mirror of
https://github.com/aquasecurity/trivy.git
synced 2026-01-31 13:53:14 +08:00
b6d5b82c48
* feat: add comparer * refactor: rename lang with ecosystem * feat(bundler): add comparer * feat(node): add comparer * feat(bundler): integrate comparer * feat(cargo): integrate comparer * feat(composer): add comparer * feat(ghsa): integrate comparer * feat(node): integrate comparer * feat(python): integrate comparer * test(bundler): add tests * test(cargo): add tests * test(composer): add tests * test(ghsa): add tests * test(node): add tests * test(python): add tests * refactor(utils): remove unnecessary functions * test(utils): add tests * test: rename bucket prefixes * fix(detect): use string * chore: update dependencies * docs: add comments * fix(cargo): handle unpatched vulnerability * test(db): update trivy-db for integration tests * test(integration): update a golden file * test(cargo): Add a case for missing patched version Signed-off-by: Simarpreet Singh <simar@linux.com> * refactor(advisory): update comments * refactor(node/advisory): change the receiver * chore(mod): update dependencies * refactor(comparer): unexport MatchVersion * refactor: fix maligned structs * test(node): add empty value * refactor * refactor: sort imports * chore(mod): update trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>
127 lines
6.7 KiB
Plaintext
127 lines
6.7 KiB
Plaintext
[
|
|
{
|
|
"Target": "Cargo.lock",
|
|
"Type": "cargo",
|
|
"Vulnerabilities": [
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2019-0001",
|
|
"PkgName": "ammonia",
|
|
"InstalledVersion": "1.9.0",
|
|
"FixedVersion": "\u003e= 2.1.0",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
|
|
"Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2016-0001",
|
|
"PkgName": "openssl",
|
|
"InstalledVersion": "0.8.3",
|
|
"FixedVersion": "\u003e= 0.9.0",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "SSL/TLS MitM vulnerability due to insecure defaults",
|
|
"Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2019-0035",
|
|
"PkgName": "rand_core",
|
|
"InstalledVersion": "0.3.1",
|
|
"FixedVersion": "\u003e= 0.4.2",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "Unaligned memory access",
|
|
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2019-0035",
|
|
"PkgName": "rand_core",
|
|
"InstalledVersion": "0.4.0",
|
|
"FixedVersion": "\u003e= 0.4.2",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "Unaligned memory access",
|
|
"Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2018-0018",
|
|
"PkgName": "smallvec",
|
|
"InstalledVersion": "0.6.9",
|
|
"FixedVersion": "\u003e= 0.6.13",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "smallvec creates uninitialized value of any type",
|
|
"Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/servo/rust-smallvec/issues/126"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2019-0009",
|
|
"PkgName": "smallvec",
|
|
"InstalledVersion": "0.6.9",
|
|
"FixedVersion": "\u003e= 0.6.10",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "Double-free and use-after-free in SmallVec::grow()",
|
|
"Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/servo/rust-smallvec/issues/148"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2019-0012",
|
|
"PkgName": "smallvec",
|
|
"InstalledVersion": "0.6.9",
|
|
"FixedVersion": "\u003e= 0.6.10",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "Memory corruption in SmallVec::grow()",
|
|
"Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/servo/rust-smallvec/issues/149"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "RUSTSEC-2018-0017",
|
|
"PkgName": "tempdir",
|
|
"InstalledVersion": "0.3.7",
|
|
"Layer": {
|
|
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
|
|
},
|
|
"Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
|
|
"Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
|
|
"Severity": "UNKNOWN",
|
|
"References": [
|
|
"https://github.com/rust-lang-deprecated/tempdir/pull/46"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
] |