2ebf2010b7
* Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
{"meta": {"code": 200}, "results": {"components": [{"extended-objects": [{"confidence": 0.6100244498777506, "sha1": "1f774a90da1d4d8734c4bda586f8a8c7f23c4952", "name": "busybox", "timestamp": 1513075346, "binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "bin/busybox"], "type": "native"}], "objects": ["busybox"], "version": "1.27.2-r7", "lib": "busybox", "distro_version": "1.27.2-r7", "distro": "alpine", "latest_version": null, "vuln-count": {"total": 12, "exact": 0, "historical": 12}, "vulns": [{"vuln": {"cve": "CVE-2017-15873", "summary": "The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.", "cvss": 4.3, "published": "2017-10-24T20:29:00", "modified": "2017-10-31T21:49:10", "published-epoch": "1508876940", "modified-epoch": "1509486550", "cwe": "CWE-190", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "MEDIUM", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-10-29T23:04:34", "cvss_created-epoch": "1509318274", "cvss2_vector": "AV:N/AC:M/Au:N:/C:N/I:N/A:P", "cvss3_vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cvss3_score": "5.5"}, "exact": false, "invalidation": {"reason": "Vendor patched", "reason_text": "Distribution vendor has backported the fix for this vulnerability", "type": "distro-backport"}}, {"vuln": {"cve": "CVE-2017-15874", "summary": "archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.", "cvss": 4.3, "published": "2017-10-24T20:29:00", "modified": "2017-10-31T21:48:48", "published-epoch": "1508876940", "modified-epoch": "1509486528", "cwe": "CWE-191", "cvss_access_vector": "NETWORK", 
"cvss_access_complexity": "MEDIUM", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-10-29T23:10:36", "cvss_created-epoch": "1509318636", "cvss2_vector": "AV:N/AC:M/Au:N:/C:N/I:N/A:P", "cvss3_vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cvss3_score": "5.5"}, "exact": false, "invalidation": {"reason": "Vendor patched", "reason_text": "Distribution vendor has backported the fix for this vulnerability", "type": "distro-backport"}}, {"vuln": {"cve": "CVE-2017-16544", "summary": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.", "cvss": 6.5, "published": "2017-11-20T15:29:00", "modified": "2017-12-08T15:42:37", "published-epoch": "1511191740", "modified-epoch": "1512747757", "cwe": "CWE-94", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "SINGLE_INSTANCE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-12-06T13:55:21", "cvss_created-epoch": "1512568521", "cvss2_vector": "AV:N/AC:L/Au:S:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "8.8"}, "exact": false, "invalidation": {"reason": "Vendor patched", "reason_text": "Distribution vendor has backported the fix for this vulnerability", "type": "distro-backport"}}, {"vuln": {"cve": "CVE-2011-2716", "summary": "The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) 
DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.", "cvss": 6.8, "published": "2012-07-03T16:40:30", "modified": "2016-06-30T15:42:51", "published-epoch": "1341333630", "modified-epoch": "1467301371", "cwe": "CWE-20", "cvss_access_vector": "ADJACENT_NETWORK", "cvss_access_complexity": "HIGH", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "COMPLETE", "cvss_integrity_impact": "COMPLETE", "cvss_availability_impact": "COMPLETE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2016-06-30T15:11:11", "cvss_created-epoch": "1467299471", "cvss2_vector": "AV:A/AC:H/Au:N:/C:C/I:C/A:C", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2006-1058", "summary": "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.", "cvss": 2.1, "published": "2006-04-04T10:04:00", "modified": "2017-10-11T01:30:40", "published-epoch": "1144145040", "modified-epoch": "1507685440", "cwe": null, "cvss_access_vector": "LOCAL", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "NONE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2006-04-04T11:57:00", "cvss_created-epoch": "1144151820", "cvss2_vector": "AV:L/AC:L/Au:N:/C:P/I:N/A:N", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2011-5325", "summary": "Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.", "cvss": 5.0, "published": "2017-08-07T17:29:00", "modified": "2017-08-15T16:40:38", "published-epoch": "1502126940", "modified-epoch": "1502815238", "cwe": "CWE-22", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": 
"NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "NONE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-08-14T14:35:15", "cvss_created-epoch": "1502721315", "cvss2_vector": "AV:N/AC:L/Au:N:/C:N/I:P/A:N", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "cvss3_score": "7.5"}, "exact": false}, {"vuln": {"cve": "CVE-2016-6301", "summary": "The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.", "cvss": 7.8, "published": "2016-12-09T20:59:01", "modified": "2017-11-29T15:48:36", "published-epoch": "1481317141", "modified-epoch": "1511970516", "cwe": "CWE-399", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "COMPLETE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-11-27T19:40:07", "cvss_created-epoch": "1511811607", "cvss2_vector": "AV:N/AC:L/Au:N:/C:N/I:N/A:C", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}, "exact": false}, {"vuln": {"cve": "CVE-2013-1813", "summary": "util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.", "cvss": 7.2, "published": "2013-11-23T11:55:04", "modified": "2016-06-30T15:53:37", "published-epoch": "1385207704", "modified-epoch": "1467302017", "cwe": "CWE-264", "cvss_access_vector": "LOCAL", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "COMPLETE", "cvss_integrity_impact": "COMPLETE", "cvss_availability_impact": "COMPLETE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2016-06-30T15:11:38", 
"cvss_created-epoch": "1467299498", "cvss2_vector": "AV:L/AC:L/Au:N:/C:C/I:C/A:C", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2016-2148", "summary": "Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.", "cvss": 7.5, "published": "2017-02-09T15:59:00", "modified": "2017-07-01T01:29:37", "published-epoch": "1486655940", "modified-epoch": "1498872577", "cwe": "CWE-119", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-02-15T03:06:24", "cvss_created-epoch": "1487127984", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "9.8"}, "exact": false}, {"vuln": {"cve": "CVE-2016-2147", "summary": "Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.", "cvss": 5.0, "published": "2017-02-09T15:59:00", "modified": "2017-07-01T01:29:37", "published-epoch": "1486655940", "modified-epoch": "1498872577", "cwe": "CWE-190", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-02-15T03:03:55", "cvss_created-epoch": "1487127835", "cvss2_vector": "AV:N/AC:L/Au:N:/C:N/I:N/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}, "exact": false}, {"vuln": {"cve": "CVE-2006-5050", "summary": "Directory traversal vulnerability in httpd in Rob 
Landley BusyBox allows remote attackers to read arbitrary files via URL-encoded \"%2e%2e/\" sequences in the URI.", "cvss": 5.0, "published": "2006-09-27T23:07:00", "modified": "2008-09-05T21:11:14", "published-epoch": "1159398420", "modified-epoch": "1220649074", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "NONE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2006-09-28T18:27:00", "cvss_created-epoch": "1159468020", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:N/A:N", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2014-9645", "summary": "The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an \"ifconfig /usbserial up\" command or a \"mount -t /snd_pcm none /\" command.", "cvss": 2.1, "published": "2017-03-12T06:59:00", "modified": "2017-07-01T01:29:09", "published-epoch": "1489301940", "modified-epoch": "1498872549", "cwe": "CWE-20", "cvss_access_vector": "LOCAL", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "NONE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-03-13T17:57:13", "cvss_created-epoch": "1489427833", "cvss2_vector": "AV:L/AC:L/Au:N:/C:N/I:P/A:N", "cvss3_vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "cvss3_score": "5.5"}, "exact": false}], "tags": ["system"], "homepage": "http://www.busybox.net/", "short_version": "1.27.2-r7", "latest_cmp": null, "url": null, "codetype": "Native", "coverity_scan": {"name": "busybox", "language": "C/C++", "id": 19, "homepage_url": "https://busybox.net/", "details": {"loc": 196857, "defect_density": {"comparison": 0.5, 
"over_time": [null], "score": 2.97, "verdict": "high", "loc_range": "100,000 to 499,999"}, "build_date": "2015-11-12", "project_url": "https://scan.coverity.com/projects/busybox", "version": null, "cwe": [{"name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "defect_count": 14, "id": 120, "rank": 3, "uri": "http://cwe.mitre.org/top25/#CWE-120"}, {"name": "Integer Overflow or Wraparound", "defect_count": 10, "id": 190, "rank": 24, "uri": "http://cwe.mitre.org/top25/#CWE-190"}, {"name": "Use of Potentially Dangerous Function", "defect_count": 12, "id": 676, "rank": 18, "uri": "http://cwe.mitre.org/top25/#CWE-676"}]}, "repo_url": "https://git.busybox.net/busybox/", "slug": "busybox", "mapped-name": "busybox"}}, {"extended-objects": [{"confidence": 0.6799387442572741, "sha1": "8fd1e881791034e9cd097ea2afe9cc3bc23da8c2", "name": "libssl.so.44.0.1", "timestamp": 1510257703, "binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "lib/libssl.so.44.0.1"], "type": "native", "source-match": "libssl"}, {"confidence": 0.7921044253422477, "sha1": "bb6944297fab37c9609d451ea2dc99884d2b93fb", "name": "libcrypto.so.42.0.0", "timestamp": 1510257703, "binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "lib/libcrypto.so.42.0.0"], "type": "native"}], "objects": ["libssl.so.44.0.1", "libcrypto.so.42.0.0"], "version": "2.6.3-r0", "lib": "libressl", "distro_version": "2.6.3-r0", "distro": "alpine", "latest_version": null, "vuln-count": {"total": 2, "exact": 0, "historical": 2}, "vulns": [{"vuln": {"cve": "CVE-2017-8301", "summary": "LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification 
callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.", "cvss": 2.6, "published": "2017-04-27T17:59:00", "modified": "2017-05-10T16:49:58", "published-epoch": "1493315940", "modified-epoch": "1494434998", "cwe": "CWE-254", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "HIGH", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "NONE", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-05-10T02:12:29", "cvss_created-epoch": "1494382349", "cvss2_vector": "AV:N/AC:H/Au:N:/C:N/I:P/A:N", "cvss3_vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "cvss3_score": "5.3"}, "exact": false}, {"vuln": {"cve": "CVE-2014-9424", "summary": "Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a certain length-verification error during processing of a DTLS handshake.", "cvss": 7.5, "published": "2014-12-29T00:59:01", "modified": "2014-12-30T15:35:22", "published-epoch": "1419814741", "modified-epoch": "1419953722", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2014-12-30T15:00:31", "cvss_created-epoch": "1419951631", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}], "tags": ["crypto", "protocol"], "short_version": "2.6.3-r0", "latest_cmp": null, "homepage": null, "url": null, "codetype": "Native", "coverity_scan": null}, {"extended-objects": [{"confidence": 0.967391304347826, "sha1": "c67dff6bb8d4b62d1506a7facce301be561f3f4d", "name": "ld-musl-x86_64.so.1", "timestamp": 1510953106, "binary-type": 
"elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "lib/ld-musl-x86_64.so.1"], "type": "native"}], "objects": ["ld-musl-x86_64.so.1"], "version": "1.1.18-r2", "lib": "musl", "distro_version": "1.1.18-r2", "distro": "alpine", "latest_version": null, "vuln-count": {"total": 4, "exact": 0, "historical": 4}, "vulns": [{"vuln": {"cve": "CVE-2016-8859", "summary": "Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write.", "cvss": 7.5, "published": "2017-02-13T18:59:00", "modified": "2017-07-01T01:30:11", "published-epoch": "1487012340", "modified-epoch": "1498872611", "cwe": "CWE-190", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-03-03T15:57:08", "cvss_created-epoch": "1488556628", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "9.8"}, "exact": false}, {"vuln": {"cve": "CVE-2017-15650", "summary": "musl libc before 1.1.17 has a buffer overflow via crafted DNS replies because dns_parse_callback in network/lookup_name.c does not restrict the number of addresses, and thus an attacker can provide an unexpected number by sending A records in a reply to an AAAA query.", "cvss": 5.0, "published": "2017-10-19T23:29:00", "modified": "2017-11-08T16:21:30", "published-epoch": "1508455740", "modified-epoch": "1510158090", "cwe": "CWE-119", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", 
"cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-11-07T18:12:12", "cvss_created-epoch": "1510078332", "cvss2_vector": "AV:N/AC:L/Au:N:/C:N/I:N/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}, "exact": false}, {"vuln": {"cve": "CVE-2012-2114", "summary": "Stack-based buffer overflow in fprintf in musl before 0.8.8 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string to an unbuffered stream such as stderr.", "cvss": 7.5, "published": "2012-08-31T22:55:01", "modified": "2012-12-19T04:52:43", "published-epoch": "1346453701", "modified-epoch": "1355892763", "cwe": "CWE-119", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2012-09-03T18:39:00", "cvss_created-epoch": "1346697540", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2015-1817", "summary": "Stack-based buffer overflow in the inet_pton function in network/inet_pton.c in musl libc 0.9.15 through 1.0.4, and 1.1.0 through 1.1.7 allows attackers to have unspecified impact via unknown vectors.", "cvss": 7.5, "published": "2017-08-18T16:29:00", "modified": "2017-08-29T14:04:14", "published-epoch": "1503073740", "modified-epoch": "1504015454", "cwe": "CWE-119", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-08-28T20:12:45", "cvss_created-epoch": "1503951165", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"cvss3_score": "9.8"}, "exact": false}], "tags": ["framework"], "short_version": "1.1.18-r2", "latest_cmp": null, "homepage": null, "url": null, "codetype": "Native", "coverity_scan": null}, {"extended-objects": [{"confidence": 0.9782608695652174, "sha1": "6f7ca1f52820a319587eafaa32c3b97f3bb1b8cb", "name": "scanelf", "timestamp": 1509459679, "binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "usr/bin/scanelf"], "type": "native"}], "objects": ["scanelf"], "version": "1.2.2-r1", "lib": "pax-utils", "distro_version": "1.2.2-r1", "distro": "alpine", "latest_version": null, "vuln-count": {"total": 0, "exact": 0, "historical": 0}, "vulns": [], "tags": ["parser", "security", "utility"], "short_version": "1.2.2-r1", "latest_cmp": null, "homepage": null, "url": null, "codetype": "Native", "coverity_scan": null}, {"extended-objects": [{"confidence": 0.8333333333333334, "sha1": "c67dff6bb8d4b62d1506a7facce301be561f3f4d", "name": "ld-musl-x86_64.so.1", "timestamp": 1510953106, "binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "lib/ld-musl-x86_64.so.1"], "type": "native"}], "objects": ["ld-musl-x86_64.so.1"], "version": "1.1.18", "lib": "tre", "distro_version": "1.1.18", "distro": "alpine", "latest_version": "0.8.0", "vuln-count": {"total": 0, "exact": 0, "historical": 0}, "vulns": [], "tags": ["regexp"], "homepage": "https://laurikari.net/tre/", "upstream-source": "https://laurikari.net/tre/tre-0.8.0.tar.bz2", "latest-version": "0.8.0", "short_version": "1.1.18", "latest_cmp": true, "url": "https://laurikari.net/tre/tre-0.8.0.tar.bz2", "codetype": "Native", "coverity_scan": null}, {"extended-objects": [{"confidence": 0.9, "sha1": "b6632b194765f9367824efe8a4ba4a11af71c53a", "name": "libz.so.1.2.11", "timestamp": 1509456391, 
"binary-type": "elf-shared-x86_64", "matching-method": "signature", "fullpath": ["tini_mini.tar", "498654318d0999ce36c7b90901ed8bd8cb63d86837cb101ea1ec9bb092f44e59/layer.tar", "lib/libz.so.1.2.11"], "type": "native"}], "objects": ["libz.so.1.2.11"], "version": "1.2.11-r1", "lib": "zlib", "distro_version": "1.2.11-r1", "distro": "alpine", "cpe": ["cpe:/a:gnu:zlib:1.2.11-r1"], "latest_version": "1.2.11", "vuln-count": {"total": 9, "exact": 0, "historical": 9}, "vulns": [{"vuln": {"cve": "CVE-2016-9841", "summary": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cvss": 7.5, "published": "2017-05-23T04:29:01", "modified": "2018-01-05T02:31:24", "published-epoch": "1495513741", "modified-epoch": "1515119484", "cwe": "CWE-189", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-05-30T17:04:11", "cvss_created-epoch": "1496163851", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "9.8"}, "exact": false}, {"vuln": {"cve": "CVE-2016-9840", "summary": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cvss": 6.8, "published": "2017-05-23T04:29:01", "modified": "2018-01-05T02:31:24", "published-epoch": "1495513741", "modified-epoch": "1515119484", "cwe": "CWE-189", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "MEDIUM", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-05-30T17:01:03", "cvss_created-epoch": "1496163663", "cvss2_vector": 
"AV:N/AC:M/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "8.8"}, "exact": false}, {"vuln": {"cve": "CVE-2004-0797", "summary": "The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).", "cvss": 2.1, "published": "2004-10-20T04:00:00", "modified": "2017-07-11T01:30:28", "published-epoch": "1098244800", "modified-epoch": "1499736628", "cwe": null, "cvss_access_vector": "LOCAL", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2004-01-01T05:00:00", "cvss_created-epoch": "1072933200", "cvss2_vector": "AV:L/AC:L/Au:N:/C:N/I:N/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2016-9842", "summary": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.", "cvss": 6.8, "published": "2017-05-23T04:29:01", "modified": "2018-01-05T02:31:24", "published-epoch": "1495513741", "modified-epoch": "1515119484", "cwe": "CWE-189", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "MEDIUM", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-05-30T17:04:28", "cvss_created-epoch": "1496163868", "cvss2_vector": "AV:N/AC:M/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "8.8"}, "exact": false}, {"vuln": {"cve": "CVE-2005-2096", "summary": "zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description 
of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.", "cvss": 7.5, "published": "2005-07-06T04:00:00", "modified": "2017-07-11T01:32:46", "published-epoch": "1120622400", "modified-epoch": "1499736766", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2005-07-07T14:15:00", "cvss_created-epoch": "1120745700", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2002-0059", "summary": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.", "cvss": 7.5, "published": "2002-03-15T05:00:00", "modified": "2008-09-10T19:11:10", "published-epoch": "1016168400", "modified-epoch": "1221073870", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2004-01-01T05:00:00", "cvss_created-epoch": "1072933200", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2016-9843", "summary": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", "cvss": 7.5, "published": "2017-05-23T04:29:01", "modified": "2018-01-05T02:31:24", "published-epoch": "1495513741", "modified-epoch": 
"1515119484", "cwe": "CWE-189", "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2017-05-30T17:04:51", "cvss_created-epoch": "1496163891", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "9.8"}, "exact": false}, {"vuln": {"cve": "CVE-2003-0107", "summary": "Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.", "cvss": 7.5, "published": "2003-03-07T05:00:00", "modified": "2017-01-03T02:59:00", "published-epoch": "1047013200", "modified-epoch": "1483412340", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "PARTIAL", "cvss_integrity_impact": "PARTIAL", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", "cvss_created": "2004-01-01T05:00:00", "cvss_created-epoch": "1072933200", "cvss2_vector": "AV:N/AC:L/Au:N:/C:P/I:P/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}, {"vuln": {"cve": "CVE-2005-1849", "summary": "inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.", "cvss": 5.0, "published": "2005-07-26T04:00:00", "modified": "2017-10-11T01:30:10", "published-epoch": "1122350400", "modified-epoch": "1507685410", "cwe": null, "cvss_access_vector": "NETWORK", "cvss_access_complexity": "LOW", "cvss_authentication": "NONE", "cvss_confidentiality_impact": "NONE", "cvss_integrity_impact": "NONE", "cvss_availability_impact": "PARTIAL", "cvss_source": "http://nvd.nist.gov", 
"cvss_created": "2005-07-27T20:25:00", "cvss_created-epoch": "1122495900", "cvss2_vector": "AV:N/AC:L/Au:N:/C:N/I:N/A:P", "cvss3_vector": null, "cvss3_score": "0"}, "exact": false}], "tags": ["compression"], "homepage": "https://zlib.net/", "upstream-source": "https://zlib.net/zlib-1.2.11.tar.gz", "latest-version": "1.2.11", "short_version": "1.2.11-r1", "latest_cmp": true, "url": "https://zlib.net/zlib-1.2.11.tar.gz", "codetype": "Native", "coverity_scan": {"name": "zlib", "language": "C/C++", "id": 256, "homepage_url": null, "details": {"loc": 27341, "defect_density": {"comparison": 0.35, "over_time": [null], "score": 0.11, "verdict": "low", "loc_range": "less than 100,000"}, "build_date": "2015-09-22", "project_url": "https://scan.coverity.com/projects/zlib", "version": "1.2.8", "cwe": []}, "repo_url": null, "slug": "zlib", "mapped-name": "zlib"}}], "summary": {"vuln-count": {"exact": 0, "historical": 29}, "verdict": {"short": "Pass", "detailed": "No known vulnerabilities were found during the scan."}}, "status": "R", "sha1sum": "6498230e910f7c295a60ebae318b6aad25ac3db6", "id": 4490, "product_id": 4490, "report_url": "https://protecode.mo.sap.corp/products/4490/", "filename": "tini_mini.tar", "rescan-possible": false, "stale": false, "custom_data": {}, "last_updated": "2018-03-06T09:40:34", "details": {"metadata": null, "flagged": {}, "filetypes": {"POSIX tar archive (GNU)": 2, "POSIX shell script": 18, "POSIX tar archive": 4, "UTF-8 Unicode text": 2, "timezone data": 1, "ELF 64-bit LSB shared object": 13, "ASCII text": 56, "empty": 1}, "errors": []}}} |