From 7e41a33feace0d79373409b631525206ff086a23 Mon Sep 17 00:00:00 2001
From: Rex P
Date: Wed, 22 Jan 2025 11:37:32 +1100
Subject: [PATCH 1/2] feat: Use new chainID method with empty layers

---
 .../baseimagematcher/baseimagematcher.go | 46 ++++---------------
 1 file changed, 8 insertions(+), 38 deletions(-)

diff --git a/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go b/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go
index 2fd851549b0..299cc81a1a0 100644
--- a/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go
+++ b/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go
@@ -10,7 +10,6 @@ import (
 	"math/rand/v2"
 	"net/http"
 	"slices"
-	"strings"
 	"time"
 
 	"github.com/google/osv-scanner/pkg/models"
@@ -22,6 +21,9 @@ import (
 const (
 	maxConcurrentRequests = 1000
 	APIEndpoint = "https://api.deps.dev/v3alpha/querycontainerimages/"
+	// DigestSHA256EmptyTar is the canonical sha256 digest of empty tar file -
+	// (1024 NULL bytes)
+	DigestSHA256EmptyTar = digest.Digest("sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef")
 )
 
 // OSVMatcher implements the VulnerabilityMatcher interface with a osv.dev client.
@@ -39,14 +41,15 @@ func (matcher *DepsDevBaseImageMatcher) MatchBaseImages(ctx context.Context, lay
 
 	var runningDigest digest.Digest
 	for i, l := range layerMetadata {
-		if l.DiffID == "" {
-			continue
+		diffID := l.DiffID
+		if diffID == "" {
+			diffID = DigestSHA256EmptyTar
 		}
 
 		if runningDigest == "" {
-			runningDigest = l.DiffID
+			runningDigest = diffID
 		} else {
-			runningDigest = digest.FromBytes([]byte(runningDigest + " " + l.DiffID))
+			runningDigest = digest.FromBytes([]byte(runningDigest + " " + diffID))
 		}
 
 		chainID := runningDigest
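Review bot: The doc comment on `DigestSHA256EmptyTar` reads as a fragment (`of empty tar file -` / `(1024 NULL bytes)`) and does not say why a base-image matcher needs this constant, which is what a reader of the loop below will want to know. Suggest `// DigestSHA256EmptyTar is the sha256 digest of an empty tar archive (1024 NUL bytes). It stands in for the DiffID of empty layers, which have none, so that they still contribute to the chain ID.` This appears to be the same literal that docker/moby's layer package exports under the same name; naming that origin in the comment lets a reviewer check the hex against a known source rather than taking it on trust.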
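Review bot: `diffID` is hashed into `runningDigest` as-is — the only check on `l.DiffID` is `== ""` — so a malformed or unexpected DiffID taken from the image's config flows straight into the chain ID that is later queried against deps.dev instead of being rejected; the `digest` package already provides the check, e.g. `if err := diffID.Validate(); err != nil { … }` placed right after the empty-layer substitution and returning an error from MatchBaseImages (its signature and the rest of its body, including where `i` and `chainID` are consumed, lie outside the hunk). Treating an empty layer as the empty-tar digest instead of skipping it is a convention the remote side must share: if deps.dev's new chain-ID method does not make the same substitution the mismatch will not fail, it will simply produce no base-image matches. That makes the substitution worth a why-comment such as `// Empty layers carry no DiffID; use the empty-tar digest so the chain ID matches how deps.dev computes it.`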
@@ -201,39 +204,6 @@ func buildBaseImageDetails(layerMetadata []models.LayerMetadata, baseImagesMap [
 		allBaseImages = append(allBaseImages, baseImages)
 		currentBaseImageIndex += 1
 		layerMetadata[i].BaseImageIndex = currentBaseImageIndex
-
-		// Backfill with heuristic:
-		// The goal here is to replace empty layers that is currently categorized as the previous base image
-		// with this base image if it actually belongs to this layer.
-		//
-		// We do this by guessing the boundary of empty layers by checking for the following commands,
-		// which are commonly the *last* layer.
-		//
-		// Remember we are looping backwards in the outer loop,
-		// so this backfill is actually filling down the layer stack, not up.
-		possibleFinalBaseImageCommands := []string{
-			"/bin/sh -c #(nop) CMD",
-			"CMD",
-			"/bin/sh -c #(nop) ENTRYPOINT",
-			"ENTRYPOINT",
-		}
-	BackfillLoop:
-		for i2 := i; i2 < len(layerMetadata); i2++ {
-			if !layerMetadata[i2].IsEmpty {
-				// If the layer is not empty, whatever base image it is current assigned
-				// would be already correct, we only need to adjust empty layers.
-				break
-			}
-			buildCommand := layerMetadata[i2].Command
-			layerMetadata[i2].BaseImageIndex = currentBaseImageIndex
-
-			// Check if this is the last layer and we can stop looping
-			for _, prefix := range possibleFinalBaseImageCommands {
-				if strings.HasPrefix(buildCommand, prefix) {
-					break BackfillLoop
-				}
-			}
-		}
 	}
 
 	return allBaseImages

From 38ad3f9aac054ed8871e887c5e0bc3e47cb41f06 Mon Sep 17 00:00:00 2001
From: Rex P
Date: Thu, 23 Jan 2025 15:33:14 +1100
Subject: [PATCH 2/2] Update snapshot

---
 cmd/osv-scanner/__snapshots__/main_test.snap | 171 +++++++++++++++++++
 1 file changed, 171 insertions(+)

diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
index 252bfbe8393..b27e4c8ab42 100755
--- a/cmd/osv-scanner/__snapshots__/main_test.snap
+++ b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -556,7 +556,20 @@ Filtered 9 local/unscannable package/s from the scan. +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4535-1 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3910-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -573,12 +586,170 @@ Filtered 9 local/unscannable package/s from the scan. | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | +| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-2236 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3263-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2016-3709 | 6.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-14404 | 7.5 | Debian | 
libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-2309 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| 
https://osv.dev/CVE-2024-25062 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3878-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5103-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5139-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5169-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5417-1 | 7.5 | Debian 
| openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-3817 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-5678 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-0727 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-13176 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-2511 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-4741 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-5535 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5764-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-9143 
| | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3008-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3325-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3449-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3530-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3942-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3942-2 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6798 | 7.5 | Debian | perl 
| 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-16156 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-31484 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3926-1 | | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3764-1 | | 
Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-39804 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3755-1 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5650-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| Unimportant vulnerabilities | | | | | | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-34459 | | Debian | 
libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ ---