Feature/362 example snyk docker producer #363

Merged: 4 commits, Sep 19, 2024
6 changes: 6 additions & 0 deletions components/producers/producer.go
Expand Up @@ -123,6 +123,12 @@ func WriteDraconOut(

stat, err := os.Stat(OutFile)
if Append && err == nil && stat.Size() > 0 {
slog.Info(
"appending",
slog.Int("issues", len(cleanIssues)),
slog.String("tool", toolName),
slog.String("to", OutFile),
)
return putil.AppendResults(cleanIssues, OutFile)
}
return putil.WriteResults(toolName, cleanIssues, OutFile, scanUUUID, scanStartTime, scanTags)
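Review bot: in the `if Append && err == nil && stat.Size() > 0` branch, an `os.Stat` error other than the file not existing (a permissions failure, for instance) is silently swallowed and execution falls through to `putil.WriteResults` on the same path, which will then overwrite or fail; check `errors.Is(err, os.ErrNotExist)` explicitly and return any other error. Also, `putil.AppendResults(cleanIssues, OutFile)` receives none of the `toolName`, `scanUUUID`, `scanStartTime` or `scanTags` that `putil.WriteResults` gets, so appended issues can only inherit whatever scan metadata is already in the file; either document that the append path assumes the same scan, or pass the metadata through and reject a mismatch. Minor: the existing `scanUUUID` identifier reads like a typo for `scanUUID`.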
14 changes: 14 additions & 0 deletions components/producers/snyk-docker/exampleData/snyk-container-out.pb
@@ -0,0 +1,14 @@
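Review bot: the fixture `components/producers/snyk-docker/exampleData/snyk-container-out.pb` is committed as a binary protobuf with nothing stating how it was produced, so it cannot be reviewed or regenerated from the PR alone; add a short note (or a Makefile target) giving the `snyk` invocation and the image it was run against, and consider committing the raw Snyk output it was converted from next to it so the producer's transformation is reviewable and the fixture can be rebuilt when the output schema changes.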