From b10621d99c0f38375978b3630de56495f63e2da0 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 25 Aug 2023 14:02:11 +0600 Subject: [PATCH 1/5] return nil for advisories, if len of refs == 0 add marshal test --- pkg/sbom/cyclonedx/core/cyclonedx.go | 7 ++ pkg/sbom/cyclonedx/marshal_test.go | 168 +++++++++++++++++++++++++++ 2 files changed, 175 insertions(+)
diff --git a/pkg/sbom/cyclonedx/core/cyclonedx.go b/pkg/sbom/cyclonedx/core/cyclonedx.go
index a7f37801727e..dd8430997f33 100644
--- a/pkg/sbom/cyclonedx/core/cyclonedx.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx.go
@@ -341,6 +341,13 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
 }
 
 func cdxAdvisories(refs []string) *[]cdx.Advisory {
+	// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
+	// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
+	// we need to explicitly set `nil` for empty `refs` slice
+	if len(refs) == 0 {
+		return nil
+	}
+
 	var advs []cdx.Advisory
 	for _, ref := range refs {
 		advs = append(advs, cdx.Advisory{
diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
index b32739630ea3..861bedc669b9 100644
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
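Review bot: The new comment in cdxAdvisories misstates the mechanism — nothing "converts a link"; with empty refs the function presumably returned a pointer to the still-nil `advs`, and a non-nil pointer to a nil slice is not dropped by `omitempty` and encodes as JSON `null`, which `bom-1.5.schema.json` rejects for `advisories`. Suggest replacing the three comment lines with `// A pointer to a nil slice is not omitted by omitempty and encodes as JSON null, which bom-1.5.schema.json rejects for "advisories"; return nil so the key is omitted instead.` The same `var x []T; ...; return &x` shape would produce equally invalid output anywhere else in this file an optional `*[]T` is built, so the remaining constructors are worth checking (I cannot see them here). Because schema-invalid SBOMs are typically rejected outright by downstream validators, silently losing the whole vulnerability section, a marshal-time validation test against the 1.5 schema would catch regressions of this class. cdxAdvisories' body continues outside the hunk.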
@@ -1430,6 +1430,174 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, }, + { + name: "happy path. Vuln has no References", + inputReport: types.Report{ + SchemaVersion: report.SchemaVersion, + ArtifactName: "CVE-2023-34468", + ArtifactType: ftypes.ArtifactFilesystem, + Results: types.Results{ + { + Target: "Java", + Class: types.ClassLangPkg, + Type: ftypes.Jar, + Packages: []ftypes.Package{ + { + Name: "org.apache.nifi:nifi-dbcp-base", + Version: "1.20.0", + FilePath: "nifi-dbcp-base-1.20.0.jar", + }, + }, + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2023-34468", + PkgName: "org.apache.nifi:nifi-dbcp-base", + PkgPath: "nifi-dbcp-base-1.20.0.jar", + InstalledVersion: "1.20.0", + FixedVersion: "1.22.0", + SeveritySource: vulnerability.GHSA, + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-34468", + DataSource: &dtypes.DataSource{ + ID: vulnerability.GHSA, + Name: "GitHub Security Advisory Maven", + URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", + }, + Vulnerability: dtypes.Vulnerability{ + Title: "Apache NiFi vulnerable to Code Injection", + Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", + Severity: dtypes.SeverityHigh.String(), + CweIDs: []string{ + "CWE-94", + }, + VendorSeverity: dtypes.VendorSeverity{ + vulnerability.GHSA: dtypes.SeverityHigh, + vulnerability.NVD: dtypes.SeverityHigh, + }, + CVSS: dtypes.VendorCVSS{ + vulnerability.GHSA: dtypes.CVSS{ + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + V3Score: 8.8, + }, + vulnerability.NVD: dtypes.CVSS{ + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + V3Score: 8.8, + }, + }, + PublishedDate: lo.ToPtr(time.Date(2023, 6, 12, 16, 15, 0, 0, time.UTC)), + LastModifiedDate: lo.ToPtr(time.Date(2023, 6, 21, 02, 20, 0, 0, time.UTC)), + }, + }, + }, + }, + }, + }, + want: &cdx.BOM{ + XMLNS: "http://cyclonedx.org/schema/bom/1.5", + BOMFormat: "CycloneDX", 
+ SpecVersion: cdx.SpecVersion1_5, + JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", + SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", + Version: 1, + Metadata: &cdx.Metadata{ + Timestamp: "2021-08-25T12:20:30+00:00", + Tools: &[]cdx.Tool{ + { + Name: "trivy", + Vendor: "aquasecurity", + Version: "dev", + }, + }, + Component: &cdx.Component{ + BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", + Type: cdx.ComponentTypeApplication, + Name: "CVE-2023-34468", + Properties: &[]cdx.Property{ + { + Name: "aquasecurity:trivy:SchemaVersion", + Value: "2", + }, + }, + }, + }, + Components: &[]cdx.Component{ + { + BOMRef: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", + Type: "library", + Name: "nifi-dbcp-base", + Group: "org.apache.nifi", + Version: "1.20.0", + PackageURL: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0", + Properties: &[]cdx.Property{ + { + Name: "aquasecurity:trivy:FilePath", + Value: "nifi-dbcp-base-1.20.0.jar", + }, + { + Name: "aquasecurity:trivy:PkgType", + Value: "jar", + }, + }, + }, + }, + Dependencies: &[]cdx.Dependency{ + { + Ref: "3ff14136-e09f-4df9-80ea-000000000002", + Dependencies: &[]string{ + "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", + }, + }, + { + Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", + Dependencies: lo.ToPtr([]string{}), + }, + }, + Vulnerabilities: &[]cdx.Vulnerability{ + { + ID: "CVE-2023-34468", + Source: &cdx.Source{ + Name: string(vulnerability.GHSA), + URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", + }, + Recommendation: "Upgrade org.apache.nifi:nifi-dbcp-base to version 1.22.0", + Ratings: &[]cdx.VulnerabilityRating{ + { + Source: &cdx.Source{ + Name: string(vulnerability.GHSA), + }, + Score: lo.ToPtr(8.8), + Severity: cdx.SeverityHigh, + Method: cdx.ScoringMethodCVSSv31, + Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + }, + 
{ + Source: &cdx.Source{ + Name: string(vulnerability.NVD), + }, + Score: lo.ToPtr(8.8), + Severity: cdx.SeverityHigh, + Method: cdx.ScoringMethodCVSSv31, + Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + }, + }, + CWEs: lo.ToPtr([]int{94}), + Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", + Published: "2023-06-12T16:15:00+00:00", + Updated: "2023-06-21T02:20:00+00:00", + Affects: &[]cdx.Affects{ + { + Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", + Range: &[]cdx.AffectedVersions{ + { + Version: "1.20.0", + Status: cdx.VulnerabilityStatusAffected, + }, + }, + }, + }, + }, + }, + }, + }, { name: "happy path aggregate results", inputReport: types.Report{ From 8b7e27cde0d99cd7a42d263ded042ec018bc95f8 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 25 Aug 2023 14:25:23 +0600 Subject: [PATCH 2/5] add integration test for cyclonedx with vulns --- integration/repo_test.go | 10 + .../testdata/pom-cyclonedx.json.golden | 304 ++++++++++++++++++ 2 files changed, 314 insertions(+) create mode 100644 integration/testdata/pom-cyclonedx.json.golden diff --git a/integration/repo_test.go b/integration/repo_test.go index 79801bc3e0a7..c554881e3101 100644 --- a/integration/repo_test.go +++ b/integration/repo_test.go @@ -327,6 +327,16 @@ func TestRepository(t *testing.T) { }, golden: "testdata/conda-cyclonedx.json.golden", }, + { + name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)", + args: args{ + command: "fs", + scanner: types.VulnerabilityScanner, + format: "cyclonedx", + input: "testdata/fixtures/repo/pom", + }, + golden: "testdata/pom-cyclonedx.json.golden", + }, { name: "conda generating SPDX SBOM", args: args{ diff --git a/integration/testdata/pom-cyclonedx.json.golden b/integration/testdata/pom-cyclonedx.json.golden new file mode 100644 index 000000000000..ec07b00e5317 --- /dev/null 
+++ b/integration/testdata/pom-cyclonedx.json.golden 
@@ -0,0 +1,304 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", + "version": 1, + "metadata": { + "timestamp": "2020-09-10T14:20:30+00:00", + "tools": [ + { + "vendor": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ], + "component": { + "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002", + "type": "application", + "name": "testdata/fixtures/repo/pom", + "properties": [ + { + "name": "aquasecurity:trivy:SchemaVersion", + "value": "2" + } + ] + } + }, + "components": [ + { + "bom-ref": "3ff14136-e09f-4df9-80ea-000000000003", + "type": "application", + "name": "pom.xml", + "properties": [ + { + "name": "aquasecurity:trivy:Class", + "value": "lang-pkgs" + }, + { + "name": "aquasecurity:trivy:Type", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", + "type": "library", + "name": "com.example:log4shell", + "version": "1.0-SNAPSHOT", + "purl": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", + "properties": [ + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", + "type": "library", + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.9.1", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", + "properties": [ + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + } + ], + "dependencies": [ + { + "ref": "3ff14136-e09f-4df9-80ea-000000000002", + "dependsOn": [ + "3ff14136-e09f-4df9-80ea-000000000003" + ] + }, + { + "ref": "3ff14136-e09f-4df9-80ea-000000000003", + "dependsOn": [ + "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" + ] + }, + { + "ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", + "dependsOn": [] + }, + { + "ref": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", + "dependsOn": [] + } + ], + "vulnerabilities": [ + { + "id": "CVE-2020-9548", + "source": { + "name": "ghsa", + "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" + }, + "ratings": [ + { + "source": { + "name": "ghsa" + }, + "severity": "critical" + }, + { + "source": { + "name": "nvd" + }, + "score": 6.8, + "severity": "medium", + "method": "CVSSv2", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + }, + { + "source": { + "name": "nvd" + }, + "score": 9.8, + "severity": "critical", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 8.1, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "cwes": [ + 502 + ], + "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4", + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2020-9548" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634" + }, + { + "url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr" + }, + { + "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": 
"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200904-0006/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + } + ], + "published": "2020-03-02T04:15:00+00:00", + "updated": "2021-12-02T21:23:00+00:00", + "affects": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", + "versions": [ + { + "version": "2.9.1", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2021-20190", + "source": { + "name": "glad", + "url": "https://gitlab.com/gitlab-org/advisories-community" + }, + "ratings": [ + { + "source": { + "name": "ghsa" + }, + "severity": "high" + }, + { + "source": { + "name": "nvd" + }, + "score": 8.3, + "severity": "high", + "method": "CVSSv2", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C" + }, + { + "source": { + "name": "nvd" + }, + "score": 8.1, + "severity": "high", + "method": "CVSSv31", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 8.1, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "cwes": [ + 502 + ], + "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7", + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2021-20190" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854" + }, + { + "url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w" + }, + { + "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0008/" + } + ], + "published": "2021-01-19T17:15:00+00:00", + "updated": "2021-07-20T23:15:00+00:00", + "affects": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", + "versions": [ + { + "version": "2.9.1", + "status": "affected" + } + ] + } + ] + } + ] +} From af908f342d81b252e698890d92100dbfdb010368 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 28 Aug 2023 16:54:28 +0600 Subject: [PATCH 3/5] use existing testcase --- pkg/sbom/cyclonedx/marshal_test.go | 184 +---------------------------- 1 file changed, 2 insertions(+), 182 deletions(-) 
diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go index 861bedc669b9..6c76a592e83f 100644 --- a/pkg/sbom/cyclonedx/marshal_test.go +++ b/pkg/sbom/cyclonedx/marshal_test.go @@ -108,10 +108,6 @@ func TestMarshaler_Marshal(t *testing.T) { V3Score: 5.3, }, }, - References: []string{ - "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", - }, PublishedDate: lo.ToPtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)), LastModifiedDate: lo.ToPtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)), }, @@ -525,16 +521,8 @@ func TestMarshaler_Marshal(t *testing.T) { 416, }, Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.", - Advisories: &[]cdx.Advisory{ - { - URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", - }, - { - URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", - }, - }, - Published: "2018-12-31T19:29:00+00:00", - Updated: "2019-10-31T01:15:00+00:00", + Published: "2018-12-31T19:29:00+00:00", + Updated: "2019-10-31T01:15:00+00:00", Affects: &[]cdx.Affects{ { Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 
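Review bot: Dropping `References` from the binutils fixture (hunk at -108) together with its `Advisories` from the expected BOM (hunk at -525) turns this case into an empty-refs case, so unless another entry in TestMarshaler_Marshal still carries References (not visible here) the populated branch of cdxAdvisories keeps no unit coverage and is checked only by the pom integration golden. Keeping References on one vulnerability and removing them on a different one would cover both branches in the same table. Both hunks sit inside the test table of TestMarshaler_Marshal, which starts and ends outside the hunk.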
@@ -1430,174 +1418,6 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, }, - { - name: "happy path. Vuln has no References", - inputReport: types.Report{ - SchemaVersion: report.SchemaVersion, - ArtifactName: "CVE-2023-34468", - ArtifactType: ftypes.ArtifactFilesystem, - Results: types.Results{ - { - Target: "Java", - Class: types.ClassLangPkg, - Type: ftypes.Jar, - Packages: []ftypes.Package{ - { - Name: "org.apache.nifi:nifi-dbcp-base", - Version: "1.20.0", - FilePath: "nifi-dbcp-base-1.20.0.jar", - }, - }, - Vulnerabilities: []types.DetectedVulnerability{ - { - VulnerabilityID: "CVE-2023-34468", - PkgName: "org.apache.nifi:nifi-dbcp-base", - PkgPath: "nifi-dbcp-base-1.20.0.jar", - InstalledVersion: "1.20.0", - FixedVersion: "1.22.0", - SeveritySource: vulnerability.GHSA, - PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-34468", - DataSource: &dtypes.DataSource{ - ID: vulnerability.GHSA, - Name: "GitHub Security Advisory Maven", - URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", - }, - Vulnerability: dtypes.Vulnerability{ - Title: "Apache NiFi vulnerable to Code Injection", - Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", - Severity: dtypes.SeverityHigh.String(), - CweIDs: []string{ - "CWE-94", - }, - VendorSeverity: dtypes.VendorSeverity{ - vulnerability.GHSA: dtypes.SeverityHigh, - vulnerability.NVD: dtypes.SeverityHigh, - }, - CVSS: dtypes.VendorCVSS{ - vulnerability.GHSA: dtypes.CVSS{ - V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - V3Score: 8.8, - }, - vulnerability.NVD: dtypes.CVSS{ - V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - V3Score: 8.8, - }, - }, - PublishedDate: lo.ToPtr(time.Date(2023, 6, 12, 16, 15, 0, 0, time.UTC)), - LastModifiedDate: lo.ToPtr(time.Date(2023, 6, 21, 02, 20, 0, 0, time.UTC)), - }, - }, - }, - }, - }, - }, - want: &cdx.BOM{ - XMLNS: "http://cyclonedx.org/schema/bom/1.5", - BOMFormat: "CycloneDX", 
- SpecVersion: cdx.SpecVersion1_5, - JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", - SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", - Version: 1, - Metadata: &cdx.Metadata{ - Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", - }, - }, - Component: &cdx.Component{ - BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", - Type: cdx.ComponentTypeApplication, - Name: "CVE-2023-34468", - Properties: &[]cdx.Property{ - { - Name: "aquasecurity:trivy:SchemaVersion", - Value: "2", - }, - }, - }, - }, - Components: &[]cdx.Component{ - { - BOMRef: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", - Type: "library", - Name: "nifi-dbcp-base", - Group: "org.apache.nifi", - Version: "1.20.0", - PackageURL: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0", - Properties: &[]cdx.Property{ - { - Name: "aquasecurity:trivy:FilePath", - Value: "nifi-dbcp-base-1.20.0.jar", - }, - { - Name: "aquasecurity:trivy:PkgType", - Value: "jar", - }, - }, - }, - }, - Dependencies: &[]cdx.Dependency{ - { - Ref: "3ff14136-e09f-4df9-80ea-000000000002", - Dependencies: &[]string{ - "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", - }, - }, - { - Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", - Dependencies: lo.ToPtr([]string{}), - }, - }, - Vulnerabilities: &[]cdx.Vulnerability{ - { - ID: "CVE-2023-34468", - Source: &cdx.Source{ - Name: string(vulnerability.GHSA), - URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", - }, - Recommendation: "Upgrade org.apache.nifi:nifi-dbcp-base to version 1.22.0", - Ratings: &[]cdx.VulnerabilityRating{ - { - Source: &cdx.Source{ - Name: string(vulnerability.GHSA), - }, - Score: lo.ToPtr(8.8), - Severity: cdx.SeverityHigh, - Method: cdx.ScoringMethodCVSSv31, - Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - }, - 
{ - Source: &cdx.Source{ - Name: string(vulnerability.NVD), - }, - Score: lo.ToPtr(8.8), - Severity: cdx.SeverityHigh, - Method: cdx.ScoringMethodCVSSv31, - Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - }, - }, - CWEs: lo.ToPtr([]int{94}), - Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", - Published: "2023-06-12T16:15:00+00:00", - Updated: "2023-06-21T02:20:00+00:00", - Affects: &[]cdx.Affects{ - { - Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", - Range: &[]cdx.AffectedVersions{ - { - Version: "1.20.0", - Status: cdx.VulnerabilityStatusAffected, - }, - }, - }, - }, - }, - }, - }, - }, { name: "happy path aggregate results", inputReport: types.Report{ From fc28e6e2c177cbc2f84781a4f99b3eb45893ef0b Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 31 Aug 2023 13:29:08 +0600 Subject: [PATCH 4/5] test(pom): add ID for cyclondedx integration golden file --- .../testdata/pom-cyclonedx.json.golden | 164 ++++++++++-------- 1 file changed, 87 insertions(+), 77 deletions(-) diff --git a/integration/testdata/pom-cyclonedx.json.golden b/integration/testdata/pom-cyclonedx.json.golden index ec07b00e5317..8f0cb5020718 100644 --- a/integration/testdata/pom-cyclonedx.json.golden +++ b/integration/testdata/pom-cyclonedx.json.golden @@ -48,6 +48,10 @@ "version": "1.0-SNAPSHOT", "purl": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "com.example:log4shell:1.0-SNAPSHOT" + }, { "name": "aquasecurity:trivy:PkgType", "value": "pom" @@ -61,6 +65,10 @@ "version": "2.9.1", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "com.fasterxml.jackson.core:jackson-databind:2.9.1" + }, { "name": "aquasecurity:trivy:PkgType", "value": "pom" 
@@ -84,7 +92,9 @@ }, { "ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT", - "dependsOn": [] + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" + ] }, { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", @@ -93,35 +103,35 @@ ], "vulnerabilities": [ { - "id": "CVE-2020-9548", + "id": "CVE-2021-20190", "source": { - "name": "ghsa", - "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" + "name": "glad", + "url": "https://gitlab.com/gitlab-org/advisories-community" }, "ratings": [ { "source": { "name": "ghsa" }, - "severity": "critical" + "severity": "high" }, { "source": { "name": "nvd" }, - "score": 6.8, - "severity": "medium", + "score": 8.3, + "severity": "high", "method": "CVSSv2", - "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C" }, { "source": { "name": "nvd" }, - "score": 9.8, - "severity": "critical", + "score": 8.1, + "severity": "high", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "source": { 
@@ -136,69 +146,39 @@ "cwes": [ 502 ], - "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", - "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4", + "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7", "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2020-9548" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2634" - }, - { - "url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr" - }, - { - "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" - }, - { - "url": 
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" + "url": "https://access.redhat.com/security/cve/CVE-2021-20190" }, { - "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" }, { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" }, { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" + "url": "https://github.com/FasterXML/jackson-databind/issues/2854" }, { - "url": "https://security.netapp.com/advisory/ntap-20200904-0006/" + "url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w" }, { - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" }, { - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" }, { - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + "url": "https://security.netapp.com/advisory/ntap-20210219-0008/" } ], - "published": "2020-03-02T04:15:00+00:00", - "updated": "2021-12-02T21:23:00+00:00", + "published": "2021-01-19T17:15:00+00:00", + "updated": "2021-07-20T23:15:00+00:00", "affects": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", 
@@ -212,35 +192,35 @@ ] }, { - "id": "CVE-2021-20190", + "id": "CVE-2020-9548", "source": { - "name": "glad", - "url": "https://gitlab.com/gitlab-org/advisories-community" + "name": "ghsa", + "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" }, "ratings": [ { "source": { "name": "ghsa" }, - "severity": "high" + "severity": "critical" }, { "source": { "name": "nvd" }, - "score": 8.3, - "severity": "high", + "score": 6.8, + "severity": "medium", "method": "CVSSv2", - "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C" + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" }, { "source": { "name": "nvd" }, - "score": 8.1, - "severity": "high", + "score": 9.8, + "severity": "critical", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "source": { 
@@ -255,39 +235,69 @@ "cwes": [ 502 ], - "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", - "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7", + "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4", "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2021-20190" + "url": "https://access.redhat.com/security/cve/CVE-2020-9548" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" + "url": "https://github.com/FasterXML/jackson-databind/issues/2634" }, { - "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" + "url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr" }, { - "url": "https://github.com/FasterXML/jackson-databind/issues/2854" + "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" }, { - "url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w" + "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" }, { - "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" }, { - "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" + "url": 
"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" }, { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" + "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" }, { - "url": "https://security.netapp.com/advisory/ntap-20210219-0008/" + "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200904-0006/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], - "published": "2021-01-19T17:15:00+00:00", - "updated": "2021-07-20T23:15:00+00:00", + "published": "2020-03-02T04:15:00+00:00", + "updated": "2021-12-02T21:23:00+00:00", "affects": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1", From c4a09f0aa510fe809726b968d7c7e9840a44cc60 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Thu, 31 Aug 2023 15:27:16 +0600 Subject: [PATCH 5/5] test(integration): add sorting cyclonedx vulns --- integration/integration_test.go | 3 + .../testdata/pom-cyclonedx.json.golden | 152 +++++++++--------- 2 files changed, 79 insertions(+), 76 deletions(-) diff --git a/integration/integration_test.go b/integration/integration_test.go index 04e1f423c927..11e5a431d977 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go @@ -151,6 +151,9 @@ func readCycloneDX(t *testing.T, filePath string) *cdx.BOM { return (*(*bom.Components)[i].Properties)[ii].Name < (*(*bom.Components)[i].Properties)[jj].Name }) } + sort.Slice(*bom.Vulnerabilities, func(i, j int) bool { + return (*bom.Vulnerabilities)[i].ID < (*bom.Vulnerabilities)[j].ID + }) } return bom diff --git a/integration/testdata/pom-cyclonedx.json.golden b/integration/testdata/pom-cyclonedx.json.golden index 8f0cb5020718..8e1c482e0580 100644 --- a/integration/testdata/pom-cyclonedx.json.golden +++ b/integration/testdata/pom-cyclonedx.json.golden @@ -103,35 +103,35 @@ ], "vulnerabilities": [ { - "id": "CVE-2021-20190", + "id": "CVE-2020-9548", "source": { - "name": "glad", - "url": "https://gitlab.com/gitlab-org/advisories-community" + "name": "ghsa", + "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" }, "ratings": [ { "source": { "name": "ghsa" }, - "severity": "high" + "severity": "critical" }, { "source": { "name": "nvd" }, - "score": 8.3, - "severity": "high", + "score": 6.8, + "severity": "medium", "method": "CVSSv2", - "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C" + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" }, { "source": { "name": "nvd" }, - "score": 8.1, - "severity": "high", + "score": 9.8, + "severity": "critical", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "source": { 
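Review bot: `sort.Slice(*bom.Vulnerabilities, ...)` dereferences the pointer unconditionally; cyclonedx-go leaves `Vulnerabilities` nil when the document has no `vulnerabilities` key, so a CycloneDX golden produced without the vulnerability scanner (the conda case in the same table looks like one) would panic here unless the enclosing condition, which starts outside the hunk, already guards it. Guard the call: `if bom.Vulnerabilities != nil {` / `sort.Slice(*bom.Vulnerabilities, func(i, j int) bool { return (*bom.Vulnerabilities)[i].ID < (*bom.Vulnerabilities)[j].ID })` / `}`. Ordering by ID alone is also not a total order once one CVE affects several packages, so `sort.SliceStable` or a tie-break on the affected ref would keep the golden comparison deterministic. readCycloneDX's body continues outside the hunk.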
@@ -146,39 +146,69 @@
 "cwes": [
 502
 ],
- "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
- "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
+ "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
+ "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
 "advisories": [
 {
- "url": "https://access.redhat.com/security/cve/CVE-2021-20190"
+ "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
 },
 {
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
+ "url": "https://github.com/FasterXML/jackson-databind/issues/2634"
 },
 {
- "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
+ "url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr"
 },
 {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2854"
+ "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"
 },
 {
- "url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
+ "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"
 },
 {
- "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
+ "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"
 },
 {
- "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
+ "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"
 },
 {
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
+ "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"
 },
 {
- "url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
+ "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"
+ },
+ {
+ "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"
+ },
+ {
+ "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
+ },
+ {
+ "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"
+ },
+ {
+ "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20200904-0006/"
+ },
+ {
+ "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+ },
+ {
+ "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+ },
+ {
+ "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+ },
+ {
+ "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
 }
 ],
- "published": "2021-01-19T17:15:00+00:00",
- "updated": "2021-07-20T23:15:00+00:00",
+ "published": "2020-03-02T04:15:00+00:00",
+ "updated": "2021-12-02T21:23:00+00:00",
 "affects": [
 {
 "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
@@ -192,35 +222,35 @@
 ]
 },
 {
- "id": "CVE-2020-9548",
+ "id": "CVE-2021-20190",
 "source": {
- "name": "ghsa",
- "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
+ "name": "glad",
+ "url": "https://gitlab.com/gitlab-org/advisories-community"
 },
 "ratings": [
 {
 "source": {
 "name": "ghsa"
 },
- "severity": "critical"
+ "severity": "high"
 },
 {
 "source": {
 "name": "nvd"
 },
- "score": 6.8,
- "severity": "medium",
+ "score": 8.3,
+ "severity": "high",
 "method": "CVSSv2",
- "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
+ "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
 },
 {
 "source": {
 "name": "nvd"
 },
- "score": 9.8,
- "severity": "critical",
+ "score": 8.1,
+ "severity": "high",
 "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
 },
 {
 "source": {
@@ -235,69 +265,39 @@
 "cwes": [
 502
 ],
- "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
- "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
+ "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
+ "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
 "advisories": [
 {
- "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2634"
- },
- {
- "url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr"
- },
- {
- "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"
- },
- {
- "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
+ "url": "https://access.redhat.com/security/cve/CVE-2021-20190"
 },
 {
- "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
 },
 {
- "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
+ "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
 },
 {
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
+ "url": "https://github.com/FasterXML/jackson-databind/issues/2854"
 },
 {
- "url": "https://security.netapp.com/advisory/ntap-20200904-0006/"
+ "url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
 },
 {
- "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+ "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
 },
 {
- "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+ "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
 },
 {
- "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
 },
 {
- "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
+ "url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
 }
 ],
- "published": "2020-03-02T04:15:00+00:00",
- "updated": "2021-12-02T21:23:00+00:00",
+ "published": "2021-01-19T17:15:00+00:00",
+ "updated": "2021-07-20T23:15:00+00:00",
 "affects": [
 {
 "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",