-variant", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "Expat-ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "Expat-UNM", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libldap-2.5-0", + "FilePath": "", + "Name": "BSD-3-clause-California", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "liblerc4", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "liblz4-1", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "liblz4-1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "PD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "probably-PD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "permissive-fsf", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "Autoconf", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "permissive-nowarranty", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "none", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "config-h", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "noderivs", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "PD-debian", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "liblzma5", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmd0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "BSD-3-clause-Aaron-D-Gifford", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmd0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "BSD-2-clause-NetBSD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmd0", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "public-domain-md4", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "public-domain-md5", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmd0", + "FilePath": "", + "Name": "public-domain-sha1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libmount1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libmount1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmount1", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmount1", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmount1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libmount1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libmount1", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libmount1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libmount1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libmount1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "GPL-3.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libnettle8", + "FilePath": "", + "Name": "GAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "all-permissive", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "GPL-3.0-with-autoconf-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnghttp2-14", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnuma1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libnuma1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "permissive-like-automake-output", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "ISC+IBM", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libp11-kit0", + "FilePath": "", + "Name": "same-as-rest-of-p11kit", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "BSD-tcp_wrappers", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "BSD-tcp_wrappers", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-modules-bin", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "BSD-tcp_wrappers", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam-runtime", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "BSD-tcp_wrappers", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpam0g", + "FilePath": "", + "Name": "Beerware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpcre2-8-0", + "FilePath": "", + "Name": "BSD-3-clause-Cambridge with BINARY LIBRARY-LIKE PACKAGES exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpcre2-8-0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpcre2-8-0", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpcre2-8-0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpcre2-8-0", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "libpng", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "BSD-like-with-advertising-clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "libpng OR Apache-2.0 OR BSD-3-clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpng16-16", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libpsl5", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpsl5", + "FilePath": "", + "Name": "gnulib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libpsl5", + "FilePath": "", + "Name": "Chromium", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "librav1e0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "librav1e0", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "librtmp1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "librtmp1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "OpenSSL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "SSLeay", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-4-clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "RSA-MD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-4-clause-KTH", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "IBM-as-is", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-3-clause-JANET", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-3-clause-PADL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "MIT-OpenVision", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "OpenLDAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "MIT-CMU", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "MIT-Export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-2", + "FilePath": "", + "Name": "BSD-2.2-clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "OpenSSL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "SSLeay", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-4-clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "RSA-MD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-4-clause-KTH", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "IBM-as-is", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-3-clause-JANET", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-3-clause-PADL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "MIT-OpenVision", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "OpenLDAP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "FSFULLR", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "MIT-CMU", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "MIT-Export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsasl2-modules-db", + "FilePath": "", + "Name": "BSD-2.2-clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libseccomp2", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libselinux1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libselinux1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsemanage-common", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsemanage-common", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsemanage2", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsemanage2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsepol2", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsepol2", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsepol2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsmartcols1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libss2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libss2", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libss2", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libss2", + "FilePath": "", + "Name": "Apache-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libss2", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libss2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libss2", + "FilePath": "", + "Name": "MIT-US-export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libss2", + "FilePath": "", + "Name": "Kazlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libss2", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libss2", + "FilePath": "", + "Name": "GPL-2+ with Texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libss2", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libssh2-1", + "FilePath": "", + "Name": "BSD3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libssl3", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libssl3", + "FilePath": "", + "Name": "Artistic", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libssl3", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "BSD-3-Clause-Clear", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libsvtav1enc1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "CC0-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "GPL-2 with Linux-syscall-note exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libsystemd0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libtasn1-6", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libtasn1-6", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libtasn1-6", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libtasn1-6", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libtiff6", + "FilePath": "", + "Name": "Hylafax", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libtinfo6", + "FilePath": "", + "Name": "MIT/X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libtinfo6", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libtinfo6", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libudev1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "libudev1", + "FilePath": "", + "Name": "CC0-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libudev1", + "FilePath": "", + "Name": "GPL-2 with Linux-syscall-note exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libudev1", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libudev1", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libudev1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "FreeSoftware", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "GFDL-1.2+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "GPL-2+ with distribution exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libunistring2", + "FilePath": "", + "Name": "GFDL-1.2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libuuid1", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libwebp7", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libx265-199", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libx265-199", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libx265-199", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libx265-199", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libxml2", + "FilePath": "", + "Name": "MIT-1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libxml2", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libxxhash0", + "FilePath": "", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libxxhash0", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libyuv0", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libyuv0", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libzstd1", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "libzstd1", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "libzstd1", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "libzstd1", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "login", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "login", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "login", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "login", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "logsave", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "logsave", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "logsave", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "logsave", + "FilePath": "", + "Name": "Apache-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "logsave", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "logsave", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "logsave", + "FilePath": "", + "Name": "MIT-US-export", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "logsave", + "FilePath": "", + "Name": "Kazlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "logsave", + "FilePath": "", + "Name": "Latex2e", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "logsave", + "FilePath": "", + "Name": "GPL-2+ with Texinfo exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "logsave", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mawk", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mawk", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mawk", + "FilePath": "", + "Name": "CC-BY-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mount", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mount", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "mount", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mount", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mount", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mount", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "mount", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mount", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mount", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "mount", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "ncurses-base", + "FilePath": "", + "Name": "MIT/X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "ncurses-base", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "ncurses-base", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "ncurses-bin", + "FilePath": "", + "Name": "MIT/X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "ncurses-bin", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "ncurses-bin", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "openssl", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "openssl", + "FilePath": "", + "Name": "Artistic", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "openssl", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "passwd", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "passwd", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "passwd", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "passwd", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "perl-base", + "FilePath": "", + "Name": "GPL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Artistic", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Expat", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "REGCOMP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "perl-base", + "FilePath": "", + "Name": "GPL-2.0-with-bison-exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Unicode", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "BZIP", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "perl-base", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "RRA-KEEP-THIS-NOTICE", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "BSD-3-clause-with-weird-numbering", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "perl-base", + "FilePath": "", + "Name": "CC0-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "TEXT-TABS", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "BSD-4-clause-POWERDOG", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "BSD-3-clause-GENERIC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "perl-base", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "SDBM-PUBLIC-DOMAIN", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "DONT-CHANGE-THE-GPL", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Artistic-dist", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "perl-base", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "Artistic-2", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "HSIEH-DERIVATIVE", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "perl-base", + "FilePath": "", + "Name": "HSIEH-BSD", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "sed", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "sed", + "FilePath": "", + "Name": "X11", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "sed", + "FilePath": "", + "Name": "GFDL-NIV-1.3+", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "sed", + "FilePath": "", + "Name": "GFDL-1.3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "sed", + "FilePath": "", + "Name": "ISC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "sed", + "FilePath": "", + "Name": "BSD-4-clause-UC", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "sed", + "FilePath": "", + "Name": "BSL-1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "sed", + "FilePath": "", + "Name": "pcre", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "sysvinit-utils", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "sysvinit-utils", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "tar", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "tar", + "FilePath": "", + "Name": "GPL-3+ with Bison exception", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "tar", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "tar", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "tzdata", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "usr-is-merged", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "util-linux", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "util-linux", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "GPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "GPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "public-domain", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "BSLA", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "LGPL-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "LGPL-2.1", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "util-linux-extra", + "FilePath": "", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "zlib1g", + "FilePath": "", + "Name": "Zlib", + "Confidence": 1, + "Link": "" + } + ] + }, + { + "Target": "Loose File License(s)", + "Class": "license-file" + } + ] +} diff --git a/internal/sql/repository/ImageScanDeployInfoRepository.go b/internal/sql/repository/ImageScanDeployInfoRepository.go index c1cfb63d..cce325ef 100644 --- a/internal/sql/repository/ImageScanDeployInfoRepository.go +++ b/internal/sql/repository/ImageScanDeployInfoRepository.go @@ -9,6 +9,8 @@ import ( this table contains scanned images registry for deployed object and apps, images which are deployed on cluster by anyway and has scanned result */ + +// TODO refactor name and column names Subhashish type ImageScanDeployInfo struct { tableName struct{} `sql:"image_scan_deploy_info" pg:",discard_unknown_columns"` Id int `sql:"id,pk"` @@ -16,9 +18,19 @@ type ImageScanDeployInfo struct { ScanObjectMetaId int `sql:"scan_object_meta_id,notnull"` ObjectType string `sql:"object_type,notnull"` EnvId int `sql:"env_id,notnull"` + ClusterId int `sql:"cluster_id,notnull"` AuditLog } +const ( + ScanObjectType_APP string = "app" + ScanObjectType_CHART string = "chart" + ScanObjectType_POD string = "pod" + ScanObjectType_CHART_HISTORY string = "chart-history" + ScanObjectType_CI_Workflow string = "ci-workflow" + ScanObjectType_CD_Workflow string = "cd-workflow" +) + type ImageScanDeployInfoRepository interface { Save(model *ImageScanDeployInfo) error FindAll() ([]*ImageScanDeployInfo, error) @@ -27,6 +39,7 @@ type ImageScanDeployInfoRepository interface { Update(model *ImageScanDeployInfo) error FetchListingGroupByObject() ([]*ImageScanDeployInfo, error) FetchByAppIdAndEnvId(appId int, envId int) (*ImageScanDeployInfo, error) + FindByObjectTypeAndId(scanObjectMetaId int, objectType string) (*ImageScanDeployInfo, error) } type ImageScanDeployInfoRepositoryImpl struct { @@ -95,3 +108,16 @@ func (impl ImageScanDeployInfoRepositoryImpl) FetchByAppIdAndEnvId(appId int, en Select() return &model, err } + +func (impl ImageScanDeployInfoRepositoryImpl) FindByObjectTypeAndId(scanObjectMetaId int, objectType string) (*ImageScanDeployInfo, error) { + var model ImageScanDeployInfo + err := impl.dbConnection.Model(&model). + Where("scan_object_meta_id = ?", scanObjectMetaId). + Where("object_type = ?", objectType). + Order("created_on desc").Limit(1). + Select() + if err == pg.ErrNoRows { + return nil, nil + } + return &model, err +} diff --git a/internal/sql/repository/ImageScanHistoryRepository.go b/internal/sql/repository/ImageScanHistoryRepository.go index c6c6eec1..529da930 100644 --- a/internal/sql/repository/ImageScanHistoryRepository.go +++ b/internal/sql/repository/ImageScanHistoryRepository.go @@ -1,22 +1,30 @@ package repository import ( + "github.com/devtron-labs/image-scanner/common" "github.com/go-pg/pg" "go.uber.org/zap" "time" ) type ImageScanExecutionHistory struct { - tableName struct{} `sql:"image_scan_execution_history" pg:",discard_unknown_columns"` - Id int `sql:"id,pk"` - Image string `sql:"image,notnull"` - ImageHash string `sql:"image_hash,notnull"` - ExecutionTime time.Time `sql:"execution_time"` - ExecutedBy int `sql:"executed_by,notnull"` - ScanEventJson string `sql:"scan_event_json"` - ExecutionHistoryDirectoryPath string `sql:"execution_history_directory_path"` + tableName struct{} `sql:"image_scan_execution_history" pg:",discard_unknown_columns"` + Id int `sql:"id,pk"` + Image string `sql:"image,notnull"` + ImageHash string `sql:"image_hash,notnull"` // TODO Migrate to request metadata + ExecutionTime time.Time `sql:"execution_time"` + ExecutedBy int `sql:"executed_by,notnull"` + SourceMetadataJson string `sql:"source_metadata_json"` // to have relevant info to process a scan for a given source type and subtype + ExecutionHistoryDirectoryPath string `sql:"execution_history_directory_path"` // Deprecated + SourceType common.SourceType `sql:"source_type"` + SourceSubType common.SourceSubType `sql:"source_sub_type"` } +//Refer image_scan_deploy_info table for source_type relation +// ci workflow will have scans for ci-code and ci artifact +// cd workflow will have scans for deployment manifest, manifest images +// helm chart will have scans for manifest images and manifest + type ImageScanHistoryRepository interface { Save(model *ImageScanExecutionHistory) error FindAll() ([]*ImageScanExecutionHistory, error) @@ -25,6 +33,7 @@ type ImageScanHistoryRepository interface { FindByImageDigests(digest []string) ([]*ImageScanExecutionHistory, error) Update(model *ImageScanExecutionHistory) error FindByImage(image string) (*ImageScanExecutionHistory, error) + FindBySource(sourceType common.SourceType, subType common.SourceSubType) ([]*ImageScanExecutionHistory, error) } type ImageScanHistoryRepositoryImpl struct { @@ -82,3 +91,16 @@ func (impl ImageScanHistoryRepositoryImpl) FindByImage(image string) (*ImageScan Where("image = ?", image).Order("execution_time desc").Limit(1).Select() return &model, err } + +func (impl ImageScanHistoryRepositoryImpl) FindBySource(sourceType common.SourceType, subType common.SourceSubType) ([]*ImageScanExecutionHistory, error) { + var model []*ImageScanExecutionHistory + err := impl.dbConnection.Model(&model). + Where("source_type = ?", sourceType). + Where("source_sub_type = ?", subType). + Select() + if err == pg.ErrNoRows { + return model, nil + } + + return model, err +} diff --git a/internal/sql/repository/RegistryIndexMappingRepository.go b/internal/sql/repository/RegistryIndexMappingRepository.go index 5d399c5b..49d7bf66 100644 --- a/internal/sql/repository/RegistryIndexMappingRepository.go +++ b/internal/sql/repository/RegistryIndexMappingRepository.go @@ -32,6 +32,11 @@ type RegistryIndexMappingRepository interface { } func (repo *RegistryIndexMappingRepositoryImpl) GetStartingIndexForARegistryAndATool(scanToolid int, registry common.RegistryType) (*RegistryIndexMapping, error) { + if registry == "" { + return &RegistryIndexMapping{ + Index: 5, + }, nil + } var model RegistryIndexMapping err := repo.dbConnection.Model(&model).Where("scan_tool_id = ?", scanToolid).Where("registry_type = ?", registry).Select() if err != nil { diff --git a/internal/sql/repository/ResourceScanExecutionResultRepository.go b/internal/sql/repository/ResourceScanExecutionResultRepository.go new file mode 100644 index 00000000..9639e96c --- /dev/null +++ b/internal/sql/repository/ResourceScanExecutionResultRepository.go @@ -0,0 +1,57 @@ +package repository + +import ( + "github.com/go-pg/pg" + "go.uber.org/zap" +) + +type ResourceScanResult struct { + tableName struct{} `sql:"resource_scan_execution_result" pg:",discard_unknown_columns"` + Id int `sql:"id,pk"` + ImageScanExecutionHistoryId int `sql:"image_scan_execution_history_id"` + ScanDataJson string `sql:"scan_data_json"` + Format ResourceScanFormat `sql:"format"` + Types []int `sql:"types" pg:",array"` + ScanToolId int `sql:"scan_tool_id"` +} + +type ResourceScanFormat int + +const ( + CycloneDxSbom ResourceScanFormat = 1 //SBOM + TrivyJson = 2 + Json = 3 +) + +type ResourceScanType int + +const ( + Vulnerabilities ResourceScanType = 1 + License ResourceScanType = 2 + Config ResourceScanType = 3 + Secrets ResourceScanType = 4 +) + +func (t ResourceScanType) ToInt() int { + return int(t) +} + +type ResourceScanResultRepository interface { + SaveInBatch(models []*ResourceScanResult) error +} + +type ResourceScanResultRepositoryImpl struct { + dbConnection *pg.DB + logger *zap.SugaredLogger +} + +func NewResourceScanResultRepositoryImpl(dbConnection *pg.DB, logger *zap.SugaredLogger) *ResourceScanResultRepositoryImpl { + return &ResourceScanResultRepositoryImpl{ + dbConnection: dbConnection, + logger: logger, + } +} + +func (impl ResourceScanResultRepositoryImpl) SaveInBatch(models []*ResourceScanResult) error { + return impl.dbConnection.Insert(&models) +} diff --git a/internal/sql/repository/ScanToolExecutionHistoryMappingRepository.go b/internal/sql/repository/ScanToolExecutionHistoryMappingRepository.go index 84ae45df..ffeb38f5 100644 --- a/internal/sql/repository/ScanToolExecutionHistoryMappingRepository.go +++ b/internal/sql/repository/ScanToolExecutionHistoryMappingRepository.go @@ -16,13 +16,14 @@ type ScanToolExecutionHistoryMapping struct { ExecutionFinishTime time.Time `sql:"execution_finish_time,notnull"` State bean.ScanExecutionProcessState `sql:"state"` TryCount int `sql:"try_count"` + ErrorMessage string `sql:"error_message"` AuditLog } type ScanToolExecutionHistoryMappingRepository interface { Save(model *ScanToolExecutionHistoryMapping) error SaveInBatch(models []*ScanToolExecutionHistoryMapping) error - UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolId int, state bean.ScanExecutionProcessState, executionFinishTime time.Time) error + UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolId int, state bean.ScanExecutionProcessState, executionFinishTime time.Time, errorMessage string) error MarkAllRunningStateAsFailedHavingTryCountReachedLimit(tryCount int) error GetAllScanHistoriesByState(state bean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error) GetAllScanHistoriesByExecutionHistoryIdAndStates(executionHistoryId int, states []bean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error) @@ -60,9 +61,11 @@ func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) SaveInBatch(models [] } func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolId int, - state bean.ScanExecutionProcessState, executionFinishTime time.Time) error { + state bean.ScanExecutionProcessState, executionFinishTime time.Time, errorMessage string) error { model := &ScanToolExecutionHistoryMapping{} - _, err := repo.dbConnection.Model(model).Set("state = ?", state). + _, err := repo.dbConnection.Model(model). + Set("state = ?", state). + Set("error_message = ?", errorMessage). Set("execution_finish_time = ?", executionFinishTime). Where("image_scan_execution_history_id = ?", executionHistoryId). Where("scan_tool_id = ?", toolId).Update() diff --git a/internal/step-lib/util/cli-util/handler.go b/internal/step-lib/util/cli-util/handler.go index 00fefd0d..65b649bf 100644 --- a/internal/step-lib/util/cli-util/handler.go +++ b/internal/step-lib/util/cli-util/handler.go @@ -24,7 +24,9 @@ func HandleCliRequest(baseCommand, outputFileName string, ctx context.Context, o for arg, value := range args { //assuming '-' or '--' is provided by user (if applicable) argsSlice = append(argsSlice, arg) - argsSlice = append(argsSlice, value) + if value != "" { + argsSlice = append(argsSlice, value) + } } command := exec.CommandContext(ctx, common.SHELL_COMMAND, common.COMMAND_ARGS, baseCommand) if outputType == CliOutPutTypeStream { //TODO: make async in further feature iterations @@ -33,7 +35,7 @@ func HandleCliRequest(baseCommand, outputFileName string, ctx context.Context, o err, output = executeStaticCliRequest(command, outputFileName) } if err != nil { - log.Println("error in executing cli request", "err", err, "req", command) + log.Println("error in executing cli request", "err", err, "req", command, string(output)) return output, err } return output, nil @@ -42,8 +44,8 @@ func HandleCliRequest(baseCommand, outputFileName string, ctx context.Context, o func executeStaticCliRequest(command *exec.Cmd, outputFileName string) (error, []byte) { op, err := command.CombinedOutput() if err != nil { - log.Println("error in running command", "err", err) - return err, nil + log.Println("error in running command", "err", err, "op", string(op)) + return err, op } // If output is already stored in file, considering the output from file (file is created by tool over here) if outputFileName != "" && op != nil { diff --git a/pkg/security/CodeScanService.go b/pkg/security/CodeScanService.go new file mode 100644 index 00000000..0221d80f --- /dev/null +++ b/pkg/security/CodeScanService.go @@ -0,0 +1,135 @@ +package security + +import ( + "context" + "github.com/devtron-labs/image-scanner/common" + "github.com/devtron-labs/image-scanner/helper" + "github.com/devtron-labs/image-scanner/internal/sql/bean" + "github.com/devtron-labs/image-scanner/internal/sql/repository" + cliUtil "github.com/devtron-labs/image-scanner/internal/step-lib/util/cli-util" + "go.uber.org/zap" + "time" +) + +type CodeScanService interface { + ScanCode(scanEvent *common.ImageScanEvent, tool *repository.ScanToolMetadata, executionHistory *repository.ImageScanExecutionHistory, executionHistoryDirPath string) error +} + +type CodeScanServiceImpl struct { + logger *zap.SugaredLogger + gitManager *helper.GitManager + scanToolExecutionHistoryMappingRepository repository.ScanToolExecutionHistoryMappingRepository + imageScanDeployInfoRepository repository.ImageScanDeployInfoRepository + resourceScanResultRepository repository.ResourceScanResultRepository + scanToolExecutionHistoryMapping repository.ScanToolExecutionHistoryMappingRepository +} + +func NewCodeScanServiceImpl(logger *zap.SugaredLogger, + gitManager *helper.GitManager, + scanToolExecutionHistoryMappingRepository repository.ScanToolExecutionHistoryMappingRepository, + imageScanDeployInfoRepository repository.ImageScanDeployInfoRepository, + resourceScanResultRepository repository.ResourceScanResultRepository, +) *CodeScanServiceImpl { + service := &CodeScanServiceImpl{ + logger: logger, + scanToolExecutionHistoryMappingRepository: scanToolExecutionHistoryMappingRepository, + gitManager: gitManager, + imageScanDeployInfoRepository: imageScanDeployInfoRepository, + resourceScanResultRepository: resourceScanResultRepository, + } + return service +} + +func (impl CodeScanServiceImpl) ScanCode(scanEvent *common.ImageScanEvent, tool *repository.ScanToolMetadata, executionHistory *repository.ImageScanExecutionHistory, executionHistoryDirPath string) error { + + var metaId int + var objectType string + if scanEvent.SourceSubType == common.SourceSubTypeCi { + metaId = scanEvent.CiWorkflowId + objectType = repository.ScanObjectType_CI_Workflow + } else if scanEvent.SourceSubType == common.SourceSubTypeManifest { + metaId = scanEvent.CdWorkflowId + objectType = repository.ScanObjectType_CD_Workflow + } + + var info *repository.ImageScanDeployInfo + var err error + info, err = impl.imageScanDeployInfoRepository.FindByObjectTypeAndId(metaId, objectType) + if err != nil { + return err + } + + if info == nil { + info = &repository.ImageScanDeployInfo{ + ImageScanExecutionHistoryId: []int{executionHistory.Id}, + ScanObjectMetaId: metaId, + ObjectType: objectType, + EnvId: 1, + ClusterId: 1, + AuditLog: repository.AuditLog{ + CreatedOn: time.Now(), + CreatedBy: 1, + UpdatedOn: time.Now(), + UpdatedBy: 1, + }, + } + err := impl.imageScanDeployInfoRepository.Save(info) + if err != nil { + return err + } + + } else { + info.ImageScanExecutionHistoryId = append(info.ImageScanExecutionHistoryId, executionHistory.Id) + info.UpdatedOn = time.Now() + err := impl.imageScanDeployInfoRepository.Update(info) + if err != nil { + return err + } + } + + path := executionHistoryDirPath + "/code" + if scanEvent.SourceSubType == common.SourceSubTypeCi { + + err := impl.gitManager.CloneAndCheckout(scanEvent.CiProjectDetails, path) + if err != nil { + return err + } + + } else if scanEvent.SourceSubType == common.SourceSubTypeManifest { + //TODO + } + outputFile := executionHistoryDirPath + "/cicodescan.json" + renderedCommand := "trivy fs " + path + " --scanners vuln,config,secret,license " + "--license-full " + "--format json " + "-o " + outputFile + + //args := map[string]string{path: "", "--scanners": "vuln,misconfig,secret,license", "--license-full": "", "--format": "json", "-o": outputFile} + output, err := cliUtil.HandleCliRequest(renderedCommand, outputFile, context.Background(), "STATIC", nil) + + var processedState bean.ScanExecutionProcessState + var errorMessage string + if err != nil { + impl.logger.Errorw("error in processing scan for tool:", tool.Name, "err", err) + processedState = bean.ScanExecutionProcessStateFailed + errorMessage = err.Error() + } else { + processedState = bean.ScanExecutionProcessStateCompleted + result := &repository.ResourceScanResult{ + ImageScanExecutionHistoryId: executionHistory.Id, + ScanDataJson: string(output), + Format: repository.Json, + Types: []int{repository.Vulnerabilities.ToInt(), repository.License.ToInt(), repository.Secrets.ToInt(), repository.Config.ToInt()}, + ScanToolId: tool.Id, + } + err := impl.resourceScanResultRepository.SaveInBatch([]*repository.ResourceScanResult{result}) + if err != nil { + impl.logger.Errorw("error in saving scan result:", "err", err) + processedState = bean.ScanExecutionProcessStateFailed + } + } + updateErr := impl.scanToolExecutionHistoryMappingRepository.UpdateStateByToolAndExecutionHistoryId(executionHistory.Id, tool.Id, processedState, time.Now(), errorMessage) + if updateErr != nil { + impl.logger.Errorw("error in UpdateStateByToolAndExecutionHistoryId", "err", err) + err = updateErr + } + + return nil +} diff --git a/pkg/security/ImageScanService.go b/pkg/security/ImageScanService.go index 4ea46968..49612e57 100644 --- a/pkg/security/ImageScanService.go +++ b/pkg/security/ImageScanService.go @@ -53,6 +53,8 @@ type ImageScanServiceImpl struct { imageScanConfig *ImageScanConfig dockerArtifactStoreRepository repository.DockerArtifactStoreRepository registryIndexMappingRepository repository.RegistryIndexMappingRepository + codeScanService CodeScanService + resourceScanResultRepository repository.ResourceScanResultRepository } func NewImageScanServiceImpl(logger *zap.SugaredLogger, scanHistoryRepository repository.ImageScanHistoryRepository, @@ -65,7 +67,10 @@ func NewImageScanServiceImpl(logger *zap.SugaredLogger, scanHistoryRepository re scanToolStepRepository repository.ScanToolStepRepository, scanStepConditionMappingRepository repository.ScanStepConditionMappingRepository, imageScanConfig *ImageScanConfig, - dockerArtifactStoreRepository repository.DockerArtifactStoreRepository, registryIndexMappingRepository repository.RegistryIndexMappingRepository) *ImageScanServiceImpl { + dockerArtifactStoreRepository repository.DockerArtifactStoreRepository, registryIndexMappingRepository repository.RegistryIndexMappingRepository, + codeScanService CodeScanService, + resourceScanResultRepository repository.ResourceScanResultRepository, +) *ImageScanServiceImpl { imageScanService := &ImageScanServiceImpl{logger: logger, scanHistoryRepository: scanHistoryRepository, scanResultRepository: scanResultRepository, scanObjectMetaRepository: scanObjectMetaRepository, cveStoreRepository: cveStoreRepository, imageScanDeployInfoRepository: imageScanDeployInfoRepository, @@ -78,6 +83,8 @@ func NewImageScanServiceImpl(logger *zap.SugaredLogger, scanHistoryRepository re imageScanConfig: imageScanConfig, dockerArtifactStoreRepository: dockerArtifactStoreRepository, registryIndexMappingRepository: registryIndexMappingRepository, + codeScanService: codeScanService, + resourceScanResultRepository: resourceScanResultRepository, } imageScanService.handleProgressingScans() return imageScanService @@ -101,6 +108,7 @@ func (impl *ImageScanServiceImpl) ScanImage(scanEvent *common.ImageScanEvent, to impl.logger.Errorw("error in fetching scan history ", "err", err, "image", scanEvent.Image) return err } + //TODO handle for rescans for new history Id if isImageScanned { impl.logger.Infow("image already scanned, skipping further process", "image", scanEvent.Image) return nil @@ -113,18 +121,33 @@ func (impl *ImageScanServiceImpl) ScanImage(scanEvent *common.ImageScanEvent, to wg := &sync.WaitGroup{} wg.Add(1) // TODO: if multiple processes are to be done in parallel, then error propagation should have to be done via channels - err = impl.scanImageForTool(tool, executionHistory.Id, executionHistoryDirPath, wg, int32(scanEvent.UserId), ctx, imageScanRenderDto) + + isV2 := false + if scanEvent.SourceType == common.SourceTypeImage { + isV2 = true + } + output, err := impl.scanImageForTool(tool, executionHistory.Id, executionHistoryDirPath, wg, int32(scanEvent.UserId), ctx, imageScanRenderDto, isV2) + if isV2 { + err = impl.processImageScanSbom(scanEvent, tool, executionHistory.Id, output) + if err != nil { + impl.logger.Errorw("err in processImageScanSbom", "err", err) + } + } if err != nil { impl.logger.Errorw("err in scanning image", "err", err, "tool", tool, "executionHistory.Id", executionHistory.Id, "executionHistoryDirPath", executionHistoryDirPath, "scanEvent.UserId", scanEvent.UserId) return err } + wg.Wait() return err } func (impl *ImageScanServiceImpl) getImageScanRenderDto(registryId string, image string) (*common.ImageScanRenderDto, error) { + dockerRegistry, err := impl.dockerArtifactStoreRepository.FindById(registryId) - if err != nil { + if err == pg.ErrNoRows { + dockerRegistry = &repository.DockerArtifactStore{} + } else if err != nil { impl.logger.Errorw("error in getting docker registry by id", "err", err, "id", registryId) return nil, err } @@ -139,24 +162,28 @@ func (impl *ImageScanServiceImpl) getImageScanRenderDto(registryId string, image } return imageScanRenderDto, nil } + func (impl *ImageScanServiceImpl) scanImageForTool(tool *repository.ScanToolMetadata, executionHistoryId int, - executionHistoryDirPathCopy string, wg *sync.WaitGroup, userId int32, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto) error { + executionHistoryDirPathCopy string, wg *sync.WaitGroup, userId int32, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto, isV2 bool) (string, error) { toolCopy := *tool var processedState bean.ScanExecutionProcessState - err := impl.ProcessScanForTool(toolCopy, executionHistoryDirPathCopy, executionHistoryId, userId, ctx, imageScanRenderDto) + output, err := impl.ProcessScanForTool(toolCopy, executionHistoryDirPathCopy, executionHistoryId, userId, ctx, imageScanRenderDto, isV2) + var errorMessage string if err != nil { impl.logger.Errorw("error in processing scan for tool:", toolCopy.Name, "err", err) processedState = bean.ScanExecutionProcessStateFailed + errorMessage = err.Error() } else { processedState = bean.ScanExecutionProcessStateCompleted } - updateErr := impl.scanToolExecutionHistoryMappingRepository.UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolCopy.Id, processedState, time.Now()) + + updateErr := impl.scanToolExecutionHistoryMappingRepository.UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolCopy.Id, processedState, time.Now(), errorMessage) if updateErr != nil { impl.logger.Errorw("error in UpdateStateByToolAndExecutionHistoryId", "err", err) err = updateErr } wg.Done() - return err + return output, err } func (impl *ImageScanServiceImpl) createFolderForOutputData(executionHistoryModelId int) string { executionHistoryModelIdStr := strconv.Itoa(executionHistoryModelId) @@ -175,17 +202,21 @@ func (impl *ImageScanServiceImpl) RegisterScanExecutionHistoryAndState(scanEvent return nil, "", err } executionHistoryModel := &repository.ImageScanExecutionHistory{ - Image: scanEvent.Image, - ImageHash: scanEvent.ImageDigest, - ExecutionTime: executionTimeStart, - ExecutedBy: scanEvent.UserId, - ScanEventJson: string(scanEventJson), + Image: scanEvent.Image, + ImageHash: scanEvent.ImageDigest, + ExecutionTime: executionTimeStart, + ExecutedBy: scanEvent.UserId, + SourceMetadataJson: string(scanEventJson), + SourceType: scanEvent.SourceType, + SourceSubType: scanEvent.SourceSubType, } + err = impl.scanHistoryRepository.Save(executionHistoryModel) if err != nil { impl.logger.Errorw("Failed to save executionHistory", "err", err, "model", executionHistoryModel) return nil, executionHistoryDirPath, err } + // creating folder for storing all details if not exist isExist, err := DoesFileExist(bean.ScanOutputDirectory) if err != nil { @@ -236,12 +267,72 @@ func DoesFileExist(path string) (bool, error) { } return false, err } -func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMetadata, executionHistoryDirPath string, executionHistoryId int, userId int32, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto) error { +func (impl *ImageScanServiceImpl) processImageScanSbom(scanEvent *common.ImageScanEvent, tool *repository.ScanToolMetadata, executionHistoryId int, output string) error { + + var metaId int + var objectType string + if scanEvent.SourceSubType == common.SourceSubTypeCi { + metaId = scanEvent.CiWorkflowId + objectType = repository.ScanObjectType_CI_Workflow + } else if scanEvent.SourceSubType == common.SourceSubTypeManifest { + metaId = scanEvent.CdWorkflowId + objectType = repository.ScanObjectType_CD_Workflow + } + + var info *repository.ImageScanDeployInfo + var err error + info, err = impl.imageScanDeployInfoRepository.FindByObjectTypeAndId(metaId, objectType) + if err != nil { + return err + } + + if info == nil { + info = &repository.ImageScanDeployInfo{ + ImageScanExecutionHistoryId: []int{executionHistoryId}, + ScanObjectMetaId: metaId, + ObjectType: objectType, + EnvId: 1, + ClusterId: 1, + AuditLog: repository.AuditLog{ + CreatedOn: time.Now(), + CreatedBy: 1, + UpdatedOn: time.Now(), + UpdatedBy: 1, + }, + } + err := impl.imageScanDeployInfoRepository.Save(info) + if err != nil { + return err + } + + } else { + info.ImageScanExecutionHistoryId = append(info.ImageScanExecutionHistoryId, executionHistoryId) + info.UpdatedOn = time.Now() + err := impl.imageScanDeployInfoRepository.Update(info) + if err != nil { + return err + } + } + result := &repository.ResourceScanResult{ + ImageScanExecutionHistoryId: executionHistoryId, + ScanDataJson: output, + Format: repository.Json, + Types: []int{repository.Vulnerabilities.ToInt(), repository.License.ToInt()}, + ScanToolId: tool.Id, + } + err = impl.resourceScanResultRepository.SaveInBatch([]*repository.ResourceScanResult{result}) + if err != nil { + return err + } + return nil +} + +func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMetadata, executionHistoryDirPath string, executionHistoryId int, userId int32, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto, isV2 bool) (string, error) { imageScanConfig := &ImageScanConfig{} err := env.Parse(imageScanConfig) if err != nil { impl.logger.Errorw("error in parsing env ", "err", err) - return err + return "", err } // creating folder for storing this tool output data @@ -250,13 +341,13 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet err = os.Mkdir(toolOutputDirPath, commonUtil.DefaultFileCreatePermission) if err != nil && !os.IsExist(err) { impl.logger.Errorw("error in creating toolOutput directory", "err", err, "toolId", tool.Id, "executionHistoryDir", executionHistoryDirPath) - return err + return "", err } //getting all steps for this tool steps, err := impl.scanToolStepRepository.FindAllByScanToolId(tool.Id) if err != nil { impl.logger.Errorw("error in getting steps by scan tool id", "err", err, "toolId", tool.Id) - return err + return "", err } //sorting steps on the basis of index //sort.Slice(steps, func(i, j int) bool { return steps[i].Index < steps[j].Index }) @@ -268,7 +359,7 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet registryIndexMappingModel, err := impl.registryIndexMappingRepository.GetStartingIndexForARegistryAndATool(tool.Id, imageScanRenderDto.RegistryType) if err != nil { impl.logger.Errorw("error in getting registry index mapping", "err", err, "RegistryType", imageScanRenderDto.RegistryType, "toolId", tool.Id) - return err + return "", err } stepProcessIndex = registryIndexMappingModel.Index @@ -283,16 +374,16 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet } for { if stepTryCount[stepProcessIndex] <= 0 { - return fmt.Errorf("error in completing tool scan process, max no of tries reached for failed step with index : %d", stepProcessIndex) + return "", fmt.Errorf("error in completing tool scan process, max no of tries reached for failed step with index : %d", stepProcessIndex) } step := stepIndexMap[stepProcessIndex] //decrementing try count for this step stepTryCount[stepProcessIndex] -= 1 if step.StepExecutionSync { - output, err := impl.ProcessScanStep(step, tool, toolOutputDirPath, ctx, imageScanRenderDto) + output, err := impl.ProcessScanStep(step, tool, toolOutputDirPath, ctx, imageScanRenderDto, isV2) if err != nil { impl.logger.Errorw("error in processing scan step sync", "err", err, "stepId", step.Id) - return err + return "", errors.New(string(output)) } if step.StepExecutionType == bean.ScanExecutionTypeCli && step.CliOutputType == cliUtil.CliOutPutTypeStream { // read output here for further processing, to update this logic when cli stream processing is made async @@ -300,28 +391,34 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet output, err = commonUtil.ReadFile(outputFileName) if err != nil { impl.logger.Errorw("error in getting reading output of step", "err", err, "stepOutputFileName", outputFileName) - return err + return "", err } } isPassed, err := impl.CheckConditionsForAStep(step, output) if err != nil { impl.logger.Errorw("error in checking conditions for step", "err", err, "stepId", step.Id) - return err + return "", err } if !isPassed { impl.logger.Infow("conditions not passed for step", "stepId", step.Id) - return fmt.Errorf("conditions not passed for step with index : %d", step.Index) + return "", fmt.Errorf("conditions not passed for step with index : %d", step.Index) } - if step.ExecuteStepOnPass == bean.NullProcessIndex && isPassed { //step process is passed and scanning is completed + if step.ExecuteStepOnPass == bean.NullProcessIndex && isPassed { + + if isV2 { + return string(output), nil + } + + //step process is passed and scanning is completed err = impl.ConvertEndStepOutputAndSaveVulnerabilities(output, executionHistoryId, tool, step, userId) if err != nil { impl.logger.Errorw("error in saving vulnerabilities", "err", err) - return err + return "", err } - return nil + return string(output), nil } else if step.ExecuteStepOnFail == bean.NullProcessIndex && !isPassed { //step process is failed and scanning is completed - return fmt.Errorf("error in executing step with index : %d", stepProcessIndex) + return "", fmt.Errorf("error in executing step with index : %d", stepProcessIndex) } else if isPassed { //step process is passed and have to move to next step for processing stepProcessIndex = step.ExecuteStepOnPass } else if !isPassed { //step process is failed and have to move to next step for processing @@ -332,7 +429,7 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet defer cancel() go func() { //will not check if step is passed or failed - _, err := impl.ProcessScanStep(step, tool, toolOutputDirPath, cxtx, nil) + _, err := impl.ProcessScanStep(step, tool, toolOutputDirPath, cxtx, nil, false) if err != nil { impl.logger.Errorw("error in processing scan step async", "err", err, "stepId", step.Id) return @@ -340,13 +437,13 @@ func (impl *ImageScanServiceImpl) ProcessScanForTool(tool repository.ScanToolMet }() stepProcessIndex = step.ExecuteStepOnPass // for async type process, always considering step to be passed if stepProcessIndex == bean.NullProcessIndex { // if end step, consider it completed and return - return nil + return "", nil } } } } -func (impl *ImageScanServiceImpl) ProcessScanStep(step repository.ScanToolStep, tool repository.ScanToolMetadata, toolOutputDirPath string, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto) ([]byte, error) { +func (impl *ImageScanServiceImpl) ProcessScanStep(step repository.ScanToolStep, tool repository.ScanToolMetadata, toolOutputDirPath string, ctx context.Context, imageScanRenderDto *common.ImageScanRenderDto, isV2 bool) ([]byte, error) { outputFileNameForThisStep := path.Join(toolOutputDirPath, fmt.Sprintf("%d%s", step.Index, bean.JsonOutputFileNameSuffix)) var output []byte if step.StepExecutionType == bean.ScanExecutionTypeHttp { @@ -361,8 +458,13 @@ func (impl *ImageScanServiceImpl) ProcessScanStep(step repository.ScanToolStep, return nil, err } } else if step.StepExecutionType == bean.ScanExecutionTypeCli { + extraArgs := "" + if isV2 { + extraArgs = "--scanners vuln,config,secret,license --license-full" + } + imageScanRenderDto.OutputFilePath = outputFileNameForThisStep - renderedCommand, err := impl.GetCliInputParams(step, toolOutputDirPath, imageScanRenderDto, tool.ToolMetaData) + renderedCommand, err := impl.GetCliInputParams(step, toolOutputDirPath, imageScanRenderDto, tool.ToolMetaData, extraArgs) if err != nil { impl.logger.Errorw("error in getting cli step input params", "err", err) return nil, err @@ -370,7 +472,7 @@ func (impl *ImageScanServiceImpl) ProcessScanStep(step repository.ScanToolStep, output, err = cliUtil.HandleCliRequest(renderedCommand, outputFileNameForThisStep, ctx, step.CliOutputType, nil) if err != nil { impl.logger.Errorw("error in cli request txn", "err", err) - return nil, err + return output, err } } return output, nil @@ -571,7 +673,7 @@ func (impl *ImageScanServiceImpl) GetHttpStepInputParams(step repository.ScanToo return queryParams, httpHeaders, inputPayload, err } } - inputPayloadBytes, err = impl.RenderInputDataForAStep(string(step.HttpInputPayload), step.RenderInputDataFromStep, toolOutputDirPath, imageScanRenderDto, "") + inputPayloadBytes, err = impl.RenderInputDataForAStep(string(step.HttpInputPayload), step.RenderInputDataFromStep, toolOutputDirPath, imageScanRenderDto, "", "") if err != nil { impl.logger.Errorw("error in rendering http input payload", "err", err) return queryParams, httpHeaders, inputPayload, err @@ -580,10 +682,10 @@ func (impl *ImageScanServiceImpl) GetHttpStepInputParams(step repository.ScanToo return queryParams, httpHeaders, inputPayload, nil } -func (impl *ImageScanServiceImpl) GetCliInputParams(step repository.ScanToolStep, toolOutputDirPath string, imageScanRenderDto *common.ImageScanRenderDto, toolMetaData string) (string, error) { +func (impl *ImageScanServiceImpl) GetCliInputParams(step repository.ScanToolStep, toolOutputDirPath string, imageScanRenderDto *common.ImageScanRenderDto, toolMetaData string, extraArgs string) (string, error) { var err error var renderedCommand []byte - renderedCommand, err = impl.RenderInputDataForAStep(step.CliCommand, step.RenderInputDataFromStep, toolOutputDirPath, imageScanRenderDto, toolMetaData) + renderedCommand, err = impl.RenderInputDataForAStep(step.CliCommand, step.RenderInputDataFromStep, toolOutputDirPath, imageScanRenderDto, toolMetaData, extraArgs) if err != nil { impl.logger.Errorw("error in rendering cli input args", "err", err) return "", err @@ -591,7 +693,7 @@ func (impl *ImageScanServiceImpl) GetCliInputParams(step repository.ScanToolStep return string(renderedCommand), nil } -func (impl *ImageScanServiceImpl) RenderInputDataForAStep(inputPayloadTmpl string, outputStepIndex int, toolExecutionDirectoryPath string, imageScanRenderDto *common.ImageScanRenderDto, toolMetaData string) ([]byte, error) { +func (impl *ImageScanServiceImpl) RenderInputDataForAStep(inputPayloadTmpl string, outputStepIndex int, toolExecutionDirectoryPath string, imageScanRenderDto *common.ImageScanRenderDto, toolMetaData string, extraArgs string) ([]byte, error) { tmpl := template.Must(template.New("").Parse(inputPayloadTmpl)) jsonMap := map[string]interface{}{} metaDataMap := map[string]interface{}{} @@ -622,6 +724,7 @@ func (impl *ImageScanServiceImpl) RenderInputDataForAStep(inputPayloadTmpl strin jsonMap[common.GCR_FILE_PATH] = toolExecutionDirectoryPath jsonMap[common.IMAGE_NAME] = imageScanRenderDto.Image jsonMap[common.OUTPUT_FILE_PATH] = imageScanRenderDto.OutputFilePath + jsonMap[common.EXTRA_ARGS] = extraArgs for key, val := range metaDataMap { jsonMap[key] = val @@ -850,7 +953,7 @@ func (impl *ImageScanServiceImpl) handleProgressingScans() { //System doing image scanning for all pending scans for _, scanHistory := range scanHistories { scanEvent := common.ImageScanEvent{} - scanEventJson := imageScanExecutionHistoryMap[scanHistory.ImageScanExecutionHistoryId].ScanEventJson + scanEventJson := imageScanExecutionHistoryMap[scanHistory.ImageScanExecutionHistoryId].SourceMetadataJson if len(scanEventJson) == 0 { return } @@ -865,7 +968,7 @@ func (impl *ImageScanServiceImpl) handleProgressingScans() { impl.logger.Errorw("service error, getImageScanRenderDto", "err", err, "dockerRegistryId", scanEvent.DockerRegistryId) return } - err = impl.scanImageForTool(scanTool, scanHistory.ImageScanExecutionHistoryId, executionHistoryDirPath, wg, 1, nil, imageScanRenderDto) + _, err = impl.scanImageForTool(scanTool, scanHistory.ImageScanExecutionHistoryId, executionHistoryDirPath, wg, 1, nil, imageScanRenderDto, false) if err != nil { impl.logger.Errorw("error in scanning image", "err", err) return diff --git a/pubsub/NatSubscription.go b/pubsub/NatSubscription.go index ef4cf8ed..d5954ba1 100644 --- a/pubsub/NatSubscription.go +++ b/pubsub/NatSubscription.go @@ -4,6 +4,7 @@ import ( "encoding/json" pubsub1 "github.com/devtron-labs/common-lib/pubsub-lib" "github.com/devtron-labs/common-lib/pubsub-lib/model" + "github.com/devtron-labs/image-scanner/api" "github.com/devtron-labs/image-scanner/common" "github.com/devtron-labs/image-scanner/pkg/clairService" "go.uber.org/zap" @@ -17,15 +18,18 @@ type NatSubscriptionImpl struct { pubSubClient *pubsub1.PubSubClientServiceImpl logger *zap.SugaredLogger clairService clairService.ClairService + restHandler *api.RestHandlerImpl } func NewNatSubscription(pubSubClient *pubsub1.PubSubClientServiceImpl, logger *zap.SugaredLogger, - clairService clairService.ClairService) (*NatSubscriptionImpl, error) { + clairService clairService.ClairService, + restHandler *api.RestHandlerImpl) (*NatSubscriptionImpl, error) { ns := &NatSubscriptionImpl{ pubSubClient: pubSubClient, logger: logger, clairService: clairService, + restHandler: restHandler, } return ns, ns.Subscribe() } @@ -44,11 +48,15 @@ func (impl *NatSubscriptionImpl) Subscribe() error { // NOTE: This is not being used, thats why not updated the call // TODO: Will have to update if any usage in future // scanConfig.Image = "quay.io/coreos/clair:v2.0.0" - _, err = impl.clairService.ScanImage(scanConfig, nil, nil) - if err != nil { - impl.logger.Infow("err in process msg", "err", err) - return - } + go func() { + _, err := impl.restHandler.ScanForVulnerabilityEvent(scanConfig) + if err != nil { + impl.logger.Infow("err in process msg", "err", err) + return + } + }() + //_, err = impl.clairService.ScanImage(scanConfig, nil, nil) + } var loggerFunc pubsub1.LoggerFunc = func(msg model.PubSubMsg) (string, []interface{}) { diff --git a/report.json b/report.json new file mode 100644 index 00000000..e48240db --- /dev/null +++ b/report.json @@ -0,0 +1,1510 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2024-04-14T19:56:06.449033+05:30", + "ArtifactName": ".", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-24557", + "PkgID": "github.com/docker/docker@v20.10.27+incompatible", + "PkgName": "github.com/docker/docker", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/docker/docker@20.10.27%2Bincompatible" + }, + "InstalledVersion": "20.10.27+incompatible", + "FixedVersion": "25.0.2, 24.0.9", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24557", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "moby: classic builder cache poisoning", + "Description": "Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-346", + "CWE-345" + ], + "VendorSeverity": { + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 2, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 6.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 6.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-24557", + "https://github.com/moby/moby", + "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", + "https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd", + "https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff", + "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", + "https://nvd.nist.gov/vuln/detail/CVE-2024-24557", + "https://www.cve.org/CVERecord?id=CVE-2024-24557" + ], + "PublishedDate": "2024-02-01T17:15:10.953Z", + "LastModifiedDate": "2024-02-09T20:21:32.97Z" + }, + { + "VulnerabilityID": "CVE-2024-29018", + "PkgID": "github.com/docker/docker@v20.10.27+incompatible", + "PkgName": "github.com/docker/docker", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/docker/docker@20.10.27%2Bincompatible" + }, + "InstalledVersion": "20.10.27+incompatible", + "FixedVersion": "26.0.0-rc3, 25.0.5, 23.0.11", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29018", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "moby: external DNS requests from 'internal' networks could lead to data exfiltration", + "Description": "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\n\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\n\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\n\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\n\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\n\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\n\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\n\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\n\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\n\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-669" + ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29018", + "https://github.com/moby/moby", + "https://github.com/moby/moby/pull/46609", + "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29018", + "https://www.cve.org/CVERecord?id=CVE-2024-29018" + ], + "PublishedDate": "2024-03-20T21:15:31.113Z", + "LastModifiedDate": "2024-03-21T12:58:51.093Z" + } + ] + }, + { + "Target": "Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 24, + "Failures": 3, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /go/src/github.com/devtron-labs/image-scanner' command instead of 'ADD . /go/src/github.com/devtron-labs/image-scanner'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 6, + "EndLine": 6, + "Code": { + "Lines": [ + { + "Number": 6, + "Content": "ADD . /go/src/github.com/devtron-labs/image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /go/src/github.com/devtron-labs/image-scanner", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS025", + "AVDID": "AVD-DS-0025", + "Title": "'apk add' is missing '--no-cache'", + "Description": "You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.", + "Message": "'--no-cache' is missed: apk add --update make", + "Namespace": "builtin.dockerfile.DS025", + "Query": "data.builtin.dockerfile.DS025.deny", + "Resolution": "Add '--no-cache' to 'apk add' in Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds025", + "References": [ + "https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache", + "https://avd.aquasec.com/misconfig/ds025" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 3, + "EndLine": 3, + "Code": { + "Lines": [ + { + "Number": 3, + "Content": "RUN apk add --update make", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apk add --update make", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "OS Packages", + "Class": "license" + }, + { + "Target": "go.mod", + "Class": "license", + "Licenses": [ + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "cloud.google.com/go/compute", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "cloud.google.com/go/compute/metadata", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/Knetic/govaluate", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/antihax/optional", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/arl/statsviz", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/aws/aws-sdk-go", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/beorn7/perks", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/caarlos0/env", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/caarlos0/env/v6", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/cespare/xxhash/v2", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/coreos/clair", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/devtron-labs/common-lib", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/docker/cli", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/docker/distribution", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/docker/docker", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/docker/docker-credential-helpers", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/go-pg/pg", + "FilePath": "go.mod", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/golang/mock", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/golang/protobuf", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/google/go-containerregistry", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/google/wire", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/gorilla/mux", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/gorilla/websocket", + "FilePath": "go.mod", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/grpc-ecosystem/grpc-gateway", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/jinzhu/inflection", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/jmespath/go-jmespath", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "github.com/juju/errors", + "FilePath": "go.mod", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/klauspost/compress", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/klauspost/compress", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/klauspost/compress", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/matttproud/golang_protobuf_extensions", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/minio/highwayhash", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/nats-io/jwt/v2", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/nats-io/nats.go", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/nats-io/nkeys", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/nats-io/nuid", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/onsi/ginkgo", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/opencontainers/go-digest", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/opencontainers/image-spec", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/optiopay/klar", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/pkg/errors", + "FilePath": "go.mod", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/prometheus/client_golang", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/prometheus/client_model", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/prometheus/common", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/prometheus/procfs", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/quay/claircore", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/sirupsen/logrus", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/tidwall/gjson", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/tidwall/match", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "github.com/tidwall/pretty", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "go.uber.org/atomic", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "go.uber.org/multierr", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "go.uber.org/zap", + "FilePath": "go.mod", + "Name": "MIT", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/crypto", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/mod", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/net", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/oauth2", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/sync", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/sys", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/text", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "golang.org/x/tools", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/appengine", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/genproto", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/genproto/googleapis/api", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/genproto/googleapis/rpc", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/grpc", + "FilePath": "go.mod", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "google.golang.org/protobuf", + "FilePath": "go.mod", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "mellium.im/sasl", + "FilePath": "go.mod", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "" + } + ] + }, + { + "Target": "Loose File License(s)", + "Class": "license-file", + "Licenses": [ + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/mellium.im/sasl/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/grpc-ecosystem/grpc-gateway/LICENSE.txt", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/aws/aws-sdk-go/internal/sync/singleflight/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/aws/aws-sdk-go/LICENSE.txt", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/caarlos0/env/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/caarlos0/env/v6/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/beorn7/perks/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/coreos/clair/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-pg/pg/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/pkg/errors/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/gjson/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/match/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/pretty/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/cespare/xxhash/v2/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/matttproud/golang_protobuf_extensions/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/quay/claircore/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/docker/cli/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/docker/distribution/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/docker/docker-credential-helpers/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/docker/docker/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jinzhu/inflection/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "", + "FilePath": "vendor/github.com/juju/errors/LICENSE", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/LGPL-3.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/optiopay/klar/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/client_golang/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/client_model/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg/README.txt", + "Name": "BSD-3-Clause", + "Confidence": 0.9767441860465116, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/common/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/procfs/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/devtron-labs/common-lib/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang/mock/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang/protobuf/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/mux/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/websocket/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Knetic/govaluate/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/sirupsen/logrus/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jmespath/go-jmespath/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/arl/statsviz/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/antihax/optional/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/go-containerregistry/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/wire/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nats.go/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nkeys/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nuid/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/opencontainers/go-digest/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/opencontainers/image-spec/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/NOTICE.txt", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/regenerate.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/appengine/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/googleapis/api/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/googleapis/rpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/protobuf/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/compute/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/compute/metadata/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/atomic/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/multierr/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/zap/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/oauth2/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/sync/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/sys/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/text/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/tools/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/crypto/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/mod/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/net/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + } + ] + } + ] +} diff --git a/ssh-config b/ssh-config new file mode 100644 index 00000000..25d6ad0d --- /dev/null +++ b/ssh-config @@ -0,0 +1,3 @@ +Host * + UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no \ No newline at end of file diff --git a/wire_gen.go b/wire_gen.go index a35e97d1..e6304487 100644 --- a/wire_gen.go +++ b/wire_gen.go @@ -10,6 +10,7 @@ import ( "github.com/devtron-labs/common-lib/monitoring" "github.com/devtron-labs/common-lib/pubsub-lib" "github.com/devtron-labs/image-scanner/api" + "github.com/devtron-labs/image-scanner/helper" "github.com/devtron-labs/image-scanner/internal/logger" "github.com/devtron-labs/image-scanner/internal/sql" "github.com/devtron-labs/image-scanner/internal/sql/repository" @@ -25,8 +26,6 @@ import ( func InitializeApp() (*App, error) { sugaredLogger := logger.NewSugardLogger() - pubSubClientServiceImpl := pubsub_lib.NewPubSubClientServiceImpl(sugaredLogger) - testPublishImpl := pubsub.NewTestPublishImpl(pubSubClientServiceImpl, sugaredLogger) apiClient := grafeasService.GetGrafeasClient() client := logger.NewHttpClient() grafeasServiceImpl := grafeasService.NewKlarServiceImpl(sugaredLogger, apiClient, client) @@ -57,7 +56,11 @@ func InitializeApp() (*App, error) { } dockerArtifactStoreRepositoryImpl := repository.NewDockerArtifactStoreRepositoryImpl(db, sugaredLogger) registryIndexMappingRepositoryImpl := repository.NewRegistryIndexMappingRepositoryImpl(db, sugaredLogger) - imageScanServiceImpl := security.NewImageScanServiceImpl(sugaredLogger, imageScanHistoryRepositoryImpl, imageScanResultRepositoryImpl, imageScanObjectMetaRepositoryImpl, cveStoreRepositoryImpl, imageScanDeployInfoRepositoryImpl, ciArtifactRepositoryImpl, scanToolExecutionHistoryMappingRepositoryImpl, scanToolMetadataRepositoryImpl, scanStepConditionRepositoryImpl, scanToolStepRepositoryImpl, scanStepConditionMappingRepositoryImpl, imageScanConfig, dockerArtifactStoreRepositoryImpl, registryIndexMappingRepositoryImpl) + gitCliManagerImpl := helper.NewGitCliManager() + gitManager := helper.NewGitManagerImpl(gitCliManagerImpl) + resourceScanResultRepositoryImpl := repository.NewResourceScanResultRepositoryImpl(db, sugaredLogger) + codeScanServiceImpl := security.NewCodeScanServiceImpl(sugaredLogger, gitManager, scanToolExecutionHistoryMappingRepositoryImpl, imageScanDeployInfoRepositoryImpl, resourceScanResultRepositoryImpl) + imageScanServiceImpl := security.NewImageScanServiceImpl(sugaredLogger, imageScanHistoryRepositoryImpl, imageScanResultRepositoryImpl, imageScanObjectMetaRepositoryImpl, cveStoreRepositoryImpl, imageScanDeployInfoRepositoryImpl, ciArtifactRepositoryImpl, scanToolExecutionHistoryMappingRepositoryImpl, scanToolMetadataRepositoryImpl, scanStepConditionRepositoryImpl, scanToolStepRepositoryImpl, scanStepConditionMappingRepositoryImpl, imageScanConfig, dockerArtifactStoreRepositoryImpl, registryIndexMappingRepositoryImpl, codeScanServiceImpl, resourceScanResultRepositoryImpl) klarConfig, err := klarService.GetKlarConfig() if err != nil { return nil, err @@ -68,10 +71,11 @@ func InitializeApp() (*App, error) { return nil, err } clairServiceImpl := clairService.NewClairServiceImpl(sugaredLogger, clairConfig, client, imageScanServiceImpl, dockerArtifactStoreRepositoryImpl, scanToolMetadataRepositoryImpl) - restHandlerImpl := api.NewRestHandlerImpl(sugaredLogger, testPublishImpl, grafeasServiceImpl, userServiceImpl, imageScanServiceImpl, klarServiceImpl, clairServiceImpl, imageScanConfig) + restHandlerImpl := api.NewRestHandlerImpl(sugaredLogger, grafeasServiceImpl, userServiceImpl, imageScanServiceImpl, klarServiceImpl, clairServiceImpl, imageScanConfig, codeScanServiceImpl) monitoringRouter := monitoring.NewMonitoringRouter(sugaredLogger) router := api.NewRouter(sugaredLogger, restHandlerImpl, monitoringRouter) - natSubscriptionImpl, err := pubsub.NewNatSubscription(pubSubClientServiceImpl, sugaredLogger, clairServiceImpl) + pubSubClientServiceImpl := pubsub_lib.NewPubSubClientServiceImpl(sugaredLogger) + natSubscriptionImpl, err := pubsub.NewNatSubscription(pubSubClientServiceImpl, sugaredLogger, clairServiceImpl, restHandlerImpl) if err != nil { return nil, err }