issue 362 a base snyk producer that supports snyk docker
northdpole committed Sep 19, 2024
1 parent 68faead commit 7cb559a
Showing 6 changed files with 1,244 additions and 0 deletions.
@@ -0,0 +1,339 @@
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Snyk Container",
"semanticVersion": "1.1293.1",
"version": "1.1293.1",
"informationUri": "https://docs.snyk.io/",
"properties": {
"artifactsScanned": 91
},
"rules": [
{
"id": "SNYK-UBUNTU2404-COREUTILS-6727355",
"shortDescription": {
"text": "Low severity - Improper Input Validation vulnerability in coreutils"
},
"fullDescription": {
"text": "(CVE-2016-2781) [email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `coreutils` package and not the `coreutils` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\n## Remediation\nThere is no fixed version for `Ubuntu:24.04` `coreutils`.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781)\n- [https://security-tracker.debian.org/tracker/CVE-2016-2781](https://security-tracker.debian.org/tracker/CVE-2016-2781)\n- [https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E)\n- [http://www.openwall.com/lists/oss-security/2016/02/28/2](http://www.openwall.com/lists/oss-security/2016/02/28/2)\n- [http://www.openwall.com/lists/oss-security/2016/02/28/3](http://www.openwall.com/lists/oss-security/2016/02/28/3)\n- [https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"CWE-20",
"deb"
],
"cvssv3_baseScore": 6.5,
"security-severity": "6.5"
}
},
{
"id": "SNYK-UBUNTU2404-GLIBC-6727419",
"shortDescription": {
"text": "Low severity - Allocation of Resources Without Limits or Throttling vulnerability in glibc"
},
"fullDescription": {
"text": "(CVE-2016-20013) glibc/[email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nsha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.\n## Remediation\nThere is no fixed version for `Ubuntu:24.04` `glibc`.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013)\n- [https://akkadia.org/drepper/SHA-crypt.txt](https://akkadia.org/drepper/SHA-crypt.txt)\n- [https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/](https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/)\n- [https://twitter.com/solardiz/status/795601240151457793](https://twitter.com/solardiz/status/795601240151457793)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"CWE-770",
"deb"
],
"cvssv3_baseScore": 7.5,
"security-severity": "7.5"
}
},
{
"id": "SNYK-UBUNTU2404-GNUPG2-6702792",
"shortDescription": {
"text": "Low severity - Out-of-bounds Write vulnerability in gnupg2"
},
"fullDescription": {
"text": "(CVE-2022-3219) gnupg2/[email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gnupg2` package and not the `gnupg2` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nGnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.\n## Remediation\nThere is no fixed version for `Ubuntu:24.04` `gnupg2`.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219)\n- [https://access.redhat.com/security/cve/CVE-2022-3219](https://access.redhat.com/security/cve/CVE-2022-3219)\n- [https://bugzilla.redhat.com/show_bug.cgi?id=2127010](https://bugzilla.redhat.com/show_bug.cgi?id=2127010)\n- [https://dev.gnupg.org/D556](https://dev.gnupg.org/D556)\n- [https://dev.gnupg.org/T5993](https://dev.gnupg.org/T5993)\n- [https://marc.info/?l=oss-security&m=165696590211434&w=4](https://marc.info/?l=oss-security&m=165696590211434&w=4)\n- [https://security.netapp.com/advisory/ntap-20230324-0001/](https://security.netapp.com/advisory/ntap-20230324-0001/)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"CWE-787",
"deb"
],
"cvssv3_baseScore": 3.3,
"security-severity": "3.3"
}
},
{
"id": "SNYK-UBUNTU2404-LIBGCRYPT20-6693674",
"shortDescription": {
"text": "Medium severity - Information Exposure vulnerability in libgcrypt20"
},
"fullDescription": {
"text": "(CVE-2024-2236) [email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libgcrypt20` package and not the `libgcrypt20` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nA timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.\n## Remediation\nThere is no fixed version for `Ubuntu:24.04` `libgcrypt20`.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236)\n- [https://access.redhat.com/security/cve/CVE-2024-2236](https://access.redhat.com/security/cve/CVE-2024-2236)\n- [https://bugzilla.redhat.com/show_bug.cgi?id=2268268](https://bugzilla.redhat.com/show_bug.cgi?id=2268268)\n- [https://bugzilla.redhat.com/show_bug.cgi?id=2245218](https://bugzilla.redhat.com/show_bug.cgi?id=2245218)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"CWE-208",
"deb"
],
"cvssv3_baseScore": null,
"security-severity": "null"
}
},
{
"id": "SNYK-UBUNTU2404-OPENSSL-7838291",
"shortDescription": {
"text": "Medium severity - CVE-2024-41996 vulnerability in openssl"
},
"fullDescription": {
"text": "(CVE-2024-41996) openssl/[email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nValidating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.\n## Remediation\nThere is no fixed version for `Ubuntu:24.04` `openssl`.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996)\n- [https://dheatattack.gitlab.io/details/](https://dheatattack.gitlab.io/details/)\n- [https://dheatattack.gitlab.io/faq/](https://dheatattack.gitlab.io/faq/)\n- [https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1](https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"deb"
],
"cvssv3_baseScore": null,
"security-severity": "null"
}
},
{
"id": "SNYK-UBUNTU2404-OPENSSL-7886358",
"shortDescription": {
"text": "Medium severity - CVE-2024-6119 vulnerability in openssl"
},
"fullDescription": {
"text": "(CVE-2024-6119) openssl/[email protected]"
},
"help": {
"text": "",
"markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Ubuntu`._\n_See `How to fix?` for `Ubuntu:24.04` relevant fixed versions and status._\n\nIssue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n## Remediation\nUpgrade `Ubuntu:24.04` `openssl` to version 3.0.13-0ubuntu3.4 or higher.\n## References\n- [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-6119](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-6119)\n- [https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f](https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f)\n- [https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6](https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6)\n- [https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2](https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2)\n- [https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0](https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0)\n- [https://openssl-library.org/news/secadv/20240903.txt](https://openssl-library.org/news/secadv/20240903.txt)\n"
},
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"deb"
],
"cvssv3_baseScore": null,
"security-severity": "null"
}
}
]
}
},
"results": [
{
"ruleId": "SNYK-UBUNTU2404-COREUTILS-6727355",
"level": "note",
"message": {
"text": "This file introduces a vulnerable coreutils package with a low severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
]
},
{
"ruleId": "SNYK-UBUNTU2404-GLIBC-6727419",
"level": "note",
"message": {
"text": "This file introduces a vulnerable glibc package with a low severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
]
},
{
"ruleId": "SNYK-UBUNTU2404-GNUPG2-6702792",
"level": "note",
"message": {
"text": "This file introduces a vulnerable gnupg2 package with a low severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
]
},
{
"ruleId": "SNYK-UBUNTU2404-LIBGCRYPT20-6693674",
"level": "warning",
"message": {
"text": "This file introduces a vulnerable libgcrypt20 package with a medium severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
]
},
{
"ruleId": "SNYK-UBUNTU2404-OPENSSL-7838291",
"level": "warning",
"message": {
"text": "This file introduces a vulnerable openssl package with a medium severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
]
},
{
"ruleId": "SNYK-UBUNTU2404-OPENSSL-7886358",
"level": "warning",
"message": {
"text": "This file introduces a vulnerable openssl package with a medium severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "ubuntu_latest"
},
"region": {
"startLine": 1
}
},
"logicalLocations": [
{
"fullyQualifiedName": "[email protected]"
}
]
}
],
"fixes": [
{
"description": {
"text": "Upgrade to openssl/[email protected]"
},
"artifactChanges": [
{
"artifactLocation": {
"uri": "ubuntu_latest"
},
"replacements": [
{
"deletedRegion": {
"startLine": 1
},
"insertedContent": {
"text": "openssl/[email protected]"
}
}
]
}
]
}
]
}
]
}
]
}
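Review bot: the three rules with `"cvssv3_baseScore": null` carry `"security-severity": "null"` as a JSON string, not a JSON null, so any code in the producer that converts `security-severity` to a float will fail on this fixture; the producer should treat the literal string `"null"` (and a missing `cvssv3_baseScore`) as unknown severity and fall back to the result's `level` or the `Low`/`Medium` prefix of `shortDescription.text`, and a test over this file should assert that. Related: every result's `physicalLocation.artifactLocation.uri` is `ubuntu_latest` with `startLine: 1`, which is the scanned image reference rather than a file path, so the producer should not emit it as a source-file location; and the `fixes` entry for `SNYK-UBUNTU2404-OPENSSL-7886358` is the only one present, matching the single rule whose help text names a fixed version, which is worth a comment in the test so a future fixture with more fixes is compared correctly.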