aquasecurity-trivy/integration/testdata/gomod-vex.json.golden

{
  "SchemaVersion": 2,
  "ReportID": "3ff14136-e09f-4df9-80ea-000000000002",
  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
  "ArtifactName": "testdata/fixtures/repo/gomod",
  "ArtifactType": "repository",
  "Results": [
    {
      "Target": "go.mod",
      "Class": "lang-pkgs",
      "Type": "gomod",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
            "PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
            "UID": "782e16d5a74c9fa6"
          },
          "InstalledVersion": "v2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
          "Status": "fixed",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Title": "OCI Manifest Type Confusion Issue",
          "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
            "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/opencontainers/image-spec/pull/411"
          ]
        },
        {
          "VulnerabilityID": "CVE-2021-38561",
          "PkgID": "golang.org/x/text@v0.3.6",
          "PkgName": "golang.org/x/text",
          "PkgIdentifier": {
            "PURL": "pkg:golang/golang.org/x/text@v0.3.6",
            "UID": "9c987ed7494d95be"
          },
          "InstalledVersion": "v0.3.6",
          "FixedVersion": "0.3.7",
          "Status": "fixed",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38561",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Description": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse\nto panic via an out of bounds read. If Parse is used to process untrusted user inputs,\nthis may be used as a vector for a denial of service attack.\n",
          "Severity": "UNKNOWN",
          "References": [
            "https://go-review.googlesource.com/c/text/+/340830",
            "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f",
            "https://pkg.go.dev/vuln/GO-2021-0113"
          ]
        }
      ]
    },
    {
      "Target": "submod/go.mod",
      "Class": "lang-pkgs",
      "Type": "gomod",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
            "PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
            "UID": "97673687db393443"
          },
          "InstalledVersion": "v2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
          "Status": "fixed",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Title": "OCI Manifest Type Confusion Issue",
          "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
            "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/opencontainers/image-spec/pull/411"
          ]
        }
      ]
    },
    {
      "Target": "submod2/go.mod",
      "Class": "lang-pkgs",
      "Type": "gomod",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
          "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
          "PkgName": "github.com/docker/distribution",
          "PkgIdentifier": {
            "PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
            "UID": "48e3a06649df4bd4"
          },
          "InstalledVersion": "v2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
          "Status": "fixed",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Title": "OCI Manifest Type Confusion Issue",
          "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
            "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/opencontainers/image-spec/pull/411"
          ]
        }
      ]
    }
  ]
}