From d68b78b0c7915f718674d6c528cccf627872067d Mon Sep 17 00:00:00 2001 From: kzantow Date: Fri, 17 Nov 2023 07:07:50 +0000 Subject: [PATCH 1/4] chore(deps): update Grype to v0.73.2 Signed-off-by: GitHub --- GrypeVersion.js | 2 +- dist/index.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/GrypeVersion.js b/GrypeVersion.js index 88be5132..57248eb5 100644 --- a/GrypeVersion.js +++ b/GrypeVersion.js @@ -1 +1 @@ -exports.GRYPE_VERSION = "v0.63.1"; +exports.GRYPE_VERSION = "v0.73.2"; diff --git a/dist/index.js b/dist/index.js index 280ddbd5..16afaa59 100644 --- a/dist/index.js +++ b/dist/index.js @@ -4,7 +4,7 @@ /***/ 6244: /***/ ((__unused_webpack_module, exports) => { -exports.GRYPE_VERSION = "v0.63.1"; +exports.GRYPE_VERSION = "v0.73.2"; /***/ }), From 1186215e3a1f363996148b3bca7b1f431e344275 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Fri, 17 Nov 2023 13:18:54 -0500 Subject: [PATCH 2/4] remove snapshot test; assert only valid SARIF Signed-off-by: Will Murphy --- tests/__snapshots__/sarif_output.test.js.snap | 2064 ----------------- tests/sarif_output.test.js | 10 +- 2 files changed, 5 insertions(+), 2069 deletions(-) delete mode 100644 tests/__snapshots__/sarif_output.test.js.snap diff --git a/tests/__snapshots__/sarif_output.test.js.snap b/tests/__snapshots__/sarif_output.test.js.snap deleted file mode 100644 index d13e5e25..00000000 --- a/tests/__snapshots__/sarif_output.test.js.snap +++ /dev/null @@ -1,2064 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`SARIF alpine 1`] = ` -{ - "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", - "runs": [ - { - "results": [ - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2014-6051-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2014-6052-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2014-6053-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2014-6054-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2014-6055-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2016-9941-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2016-9942-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2018-7225-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2019-15681-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2019-20839-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2019-20840-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14397-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14399-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14400-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14401-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14402-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14403-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14404-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-14405-libvncserver", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/lib/apk/db/installed", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//lib/apk/db/installed", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /lib/apk/db/installed reports libvncserver at version 0.9.9 which is a vulnerable (apk) package installed in the container", - }, - "ruleId": "CVE-2020-25708-libvncserver", - }, - ], - "tool": { - "driver": { - "informationUri": "https://github.com/anchore/grype", - "name": "Grype", - "rules": [ - { - "fullDescription": { - "text": "Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.", - }, - "help": { - "markdown": "**Vulnerability CVE-2014-6051** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051) | -", - "text": "Vulnerability CVE-2014-6051 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: -Type: apk -Location: /lib/apk/db/installed -Data Namespace: nvd:cpe -Link: [CVE-2014-6051](https://nvd.nist.gov/vuln/detail/CVE-2014-6051)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2014-6051-libvncserver", - "name": "ApkMatcherCpeMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2014-6051 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer 0.9.9 and earlier does not check certain malloc return values, which allows remote VNC servers to cause a denial of service (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message.", - }, - "help": { - "markdown": "**Vulnerability CVE-2014-6052** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052) | -", - "text": "Vulnerability CVE-2014-6052 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: -Type: apk -Location: /lib/apk/db/installed -Data Namespace: nvd:cpe -Link: [CVE-2014-6052](https://nvd.nist.gov/vuln/detail/CVE-2014-6052)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2014-6052-libvncserver", - "name": "ApkMatcherCpeMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2014-6052 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is processed by using a single unchecked malloc.", - }, - "help": { - "markdown": "**Vulnerability CVE-2014-6053** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053) | -", - "text": "Vulnerability CVE-2014-6053 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: -Type: apk -Location: /lib/apk/db/installed -Data Namespace: nvd:cpe -Link: [CVE-2014-6053](https://nvd.nist.gov/vuln/detail/CVE-2014-6053)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2014-6053-libvncserver", - "name": "ApkMatcherCpeMatch", - "properties": { - "security-severity": "5.0", - }, - "shortDescription": { - "text": "CVE-2014-6053 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message.", - }, - "help": { - "markdown": "**Vulnerability CVE-2014-6054** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054) | -", - "text": "Vulnerability CVE-2014-6054 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: -Type: apk -Location: /lib/apk/db/installed -Data Namespace: nvd:cpe -Link: [CVE-2014-6054](https://nvd.nist.gov/vuln/detail/CVE-2014-6054)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2014-6054-libvncserver", - "name": "ApkMatcherCpeMatch", - "properties": { - "security-severity": "4.3", - }, - "shortDescription": { - "text": "CVE-2014-6054 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.", - }, - "help": { - "markdown": "**Vulnerability CVE-2014-6055** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055) | -", - "text": "Vulnerability CVE-2014-6055 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: -Type: apk -Location: /lib/apk/db/installed -Data Namespace: nvd:cpe -Link: [CVE-2014-6055](https://nvd.nist.gov/vuln/detail/CVE-2014-6055)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2014-6055-libvncserver", - "name": "ApkMatcherCpeMatch", - "properties": { - "security-severity": "6.5", - }, - "shortDescription": { - "text": "CVE-2014-6055 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.11-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2016-9941** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| critical | libvncserver | 0.9.9 | 0.9.11-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941) | -", - "text": "Vulnerability CVE-2016-9941 -Severity: critical -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.11-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2016-9941](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2016-9941-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "9.8", - }, - "shortDescription": { - "text": "CVE-2016-9941 critical vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.11-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2016-9942** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| critical | libvncserver | 0.9.9 | 0.9.11-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942) | -", - "text": "Vulnerability CVE-2016-9942 -Severity: critical -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.11-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2016-9942](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2016-9942-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "9.8", - }, - "shortDescription": { - "text": "CVE-2016-9942 critical vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.11-r2", - }, - "help": { - "markdown": "**Vulnerability CVE-2018-7225** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| critical | libvncserver | 0.9.9 | 0.9.11-r2 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225) | -", - "text": "Vulnerability CVE-2018-7225 -Severity: critical -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.11-r2 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2018-7225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2018-7225-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "9.8", - }, - "shortDescription": { - "text": "CVE-2018-7225 critical vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.12-r1", - }, - "help": { - "markdown": "**Vulnerability CVE-2019-15681** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.12-r1 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681) | -", - "text": "Vulnerability CVE-2019-15681 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.12-r1 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2019-15681](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2019-15681-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2019-15681 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2019-20839** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839) | -", - "text": "Vulnerability CVE-2019-20839 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2019-20839](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2019-20839-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2019-20839 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2019-20840** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20840) | -", - "text": "Vulnerability CVE-2019-20840 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2019-20840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20840)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2019-20840-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2019-20840 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14397** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397) | -", - "text": "Vulnerability CVE-2020-14397 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14397-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2020-14397 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14399** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399) | -", - "text": "Vulnerability CVE-2020-14399 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14399](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14399-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2020-14399 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14400** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400) | -", - "text": "Vulnerability CVE-2020-14400 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14400](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14400-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2020-14400 high vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14401** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401) | -", - "text": "Vulnerability CVE-2020-14401 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14401](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14401-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "6.5", - }, - "shortDescription": { - "text": "CVE-2020-14401 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14402** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402) | -", - "text": "Vulnerability CVE-2020-14402 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14402](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14402-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "5.5", - }, - "shortDescription": { - "text": "CVE-2020-14402 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14403** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403) | -", - "text": "Vulnerability CVE-2020-14403 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14403](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14403-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "5.5", - }, - "shortDescription": { - "text": "CVE-2020-14403 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14404** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404) | -", - "text": "Vulnerability CVE-2020-14404 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14404](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14404-libvncserver", - "name": "ApkMatcherExactIndirectMatch", - "properties": { - "security-severity": "5.5", - }, - "shortDescription": { - "text": "CVE-2020-14404 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-14405** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405) | -", - "text": "Vulnerability CVE-2020-14405 -Severity: medium -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-14405](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-14405-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "6.5", - }, - "shortDescription": { - "text": "CVE-2020-14405 medium vulnerability for libvncserver package", - }, - }, - { - "fullDescription": { - "text": "Version 0.9.9 is affected with an available fix in versions 0.9.13-r0", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-25708** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | libvncserver | 0.9.9 | 0.9.13-r0 | apk | /lib/apk/db/installed | alpine:distro:alpine:3.12 | [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708) | -", - "text": "Vulnerability CVE-2020-25708 -Severity: high -Package: libvncserver -Version: 0.9.9 -Fix Version: 0.9.13-r0 -Type: apk -Location: /lib/apk/db/installed -Data Namespace: alpine:distro:alpine:3.12 -Link: [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-25708-libvncserver", - "name": "ApkMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2020-25708 high vulnerability for libvncserver package", - }, - }, - ], - "version": "", - }, - }, - }, - ], - "version": "2.1.0", -} -`; - -exports[`SARIF debian 1`] = ` -{ - "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", - "runs": [ - { - "results": [ - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/var/lib/dpkg/status", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//var/lib/dpkg/status", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /var/lib/dpkg/status reports apt at version 1.8.2 which is a vulnerable (deb) package installed in the container", - }, - "ruleId": "CVE-2011-3374-apt", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/ruby/specifications/bundler.gemspec", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//ruby/specifications/bundler.gemspec", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", - }, - "ruleId": "CVE-2020-36327-bundler", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/python/dist-info/METADATA", - }, - { - "fullyQualifiedName": "", - "name": "/python/dist-info/top_level.txt", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//python/dist-info/METADATA", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", - }, - "ruleId": "CVE-2021-20270-Pygments", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/python/dist-info/METADATA", - }, - { - "fullyQualifiedName": "", - "name": "/python/dist-info/top_level.txt", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//python/dist-info/METADATA", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", - }, - "ruleId": "CVE-2021-27291-Pygments", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/ruby/specifications/bundler.gemspec", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//ruby/specifications/bundler.gemspec", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", - }, - "ruleId": "CVE-2021-43809-bundler", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/python/dist-info/METADATA", - }, - { - "fullyQualifiedName": "", - "name": "/python/dist-info/top_level.txt", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//python/dist-info/METADATA", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", - }, - "ruleId": "GHSA-9w8r-397f-prfh-Pygments", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/ruby/specifications/bundler.gemspec", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//ruby/specifications/bundler.gemspec", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", - }, - "ruleId": "GHSA-fj7f-vq84-fh43-bundler", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/ruby/specifications/bundler.gemspec", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//ruby/specifications/bundler.gemspec", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /ruby/specifications/bundler.gemspec reports bundler at version 2.1.4 which is a vulnerable (gem) package installed in the container", - }, - "ruleId": "GHSA-fp4w-jxhp-m23p-bundler", - }, - { - "locations": [ - { - "logicalLocations": [ - { - "fullyQualifiedName": "", - "name": "/python/dist-info/METADATA", - }, - { - "fullyQualifiedName": "", - "name": "/python/dist-info/top_level.txt", - }, - ], - "physicalLocation": { - "artifactLocation": { - "uri": "image//python/dist-info/METADATA", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path /python/dist-info/METADATA reports Pygments at version 2.6.1 which is a vulnerable (python) package installed in the container", - }, - "ruleId": "GHSA-pq64-v7f5-gqh8-Pygments", - }, - ], - "tool": { - "driver": { - "informationUri": "https://github.com/anchore/grype", - "name": "Grype", - "rules": [ - { - "fullDescription": { - "text": "Version 1.8.2 is affected with no fixes reported yet.", - }, - "help": { - "markdown": "**Vulnerability CVE-2011-3374** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| low | apt | 1.8.2 | | deb | /var/lib/dpkg/status | debian:distro:debian:8 | [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374) | -", - "text": "Vulnerability CVE-2011-3374 -Severity: low -Package: apt -Version: 1.8.2 -Fix Version: -Type: deb -Location: /var/lib/dpkg/status -Data Namespace: debian:distro:debian:8 -Link: [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2011-3374-apt", - "name": "DpkgMatcherExactDirectMatch", - "properties": { - "security-severity": "4.3", - }, - "shortDescription": { - "text": "CVE-2011-3374 low vulnerability for apt package", - }, - }, - { - "fullDescription": { - "text": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.", - }, - "help": { - "markdown": "**Vulnerability CVE-2020-36327** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | bundler | 2.1.4 | | gem | /ruby/specifications/bundler.gemspec | nvd:cpe | [CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327) | -", - "text": "Vulnerability CVE-2020-36327 -Severity: high -Package: bundler -Version: 2.1.4 -Fix Version: -Type: gem -Location: /ruby/specifications/bundler.gemspec -Data Namespace: nvd:cpe -Link: [CVE-2020-36327](https://nvd.nist.gov/vuln/detail/CVE-2020-36327)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2020-36327-bundler", - "name": "RubyGemMatcherCpeMatch", - "properties": { - "security-severity": "9.3", - }, - "shortDescription": { - "text": "CVE-2020-36327 high vulnerability for bundler package", - }, - }, - { - "fullDescription": { - "text": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.", - }, - "help": { - "markdown": "**Vulnerability CVE-2021-20270** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | Pygments | 2.6.1 | | python | /python/dist-info/METADATA | nvd:cpe | [CVE-2021-20270](https://nvd.nist.gov/vuln/detail/CVE-2021-20270) | -", - "text": "Vulnerability CVE-2021-20270 -Severity: high -Package: Pygments -Version: 2.6.1 -Fix Version: -Type: python -Location: /python/dist-info/METADATA -Data Namespace: nvd:cpe -Link: [CVE-2021-20270](https://nvd.nist.gov/vuln/detail/CVE-2021-20270)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2021-20270-Pygments", - "name": "PythonMatcherCpeMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2021-20270 high vulnerability for Pygments package", - }, - }, - { - "fullDescription": { - "text": "In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.", - }, - "help": { - "markdown": "**Vulnerability CVE-2021-27291** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | Pygments | 2.6.1 | | python | /python/dist-info/METADATA | nvd:cpe | [CVE-2021-27291](https://nvd.nist.gov/vuln/detail/CVE-2021-27291) | -", - "text": "Vulnerability CVE-2021-27291 -Severity: high -Package: Pygments -Version: 2.6.1 -Fix Version: -Type: python -Location: /python/dist-info/METADATA -Data Namespace: nvd:cpe -Link: [CVE-2021-27291](https://nvd.nist.gov/vuln/detail/CVE-2021-27291)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2021-27291-Pygments", - "name": "PythonMatcherCpeMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "CVE-2021-27291 high vulnerability for Pygments package", - }, - }, - { - "fullDescription": { - "text": "\`Bundler\` is a package for managing application dependencies in Ruby. In \`bundler\` versions before 2.2.33, when working with untrusted and apparently harmless \`Gemfile\`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the \`Gemfile\` itself. However, if the \`Gemfile\` includes \`gem\` entries that use the \`git\` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as \`git clone\`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (\`-\`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the \`Gemfile\` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a \`Gemfile\` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of \`-u./payload\`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as \`bundle lock\`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting \`--\` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred \`Gemfile\`'s before running any \`bundler\` commands that may read them, since they can contain arbitrary ruby code.", - }, - "help": { - "markdown": "**Vulnerability CVE-2021-43809** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | bundler | 2.1.4 | | gem | /ruby/specifications/bundler.gemspec | nvd:cpe | [CVE-2021-43809](https://nvd.nist.gov/vuln/detail/CVE-2021-43809) | -", - "text": "Vulnerability CVE-2021-43809 -Severity: high -Package: bundler -Version: 2.1.4 -Fix Version: -Type: gem -Location: /ruby/specifications/bundler.gemspec -Data Namespace: nvd:cpe -Link: [CVE-2021-43809](https://nvd.nist.gov/vuln/detail/CVE-2021-43809)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "CVE-2021-43809-bundler", - "name": "RubyGemMatcherCpeMatch", - "properties": { - "security-severity": "9.3", - }, - "shortDescription": { - "text": "CVE-2021-43809 high vulnerability for bundler package", - }, - }, - { - "fullDescription": { - "text": "Infinite Loop in Pygments", - }, - "help": { - "markdown": "**Vulnerability GHSA-9w8r-397f-prfh** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | Pygments | 2.6.1 | 2.7.4 | python | /python/dist-info/METADATA | github:language:python | [GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh) | -", - "text": "Vulnerability GHSA-9w8r-397f-prfh -Severity: high -Package: Pygments -Version: 2.6.1 -Fix Version: 2.7.4 -Type: python -Location: /python/dist-info/METADATA -Data Namespace: github:language:python -Link: [GHSA-9w8r-397f-prfh](https://github.com/advisories/GHSA-9w8r-397f-prfh)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-9w8r-397f-prfh-Pygments", - "name": "PythonMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "GHSA-9w8r-397f-prfh high vulnerability for Pygments package", - }, - }, - { - "fullDescription": { - "text": "Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.", - }, - "help": { - "markdown": "**Vulnerability GHSA-fj7f-vq84-fh43** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| medium | bundler | 2.1.4 | 2.2.33 | gem | /ruby/specifications/bundler.gemspec | github:language:ruby | [GHSA-fj7f-vq84-fh43](https://github.com/advisories/GHSA-fj7f-vq84-fh43) | -", - "text": "Vulnerability GHSA-fj7f-vq84-fh43 -Severity: medium -Package: bundler -Version: 2.1.4 -Fix Version: 2.2.33 -Type: gem -Location: /ruby/specifications/bundler.gemspec -Data Namespace: github:language:ruby -Link: [GHSA-fj7f-vq84-fh43](https://github.com/advisories/GHSA-fj7f-vq84-fh43)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-fj7f-vq84-fh43-bundler", - "name": "RubyGemMatcherExactDirectMatch", - "properties": { - "security-severity": "9.3", - }, - "shortDescription": { - "text": "GHSA-fj7f-vq84-fh43 medium vulnerability for bundler package", - }, - }, - { - "fullDescription": { - "text": "Dependency Confusion in Bundler", - }, - "help": { - "markdown": "**Vulnerability GHSA-fp4w-jxhp-m23p** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | bundler | 2.1.4 | 2.2.10 | gem | /ruby/specifications/bundler.gemspec | github:language:ruby | [GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p) | -", - "text": "Vulnerability GHSA-fp4w-jxhp-m23p -Severity: high -Package: bundler -Version: 2.1.4 -Fix Version: 2.2.10 -Type: gem -Location: /ruby/specifications/bundler.gemspec -Data Namespace: github:language:ruby -Link: [GHSA-fp4w-jxhp-m23p](https://github.com/advisories/GHSA-fp4w-jxhp-m23p)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-fp4w-jxhp-m23p-bundler", - "name": "RubyGemMatcherExactDirectMatch", - "properties": { - "security-severity": "9.3", - }, - "shortDescription": { - "text": "GHSA-fp4w-jxhp-m23p high vulnerability for bundler package", - }, - }, - { - "fullDescription": { - "text": "Regular Expression Denial of Service (ReDoS) in Pygments", - }, - "help": { - "markdown": "**Vulnerability GHSA-pq64-v7f5-gqh8** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | Pygments | 2.6.1 | 2.7.4 | python | /python/dist-info/METADATA | github:language:python | [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8) | -", - "text": "Vulnerability GHSA-pq64-v7f5-gqh8 -Severity: high -Package: Pygments -Version: 2.6.1 -Fix Version: 2.7.4 -Type: python -Location: /python/dist-info/METADATA -Data Namespace: github:language:python -Link: [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-pq64-v7f5-gqh8-Pygments", - "name": "PythonMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "GHSA-pq64-v7f5-gqh8 high vulnerability for Pygments package", - }, - }, - ], - "version": "", - }, - }, - }, - ], - "version": "2.1.0", -} -`; - -exports[`SARIF npm 1`] = ` -{ - "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", - "runs": [ - { - "results": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/npm-project/package-lock.json", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-3jfq-g458-7qm9-tar", - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/npm-project/package-lock.json", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-5955-9wpr-37jh-tar", - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/npm-project/package-lock.json", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-9r2w-394v-53qc-tar", - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/npm-project/package-lock.json", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-qq89-hq3f-393p-tar", - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/npm-project/package-lock.json", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-r628-mhmh-qjhw-tar", - }, - ], - "tool": { - "driver": { - "informationUri": "https://github.com/anchore/grype", - "name": "Grype", - "rules": [ - { - "fullDescription": { - "text": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", - }, - "help": { - "markdown": "**Vulnerability GHSA-3jfq-g458-7qm9** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.1 | npm | tests/fixtures/npm-project/package-lock.json | github:language:javascript | [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9) | -", - "text": "Vulnerability GHSA-3jfq-g458-7qm9 -Severity: high -Package: tar -Version: 6.1.0 -Fix Version: 6.1.1 -Type: npm -Location: tests/fixtures/npm-project/package-lock.json -Data Namespace: github:language:javascript -Link: [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-3jfq-g458-7qm9-tar", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "8.1", - }, - "shortDescription": { - "text": "GHSA-3jfq-g458-7qm9 high vulnerability for tar package", - }, - }, - { - "fullDescription": { - "text": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - }, - "help": { - "markdown": "**Vulnerability GHSA-5955-9wpr-37jh** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:language:javascript | [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh) | -", - "text": "Vulnerability GHSA-5955-9wpr-37jh -Severity: high -Package: tar -Version: 6.1.0 -Fix Version: 6.1.9 -Type: npm -Location: tests/fixtures/npm-project/package-lock.json -Data Namespace: github:language:javascript -Link: [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-5955-9wpr-37jh-tar", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "8.6", - }, - "shortDescription": { - "text": "GHSA-5955-9wpr-37jh high vulnerability for tar package", - }, - }, - { - "fullDescription": { - "text": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - }, - "help": { - "markdown": "**Vulnerability GHSA-9r2w-394v-53qc** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.7 | npm | tests/fixtures/npm-project/package-lock.json | github:language:javascript | [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc) | -", - "text": "Vulnerability GHSA-9r2w-394v-53qc -Severity: high -Package: tar -Version: 6.1.0 -Fix Version: 6.1.7 -Type: npm -Location: tests/fixtures/npm-project/package-lock.json -Data Namespace: github:language:javascript -Link: [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-9r2w-394v-53qc-tar", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "8.6", - }, - "shortDescription": { - "text": "GHSA-9r2w-394v-53qc high vulnerability for tar package", - }, - }, - { - "fullDescription": { - "text": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - }, - "help": { - "markdown": "**Vulnerability GHSA-qq89-hq3f-393p** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:language:javascript | [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p) | -", - "text": "Vulnerability GHSA-qq89-hq3f-393p -Severity: high -Package: tar -Version: 6.1.0 -Fix Version: 6.1.9 -Type: npm -Location: tests/fixtures/npm-project/package-lock.json -Data Namespace: github:language:javascript -Link: [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-qq89-hq3f-393p-tar", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "8.6", - }, - "shortDescription": { - "text": "GHSA-qq89-hq3f-393p high vulnerability for tar package", - }, - }, - { - "fullDescription": { - "text": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning", - }, - "help": { - "markdown": "**Vulnerability GHSA-r628-mhmh-qjhw** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.2 | npm | tests/fixtures/npm-project/package-lock.json | github:language:javascript | [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw) | -", - "text": "Vulnerability GHSA-r628-mhmh-qjhw -Severity: high -Package: tar -Version: 6.1.0 -Fix Version: 6.1.2 -Type: npm -Location: tests/fixtures/npm-project/package-lock.json -Data Namespace: github:language:javascript -Link: [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-r628-mhmh-qjhw-tar", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "8.1", - }, - "shortDescription": { - "text": "GHSA-r628-mhmh-qjhw high vulnerability for tar package", - }, - }, - ], - "version": "", - }, - }, - }, - ], - "version": "2.1.0", -} -`; - -exports[`SARIF yarn 1`] = ` -{ - "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", - "runs": [ - { - "results": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "tests/fixtures/yarn-project/yarn.lock", - }, - "region": { - "endColumn": 1, - "endLine": 1, - "startColumn": 1, - "startLine": 1, - }, - }, - }, - ], - "message": { - "text": "The path tests/fixtures/yarn-project/yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", - }, - "ruleId": "GHSA-w5p7-h5w8-2hfq-trim", - }, - ], - "tool": { - "driver": { - "informationUri": "https://github.com/anchore/grype", - "name": "Grype", - "rules": [ - { - "fullDescription": { - "text": "Regular Expression Denial of Service in trim", - }, - "help": { - "markdown": "**Vulnerability GHSA-w5p7-h5w8-2hfq** -| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | -| --- | --- | --- | --- | --- | --- | --- | --- | -| high | trim | 0.0.2 | 0.0.3 | npm | tests/fixtures/yarn-project/yarn.lock | github:language:javascript | [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq) | -", - "text": "Vulnerability GHSA-w5p7-h5w8-2hfq -Severity: high -Package: trim -Version: 0.0.2 -Fix Version: 0.0.3 -Type: npm -Location: tests/fixtures/yarn-project/yarn.lock -Data Namespace: github:language:javascript -Link: [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)", - }, - "helpUri": "https://github.com/anchore/grype", - "id": "GHSA-w5p7-h5w8-2hfq-trim", - "name": "JavascriptMatcherExactDirectMatch", - "properties": { - "security-severity": "7.5", - }, - "shortDescription": { - "text": "GHSA-w5p7-h5w8-2hfq high vulnerability for trim package", - }, - }, - ], - "version": "", - }, - }, - }, - ], - "version": "2.1.0", -} -`; diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js index 681c55c0..616ed5c1 100644 --- a/tests/sarif_output.test.js +++ b/tests/sarif_output.test.js @@ -64,7 +64,7 @@ describe("SARIF", () => { "localhost:5000/match-coverage/alpine:latest", ["CVE-2014-6051-libvncserver"] ); - expect(sarif).toMatchSnapshot(); + expect(sarif).toBeValidSarifLog(); }); it("centos", async () => { await testSource("localhost:5000/match-coverage/centos:latest", []); @@ -72,20 +72,20 @@ describe("SARIF", () => { it("debian", async () => { const sarif = await testSource( "localhost:5000/match-coverage/debian:latest", - ["CVE-2020-36327-bundler", "GHSA-9w8r-397f-prfh-Pygments"] + ["GHSA-9w8r-397f-prfh-Pygments"] ); - expect(sarif).toMatchSnapshot(); + expect(sarif).toBeValidSarifLog(); }); it("npm", async () => { const sarif = await testSource("dir:tests/fixtures/npm-project", [ "GHSA-3jfq-g458-7qm9-tar", ]); - expect(sarif).toMatchSnapshot(); + expect(sarif).toBeValidSarifLog(); }); it("yarn", async () => { const sarif = await testSource("dir:tests/fixtures/yarn-project", [ "GHSA-w5p7-h5w8-2hfq-trim", ]); - expect(sarif).toMatchSnapshot(); + expect(sarif).toBeValidSarifLog(); }); }); From 9df7dc7ac5dbce697e0df0cf001134176b67e244 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Fri, 17 Nov 2023 14:16:41 -0500 Subject: [PATCH 3/4] make cmd arg assertions aware of debug Signed-off-by: Will Murphy --- tests/grype_command.test.js | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js index 66f58299..cd1446b0 100644 --- a/tests/grype_command.test.js +++ b/tests/grype_command.test.js @@ -1,5 +1,6 @@ const githubActionsExec = require("@actions/exec"); const githubActionsToolCache = require("@actions/tool-cache"); +const core = require("@actions/core"); jest.setTimeout(30000); @@ -23,6 +24,8 @@ const mockExec = async (args) => { }; describe("Grype command", () => { + const cmdPrefix = core.isDebug() ? "grype -vv" : "grype"; + it("is invoked with dir", async () => { let cmd = await mockExec({ source: "dir:.", @@ -35,7 +38,7 @@ describe("Grype command", () => { addCpesIfNone: "false", byCve: "false", }); - expect(cmd).toBe("grype -o sarif --fail-on high dir:."); + expect(cmd).toBe(`${cmdPrefix} -o sarif --fail-on high dir:.`); }); it("is invoked with values", async () => { @@ -49,7 +52,7 @@ describe("Grype command", () => { addCpesIfNone: "false", byCve: "false", }); - expect(cmd).toBe("grype -o json --fail-on low asdf"); + expect(cmd).toBe(`${cmdPrefix} -o json --fail-on low asdf`); }); it("adds missing CPEs if requested", async () => { @@ -63,6 +66,8 @@ describe("Grype command", () => { addCpesIfNone: "true", byCve: "false", }); - expect(cmd).toBe("grype -o json --fail-on low --add-cpes-if-none asdf"); + expect(cmd).toBe( + `${cmdPrefix} -o json --fail-on low --add-cpes-if-none asdf` + ); }); }); From baf0dbcc6b94a4544ff124a72b7cd04598098bdb Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Fri, 17 Nov 2023 14:30:37 -0500 Subject: [PATCH 4/4] put bundler vuln back from GHSA Signed-off-by: Will Murphy --- tests/sarif_output.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js index 616ed5c1..94ec33d0 100644 --- a/tests/sarif_output.test.js +++ b/tests/sarif_output.test.js @@ -72,7 +72,7 @@ describe("SARIF", () => { it("debian", async () => { const sarif = await testSource( "localhost:5000/match-coverage/debian:latest", - ["GHSA-9w8r-397f-prfh-Pygments"] + ["GHSA-fp4w-jxhp-m23p-bundler", "GHSA-9w8r-397f-prfh-Pygments"] ); expect(sarif).toBeValidSarifLog(); });