From 8971b5fe959021e0a8964f8606b7cca237e162ea Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Wed, 15 Mar 2023 02:38:12 +0000 Subject: [PATCH 01/13] Ignore aliases with IgnoredVulns --- pkg/config/config.go | 11 +++- pkg/osvscanner/osvscanner.go | 59 +++++++++++++------ pkg/osvscanner/vulnerability_result.go | 23 ++++++-- .../vulnerability_result_internal_test.go | 3 +- 4 files changed, 68 insertions(+), 28 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index 91c32262976..e2df86413b2 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -29,9 +29,14 @@ type Config struct { } type IgnoreEntry struct { - ID string `toml:"id"` - IgnoreUntil time.Time `toml:"ignoreUntil"` - Reason string `toml:"reason"` + ID string `toml:"id"` + IgnoreUntil time.Time `toml:"ignoreUntil"` + Reason string `toml:"reason"` + IncludeAliases *bool `toml:"includeAliases"` // Use pointer to tell apart unset (treated as true) and false +} + +func (e *IgnoreEntry) ShouldIncludeAliases() bool { + return e.IncludeAliases == nil || *(e.IncludeAliases) } func (c *Config) ShouldIgnore(vulnID string) (bool, IgnoreEntry) { diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 8dd6e5bd28d..432dfc980d6 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
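Review bot: The new exported method `ShouldIncludeAliases` in the config.go hunk has no doc comment, and the semantics of the tri-state `IncludeAliases` field are only explained in a trailing line comment on the struct field. Since this is the only place the default is defined, I would put it on the method: `// ShouldIncludeAliases reports whether aliases of the ignored ID are ignored too; an unset includeAliases is treated as true.` The method uses a pointer receiver while `ShouldIgnore` returns `IgnoreEntry` by value, which works only because callers invoke it on an addressable local; a value receiver would avoid that subtlety for a read-only accessor.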
@@ -346,29 +346,52 @@ func scanDebianDocker(r *output.Reporter, query *osv.BatchedQuery, dockerImageNa return nil } -// Filters response according to config, returns number of responses removed -func filterResponse(r *output.Reporter, query osv.BatchedQuery, resp *osv.BatchedResponse, configManager *config.ConfigManager) int { +// filters vulnerabilities and groups according to config, returns filtered vulnerabilities and groups +func filterVulns(r *output.Reporter, configToUse config.Config, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) { hiddenVulns := map[string]config.IgnoreEntry{} + outGroups := []models.GroupInfo{} + outVulns := []models.Vulnerability{} - for i, result := range resp.Results { - var filteredVulns []osv.MinimalVulnerability - configToUse := configManager.Get(r, query.Queries[i].Source.Path) - for _, vuln := range result.Vulns { - ignore, ignoreLine := configToUse.ShouldIgnore(vuln.ID) + for _, group := range groups { + keepIDs := []string{} + for i, id := range group.IDs { + ignore, ignoreLine := configToUse.ShouldIgnore(id) if ignore { - hiddenVulns[vuln.ID] = ignoreLine + hiddenVulns[id] = ignoreLine + if ignoreLine.ShouldIncludeAliases() { + for _, id := range keepIDs { + hiddenVulns[id] = ignoreLine + } + for _, id := range group.IDs[i+1:] { + hiddenVulns[id] = ignoreLine + } + keepIDs = []string{} + break + } } else { - filteredVulns = append(filteredVulns, vuln) + keepIDs = append(keepIDs, id) } } - resp.Results[i].Vulns = filteredVulns + if len(keepIDs) > 0 { + group.IDs = keepIDs + outGroups = append(outGroups, group) + } } - for id, ignoreLine := range hiddenVulns { - r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", id, ignoreLine.Reason)) + for _, vuln := range vulns { + ignoreLine, ok := hiddenVulns[vuln.ID] + if ok { + if ignoreLine.ID == vuln.ID { + r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", vuln.ID, ignoreLine.Reason)) + } else { + 
r.PrintText(fmt.Sprintf("%s (alias of %s) has been filtered out because: %s\n", vuln.ID, ignoreLine.ID, ignoreLine.Reason)) + } + } else { + outVulns = append(outVulns, vuln) + } } - return len(hiddenVulns) + return outVulns, outGroups } func parseLockfilePath(lockfileElem string) (string, string) { @@ -456,16 +479,16 @@ func DoScan(actions ScannerActions, r *output.Reporter) (models.VulnerabilityRes return models.VulnerabilityResults{}, fmt.Errorf("scan failed %w", err) } - filtered := filterResponse(r, query, resp, &configManager) - if filtered > 0 { - r.PrintText(fmt.Sprintf("Filtered %d vulnerabilities from output\n", filtered)) - } hydratedResp, err := osv.Hydrate(resp) if err != nil { return models.VulnerabilityResults{}, fmt.Errorf("failed to hydrate OSV response: %w", err) } - vulnerabilityResults := groupResponseBySource(r, query, hydratedResp, actions.ExperimentalCallAnalysis) + filter := func(sourcePath string, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) { + return filterVulns(r, configManager.Get(r, sourcePath), vulns, groups) + } + + vulnerabilityResults := groupResponseBySource(r, query, hydratedResp, actions.ExperimentalCallAnalysis, filter) // if vulnerability exists it should return error if len(vulnerabilityResults.Results) > 0 { // If any vulnerabilities are called, then we return VulnerabilitiesFoundErr diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go index fab5381a77a..61e9feef3c0 100644 --- a/pkg/osvscanner/vulnerability_result.go +++ b/pkg/osvscanner/vulnerability_result.go 
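Review bot: In the filterVulns hunk the two inner loops `for _, id := range keepIDs` and `for _, id := range group.IDs[i+1:]` reuse the name `id` from the enclosing `for i, id := range group.IDs`, so the outer ID is shadowed exactly where the reader needs to tell "the ID that matched the ignore entry" from "the alias being hidden because of it". Renaming the inner variables, e.g. `for _, alias := range keepIDs { hiddenVulns[alias] = ignoreLine }` and likewise for the tail slice, makes the alias propagation readable and keeps shadow linters quiet. The same `for _, id := range group.IDs` shadowing pattern reappears in the rewritten filterVulns of patch 05, in filterResults of patch 06 and in filterPackageVulns of patch 07, so it is worth settling the naming here.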
@@ -11,17 +11,26 @@ import ( "github.com/google/osv-scanner/pkg/osv" ) +// Function used to filter vulnerabilities and groups. +type vulnFilterFn func(sourcePath string, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) + // groupResponseBySource converts raw OSV API response into structured vulnerability information // grouped by source location. -func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv.HydratedBatchedResponse, callAnalysis bool) models.VulnerabilityResults { +func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv.HydratedBatchedResponse, callAnalysis bool, filter vulnFilterFn) models.VulnerabilityResults { output := models.VulnerabilityResults{ Results: []models.PackageSource{}, } groupedBySource := map[models.SourceInfo][]models.PackageVulns{} + totalFiltered := 0 + for i, query := range query.Queries { - response := resp.Results[i] - if len(response.Vulns) == 0 { + vulns := resp.Results[i].Vulns + vulnCount := len(vulns) + groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(vulns)) + vulns, groups = filter(query.Source.Path, vulns, groups) + totalFiltered += vulnCount - len(vulns) + if len(vulns) == 0 { continue } var pkg models.PackageVulns @@ -47,13 +56,15 @@ func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv } } - pkg.Vulnerabilities = response.Vulns - - groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities)) + pkg.Vulnerabilities = vulns pkg.Groups = groups groupedBySource[query.Source] = append(groupedBySource[query.Source], pkg) } + if totalFiltered > 0 { + r.PrintText(fmt.Sprintf("Filtered %d vulnerabilities from output\n", totalFiltered)) + } + for source, packages := range groupedBySource { if callAnalysis { sourceanalysis.Run(r, source, packages) 
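Review bot: `filter(query.Source.Path, vulns, groups)` in the first vulnerability_result.go hunk is called unconditionally, so a nil `vulnFilterFn` panics as soon as a query has results; the test hunk in the same patch adds a `filter vulnFilterFn` field and passes `tt.args.filter`, and unless every table case sets it (the cases are outside the hunk) the existing cases will now hit that nil call. Guarding the call keeps the function usable without a filter: `if filter != nil { vulns, groups = filter(query.Source.Path, vulns, groups) }`. A sentence on the doc comment saying that `filter` may be nil would then document the contract. groupResponseBySource continues past the end of this hunk.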
diff --git a/pkg/osvscanner/vulnerability_result_internal_test.go b/pkg/osvscanner/vulnerability_result_internal_test.go index 79e860b7ab9..0667192462d 100644 --- a/pkg/osvscanner/vulnerability_result_internal_test.go +++ b/pkg/osvscanner/vulnerability_result_internal_test.go @@ -16,6 +16,7 @@ func Test_groupResponseBySource(t *testing.T) { query osv.BatchedQuery resp *osv.HydratedBatchedResponse callAnalysis bool + filter vulnFilterFn } tests := []struct { name string @@ -26,7 +27,7 @@ func Test_groupResponseBySource(t *testing.T) { tt := tt // Reinitialize for t.Parallel() t.Run(tt.name, func(t *testing.T) { t.Parallel() - if got := groupResponseBySource(tt.args.r, tt.args.query, tt.args.resp, tt.args.callAnalysis); !reflect.DeepEqual(got, tt.want) { + if got := groupResponseBySource(tt.args.r, tt.args.query, tt.args.resp, tt.args.callAnalysis, tt.args.filter); !reflect.DeepEqual(got, tt.want) { t.Errorf("groupResponse() = %v, want %v", got, tt.want) } }) From e5096389923d450f4b29e4725ef0a2c69bdff421 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Wed, 15 Mar 2023 03:08:41 +0000 Subject: [PATCH 02/13] Update docs --- docs/configuration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuration.md b/docs/configuration.md index 76afee555df..fc4c4bddba4 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -21,9 +21,12 @@ To ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, id = "GO-2022-0968" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" +# includeAliases = true # Optional whether to include vulnerability aliases. Default true [[IgnoredVulns]] id = "GO-2022-1059" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No external http servers are written in Go lang." +includeAliases = false ``` +By default, ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of the vulnerability. To only ignore the exact vulnerability ID, set `includeAliases` to `false`. From 7ebddadeb42797033b06df5e5bb0f2a65e0cb570 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Wed, 15 Mar 2023 03:10:47 +0000 Subject: [PATCH 03/13] lint --- pkg/osvscanner/osvscanner.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 432dfc980d6..3e23acdb1fe 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -366,6 +366,7 @@ func filterVulns(r *output.Reporter, configToUse config.Config, vulns []models.V hiddenVulns[id] = ignoreLine } keepIDs = []string{} + break } } else { From 1fb6a3b82a9f29dfc637684b7160be04f1b67c65 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Wed, 15 Mar 2023 03:19:39 +0000 Subject: [PATCH 04/13] F --- pkg/osvscanner/osvscanner.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 3e23acdb1fe..fc027fe8894 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -346,7 +346,7 @@ func scanDebianDocker(r *output.Reporter, query *osv.BatchedQuery, dockerImageNa return nil } -// filters vulnerabilities and groups according to config, returns filtered vulnerabilities and groups +// Filters vulnerabilities and groups according to config, returns filtered vulnerabilities and groups func filterVulns(r *output.Reporter, configToUse config.Config, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) { hiddenVulns := map[string]config.IgnoreEntry{} outGroups := []models.GroupInfo{} From 07c13a5e42e9f63341ac328a6f62bf9399752c43 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Wed, 15 Mar 2023 05:04:29 +0000 Subject: [PATCH 05/13] Exclusion is not an option --- docs/configuration.md | 5 ++--- pkg/config/config.go | 11 +++-------- pkg/osvscanner/osvscanner.go | 25 ++++++++----------------- 3 files changed, 13 insertions(+), 28 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index fc4c4bddba4..2618a1fe2cc 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -21,12 +21,11 @@ To ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, id = "GO-2022-0968" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" -# includeAliases = true # Optional whether to include vulnerability aliases. Default true [[IgnoredVulns]] id = "GO-2022-1059" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No external http servers are written in Go lang." -includeAliases = false ``` -By default, ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of the vulnerability. To only ignore the exact vulnerability ID, set `includeAliases` to `false`. + +Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability. 
diff --git a/pkg/config/config.go b/pkg/config/config.go index e2df86413b2..91c32262976 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -29,14 +29,9 @@ type Config struct { } type IgnoreEntry struct { - ID string `toml:"id"` - IgnoreUntil time.Time `toml:"ignoreUntil"` - Reason string `toml:"reason"` - IncludeAliases *bool `toml:"includeAliases"` // Use pointer to tell apart unset (treated as true) and false -} - -func (e *IgnoreEntry) ShouldIncludeAliases() bool { - return e.IncludeAliases == nil || *(e.IncludeAliases) + ID string `toml:"id"` + IgnoreUntil time.Time `toml:"ignoreUntil"` + Reason string `toml:"reason"` } func (c *Config) ShouldIgnore(vulnID string) (bool, IgnoreEntry) { diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ca3f518b806..c01e8806eb7 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -364,28 +364,19 @@ func filterVulns(r *output.Reporter, configToUse config.Config, vulns []models.V outVulns := []models.Vulnerability{} for _, group := range groups { - keepIDs := []string{} - for i, id := range group.IDs { + keepGroup := true + for _, id := range group.IDs { ignore, ignoreLine := configToUse.ShouldIgnore(id) if ignore { - hiddenVulns[id] = ignoreLine - if ignoreLine.ShouldIncludeAliases() { - for _, id := range keepIDs { - hiddenVulns[id] = ignoreLine - } - for _, id := range group.IDs[i+1:] { - hiddenVulns[id] = ignoreLine - } - keepIDs = []string{} - - break + keepGroup = false + for _, id := range group.IDs { + hiddenVulns[id] = ignoreLine } - } else { - keepIDs = append(keepIDs, id) + + break } } - if len(keepIDs) > 0 { - group.IDs = keepIDs + if keepGroup { outGroups = append(outGroups, group) } } From 35029c3565944cccb8459c705102508129d2d088 Mon Sep 17 00:00:00 2001 
From: Michael Kedar Date: Wed, 15 Mar 2023 06:01:01 +0000 Subject: [PATCH 06/13] Filter on `VulnerabilityResults` --- pkg/osvscanner/osvscanner.go | 82 +++++++++++-------- pkg/osvscanner/vulnerability_result.go | 23 ++---- .../vulnerability_result_internal_test.go | 3 +- 3 files changed, 55 insertions(+), 53 deletions(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index c01e8806eb7..7e4405495d3 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -357,44 +357,56 @@ func scanDebianDocker(r *output.Reporter, query *osv.BatchedQuery, dockerImageNa return nil } -// Filters vulnerabilities and groups according to config, returns filtered vulnerabilities and groups -func filterVulns(r *output.Reporter, configToUse config.Config, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) { - hiddenVulns := map[string]config.IgnoreEntry{} - outGroups := []models.GroupInfo{} - outVulns := []models.Vulnerability{} - - for _, group := range groups { - keepGroup := true - for _, id := range group.IDs { - ignore, ignoreLine := configToUse.ShouldIgnore(id) - if ignore { - keepGroup = false +// Filters results according to config, returns number of responses removed +func filterResults(r *output.Reporter, results *models.VulnerabilityResults, configManager *config.ConfigManager) int { + removedCount := 0 + newResults := []models.PackageSource{} + for _, pkgSrc := range results.Results { + configToUse := configManager.Get(r, pkgSrc.Source.Path) + newPackages := []models.PackageVulns{} + for _, pkgVuln := range pkgSrc.Packages { + hiddenVulns := map[string]bool{} + newGroups := []models.GroupInfo{} + for _, group := range pkgVuln.Groups { + keepGroup := true for _, id := range group.IDs { - hiddenVulns[id] = ignoreLine + if ignore, ignoreLine := configToUse.ShouldIgnore(id); ignore { + keepGroup = false + for _, id := range group.IDs { + hiddenVulns[id] = true + } + r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) + removedCount += len(group.IDs) + + break + } + } + if keepGroup { + newGroups = append(newGroups, group) } - - break } - } - if keepGroup { - outGroups = append(outGroups, group) - } - } - - for _, vuln := range vulns { - ignoreLine, ok := hiddenVulns[vuln.ID] - if ok { - if ignoreLine.ID == vuln.ID { - r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", vuln.ID, ignoreLine.Reason)) - } else { - 
r.PrintText(fmt.Sprintf("%s (alias of %s) has been filtered out because: %s\n", vuln.ID, ignoreLine.ID, ignoreLine.Reason)) + if len(newGroups) == 0 { + continue } - } else { - outVulns = append(outVulns, vuln) + newVulns := []models.Vulnerability{} + for _, vuln := range pkgVuln.Vulnerabilities { + if _, filtered := hiddenVulns[vuln.ID]; !filtered { + newVulns = append(newVulns, vuln) + } + } + + pkgVuln.Groups = newGroups + pkgVuln.Vulnerabilities = newVulns + newPackages = append(newPackages, pkgVuln) + } + if len(newPackages) > 0 { + pkgSrc.Packages = newPackages + newResults = append(newResults, pkgSrc) } } + results.Results = newResults - return outVulns, outGroups + return removedCount } func parseLockfilePath(lockfileElem string) (string, string) { @@ -487,11 +499,13 @@ func DoScan(actions ScannerActions, r *output.Reporter) (models.VulnerabilityRes return models.VulnerabilityResults{}, fmt.Errorf("failed to hydrate OSV response: %w", err) } - filter := func(sourcePath string, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) { - return filterVulns(r, configManager.Get(r, sourcePath), vulns, groups) + vulnerabilityResults := groupResponseBySource(r, query, hydratedResp, actions.ExperimentalCallAnalysis) + + filtered := filterResults(r, &vulnerabilityResults, &configManager) + if filtered > 0 { + r.PrintText(fmt.Sprintf("Filtered %d vulnerabilities from output\n", filtered)) } - vulnerabilityResults := groupResponseBySource(r, query, hydratedResp, actions.ExperimentalCallAnalysis, filter) // if vulnerability exists it should return error if len(vulnerabilityResults.Results) > 0 { // If any vulnerabilities are called, then we return VulnerabilitiesFoundErr diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go index 61e9feef3c0..fab5381a77a 100644 --- a/pkg/osvscanner/vulnerability_result.go +++ b/pkg/osvscanner/vulnerability_result.go 
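Review bot: `removedCount += len(group.IDs)` in the filterResults hunk counts group IDs rather than vulnerabilities, so the "Filtered %d vulnerabilities from output" line printed from DoScan overstates the count whenever a group's IDs include alias IDs that are not themselves entries in `pkgVuln.Vulnerabilities` (the groups come from `grouper.ConvertVulnerabilityToIDAliases`, so that appears to be the normal case). Counting what is actually dropped is cheap here: `removedCount += len(pkgVuln.Vulnerabilities)` before the `continue` for an emptied package, and `removedCount += len(pkgVuln.Vulnerabilities) - len(newVulns)` after the vulnerability loop. That also removes the need to keep the count in sync with the group loop.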
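Review bot: In the DoScan hunk the config filter now runs after `groupResponseBySource`, and that function invokes `sourceanalysis.Run` when `actions.ExperimentalCallAnalysis` is set (visible in the vulnerability_result.go context of this patch), so call analysis is now performed on vulnerabilities the user has ignored and the ignore list no longer limits that work. If that is intended, a comment above `filterResults` saying that filtering deliberately happens after call analysis would save the next reader the question; otherwise the filter should run before `sourceanalysis.Run`, which presumably means moving it into or ahead of the grouping step. The end of DoScan lies outside this hunk.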
@@ -11,26 +11,17 @@ import ( "github.com/google/osv-scanner/pkg/osv" ) -// Function used to filter vulnerabilities and groups. -type vulnFilterFn func(sourcePath string, vulns []models.Vulnerability, groups []models.GroupInfo) ([]models.Vulnerability, []models.GroupInfo) - // groupResponseBySource converts raw OSV API response into structured vulnerability information // grouped by source location. -func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv.HydratedBatchedResponse, callAnalysis bool, filter vulnFilterFn) models.VulnerabilityResults { +func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv.HydratedBatchedResponse, callAnalysis bool) models.VulnerabilityResults { output := models.VulnerabilityResults{ Results: []models.PackageSource{}, } groupedBySource := map[models.SourceInfo][]models.PackageVulns{} - totalFiltered := 0 - for i, query := range query.Queries { - vulns := resp.Results[i].Vulns - vulnCount := len(vulns) - groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(vulns)) - vulns, groups = filter(query.Source.Path, vulns, groups) - totalFiltered += vulnCount - len(vulns) - if len(vulns) == 0 { + response := resp.Results[i] + if len(response.Vulns) == 0 { continue } var pkg models.PackageVulns @@ -56,15 +47,13 @@ func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv } } - pkg.Vulnerabilities = vulns + pkg.Vulnerabilities = response.Vulns + + groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities)) pkg.Groups = groups groupedBySource[query.Source] = append(groupedBySource[query.Source], pkg) } - if totalFiltered > 0 { - r.PrintText(fmt.Sprintf("Filtered %d vulnerabilities from output\n", totalFiltered)) - } - for source, packages := range groupedBySource { if callAnalysis { sourceanalysis.Run(r, source, packages) 
diff --git a/pkg/osvscanner/vulnerability_result_internal_test.go b/pkg/osvscanner/vulnerability_result_internal_test.go index 0667192462d..79e860b7ab9 100644 --- a/pkg/osvscanner/vulnerability_result_internal_test.go +++ b/pkg/osvscanner/vulnerability_result_internal_test.go @@ -16,7 +16,6 @@ func Test_groupResponseBySource(t *testing.T) { query osv.BatchedQuery resp *osv.HydratedBatchedResponse callAnalysis bool - filter vulnFilterFn } tests := []struct { name string @@ -27,7 +26,7 @@ func Test_groupResponseBySource(t *testing.T) { tt := tt // Reinitialize for t.Parallel() t.Run(tt.name, func(t *testing.T) { t.Parallel() - if got := groupResponseBySource(tt.args.r, tt.args.query, tt.args.resp, tt.args.callAnalysis, tt.args.filter); !reflect.DeepEqual(got, tt.want) { + if got := groupResponseBySource(tt.args.r, tt.args.query, tt.args.resp, tt.args.callAnalysis); !reflect.DeepEqual(got, tt.want) { t.Errorf("groupResponse() = %v, want %v", got, tt.want) } }) From d6f5f309e532040c524fbffed499875cca807711 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Thu, 16 Mar 2023 00:54:47 +0000 Subject: [PATCH 07/13] Extract function --- pkg/osvscanner/osvscanner.go | 78 +++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 33 deletions(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 7e4405495d3..ba3e2ddaa5a 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -357,7 +357,7 @@ func scanDebianDocker(r *output.Reporter, query *osv.BatchedQuery, dockerImageNa return nil } -// Filters results according to config, returns number of responses removed +// Filters results according to config, preserving order. Returns total number of vulnerabilities removed. func filterResults(r *output.Reporter, results *models.VulnerabilityResults, configManager *config.ConfigManager) int { removedCount := 0 newResults := []models.PackageSource{} 
@@ -365,39 +365,11 @@ func filterResults(r *output.Reporter, results *models.VulnerabilityResults, con configToUse := configManager.Get(r, pkgSrc.Source.Path) newPackages := []models.PackageVulns{} for _, pkgVuln := range pkgSrc.Packages { - hiddenVulns := map[string]bool{} - newGroups := []models.GroupInfo{} - for _, group := range pkgVuln.Groups { - keepGroup := true - for _, id := range group.IDs { - if ignore, ignoreLine := configToUse.ShouldIgnore(id); ignore { - keepGroup = false - for _, id := range group.IDs { - hiddenVulns[id] = true - } - r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) - removedCount += len(group.IDs) - - break - } - } - if keepGroup { - newGroups = append(newGroups, group) - } - } - if len(newGroups) == 0 { - continue - } - newVulns := []models.Vulnerability{} - for _, vuln := range pkgVuln.Vulnerabilities { - if _, filtered := hiddenVulns[vuln.ID]; !filtered { - newVulns = append(newVulns, vuln) - } + newVuln := filterPackageVulns(r, pkgVuln, configToUse) + removedCount += len(pkgVuln.Vulnerabilities) - len(newVuln.Vulnerabilities) + if len(newVuln.Vulnerabilities) > 0 { + newPackages = append(newPackages, pkgVuln) } - - pkgVuln.Groups = newGroups - pkgVuln.Vulnerabilities = newVulns - newPackages = append(newPackages, pkgVuln) } if len(newPackages) > 0 { pkgSrc.Packages = newPackages 
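Review bot: The new loop body in filterResults computes `newVuln := filterPackageVulns(r, pkgVuln, configToUse)` but then appends the unfiltered `pkgVuln` to `newPackages`, so the count is adjusted while the output still carries every ignored vulnerability and group. The append should be `newPackages = append(newPackages, newVuln)`. A test that ignores one vulnerability and checks the returned results, not just the count, would have caught this.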
@@ -409,6 +381,46 @@ func filterResults(r *output.Reporter, results *models.VulnerabilityResults, con return removedCount } +// Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities. +func filterPackageVulns(r *output.Reporter, pkgVuln models.PackageVulns, configToUse config.Config) models.PackageVulns { + hiddenVulns := map[string]bool{} + // Iterate over groups first to remove all aliases of ignored vulnerabilities. + newGroups := []models.GroupInfo{} + for _, group := range pkgVuln.Groups { + ignore := false + for _, id := range group.IDs { + var ignoreLine config.IgnoreEntry + if ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore { + for _, id := range group.IDs { + hiddenVulns[id] = true + } + // NB: This only prints the first reason encountered in all the aliases. + r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) + + break + } + } + if !ignore { + newGroups = append(newGroups, group) + } + } + + newVulns := []models.Vulnerability{} + if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities. + for _, vuln := range pkgVuln.Vulnerabilities { + if _, filtered := hiddenVulns[vuln.ID]; !filtered { + newVulns = append(newVulns, vuln) + } + } + } + + // Passed by value. We don't want to alter the original PackageVulns. + pkgVuln.Groups = newGroups + pkgVuln.Vulnerabilities = newVulns + + return pkgVuln +} + func parseLockfilePath(lockfileElem string) (string, string) { if !strings.Contains(lockfileElem, ":") { lockfileElem = ":" + lockfileElem From 5b157e2e247f818428372d6263fa7d01d95b93bd Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Thu, 16 Mar 2023 01:19:38 +0000 Subject: [PATCH 08/13] fix and plurals --- pkg/osvscanner/osvscanner.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
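Review bot: The `ignore` flag in filterPackageVulns is set through the assignment form `if ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore`, which forces the separate `var ignoreLine config.IgnoreEntry` declaration and is easy to misread as a shadowing `:=`; setting the flag explicitly reads better: `if matched, ignoreLine := configToUse.ShouldIgnore(id); matched { ignore = true` followed by the existing body. The filtered-out message names only `ignoreLine.ID`, so someone auditing the scan output cannot see which alias IDs were suppressed along with it; since `strings` is already imported in this file, `r.PrintText(fmt.Sprintf("%s has been filtered out because: %s (aliases: %s)\n", ignoreLine.ID, ignoreLine.Reason, strings.Join(group.IDs, ", ")))` would keep that trail in the output. The inner `for _, id := range group.IDs` again shadows the outer `id`.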
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ba3e2ddaa5a..0980c8df8eb 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -364,11 +364,11 @@ func filterResults(r *output.Reporter, results *models.VulnerabilityResults, con for _, pkgSrc := range results.Results { configToUse := configManager.Get(r, pkgSrc.Source.Path) newPackages := []models.PackageVulns{} - for _, pkgVuln := range pkgSrc.Packages { - newVuln := filterPackageVulns(r, pkgVuln, configToUse) - removedCount += len(pkgVuln.Vulnerabilities) - len(newVuln.Vulnerabilities) - if len(newVuln.Vulnerabilities) > 0 { - newPackages = append(newPackages, pkgVuln) + for _, pkgVulns := range pkgSrc.Packages { + newVulns := filterPackageVulns(r, pkgVulns, configToUse) + removedCount += len(pkgVulns.Vulnerabilities) - len(newVulns.Vulnerabilities) + if len(newVulns.Vulnerabilities) > 0 { + newPackages = append(newPackages, newVulns) } } if len(newPackages) > 0 { @@ -382,11 +382,11 @@ func filterResults(r *output.Reporter, results *models.VulnerabilityResults, con } // Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities. -func filterPackageVulns(r *output.Reporter, pkgVuln models.PackageVulns, configToUse config.Config) models.PackageVulns { +func filterPackageVulns(r *output.Reporter, pkgVulns models.PackageVulns, configToUse config.Config) models.PackageVulns { hiddenVulns := map[string]bool{} // Iterate over groups first to remove all aliases of ignored vulnerabilities. newGroups := []models.GroupInfo{} - for _, group := range pkgVuln.Groups { + for _, group := range pkgVulns.Groups { ignore := false for _, id := range group.IDs { var ignoreLine config.IgnoreEntry 
@@ -407,7 +407,7 @@ func filterPackageVulns(r *output.Reporter, pkgVuln models.PackageVulns, configT newVulns := []models.Vulnerability{} if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities. - for _, vuln := range pkgVuln.Vulnerabilities { + for _, vuln := range pkgVulns.Vulnerabilities { if _, filtered := hiddenVulns[vuln.ID]; !filtered { newVulns = append(newVulns, vuln) } @@ -415,10 +415,10 @@ func filterPackageVulns(r *output.Reporter, pkgVuln models.PackageVulns, configT } // Passed by value. We don't want to alter the original PackageVulns. - pkgVuln.Groups = newGroups - pkgVuln.Vulnerabilities = newVulns + pkgVulns.Groups = newGroups + pkgVulns.Vulnerabilities = newVulns - return pkgVuln + return pkgVulns } func parseLockfilePath(lockfileElem string) (string, string) { From d9cd42ddd7991d64ee9e030d7b93e1c1e2ad8c27 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Thu, 16 Mar 2023 03:48:34 +0000 Subject: [PATCH 09/13] Print number of aliases removed --- pkg/osvscanner/osvscanner.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 0980c8df8eb..dcbe9423ec1 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -395,7 +395,14 @@ func filterPackageVulns(r *output.Reporter, pkgVulns models.PackageVulns, config hiddenVulns[id] = true } // NB: This only prints the first reason encountered in all the aliases. - r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) + switch len(group.IDs) { + case 1: + r.PrintText(fmt.Sprintf("%s has been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) + case 2: + r.PrintText(fmt.Sprintf("%s and 1 alias have been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason)) + default: + r.PrintText(fmt.Sprintf("%s and %d aliases have been filtered out because: %s\n", ignoreLine.ID, len(group.IDs), ignoreLine.Reason)) + } break } From bf8b57fa126274e182e2774d33d946eea9e690e7 Mon Sep 17 00:00:00 2001 
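Review bot: The `default` case prints `len(group.IDs)` as the number of aliases, but that count includes the ignored ID itself, so a group of three IDs is reported as "and 3 aliases"; the `case 2` branch, which says "1 alias" for two IDs, shows the intended value. The format argument should be `len(group.IDs)-1`. The surrounding function filterPackageVulns starts and ends outside this hunk.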
From: Michael Kedar Date: Thu, 16 Mar 2023 23:43:01 +0000 Subject: [PATCH 10/13] Add filter tests --- internal/testutility/utility.go | 2 +- pkg/osvscanner/fixtures/filter/.gitignore | 1 + .../filter/all/configs/a/osv-scanner.toml | 15 + .../filter/all/configs/b/osv-scanner.toml | 11 + .../filter/all/configs/c/osv-scanner.toml | 15 + pkg/osvscanner/fixtures/filter/all/input.json | 1427 +++++++++++++++++ pkg/osvscanner/fixtures/filter/all/want.json | 3 + .../fixtures/filter/none/configs/a/no_config | 0 .../filter/none/configs/b/osv-scanner.toml | 0 .../filter/none/configs/c/osv-scanner.toml | 11 + .../fixtures/filter/none/input.json | 1427 +++++++++++++++++ pkg/osvscanner/fixtures/filter/none/want.json | 1427 +++++++++++++++++ .../filter/some/configs/a/osv-scanner.toml | 7 + .../filter/some/configs/b/osv-scanner.toml | 7 + .../filter/some/configs/c/osv-scanner.toml | 7 + .../fixtures/filter/some/input.json | 1427 +++++++++++++++++ pkg/osvscanner/fixtures/filter/some/want.json | 540 +++++++ pkg/osvscanner/osvscanner_internal_test.go | 73 + 18 files changed, 6399 insertions(+), 1 deletion(-) create mode 100644 pkg/osvscanner/fixtures/filter/.gitignore create mode 100644 pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/all/input.json create mode 100644 pkg/osvscanner/fixtures/filter/all/want.json create mode 100644 pkg/osvscanner/fixtures/filter/none/configs/a/no_config create mode 100644 pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/none/input.json create mode 100644 pkg/osvscanner/fixtures/filter/none/want.json create mode 100644 pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml create 
mode 100644 pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml create mode 100644 pkg/osvscanner/fixtures/filter/some/input.json create mode 100644 pkg/osvscanner/fixtures/filter/some/want.json create mode 100644 pkg/osvscanner/osvscanner_internal_test.go diff --git a/internal/testutility/utility.go b/internal/testutility/utility.go index ff6497983a5..d9987191ed2 100644 --- a/internal/testutility/utility.go +++ b/internal/testutility/utility.go @@ -49,7 +49,7 @@ func AssertMatchFixtureJSON[V any](t *testing.T, path string, val V) { // can be used with AssertMatchFixtureJSON to compare against future values. func CreateJSONFixture[V any](t *testing.T, path string, val V) { t.Helper() - file, err := os.Open(path) + file, err := os.Create(path) if err != nil { t.Fatalf("Failed to open file to write: %s", err) } diff --git a/pkg/osvscanner/fixtures/filter/.gitignore b/pkg/osvscanner/fixtures/filter/.gitignore new file mode 100644 index 00000000000..c6539c1a14b --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/.gitignore @@ -0,0 +1 @@ +out.json \ No newline at end of file diff --git a/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml new file mode 100644 index 00000000000..8930bb0f015 --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml @@ -0,0 +1,15 @@ +[[IgnoredVulns]] +id = "GHSA-mc8h-8q98-g5hr" +reason = "Ignore 1" + +[[IgnoredVulns]] +id = "RUSTSEC-2023-0018" +reason = "Redundant Ignore 1" + +[[IgnoredVulns]] +id = "GHSA-wcg3-cvx6-7396" +reason = "Ignore 2" + +[[IgnoredVulns]] +id = "RUSTSEC-2020-0071" +reason = "Redundant Ignore 2" \ No newline at end of file diff --git a/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml new file mode 100644 index 00000000000..151c522699a --- /dev/null 
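Review bot: The utility.go hunk switches `CreateJSONFixture` from `os.Open` to `os.Create`, which is the right call for writing, but the error message on the next line still reads "Failed to open file to write", which will mislead whoever debugs a permission or path problem. Suggest `t.Fatalf("Failed to create fixture file %q: %s", path, err)` so the message names the operation and the path. The rest of `CreateJSONFixture`, including whatever closes `file`, is outside the hunk.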
+++ b/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml @@ -0,0 +1,11 @@ +[[IgnoredVulns]] +id = "GHSA-fxg5-wq6x-vr4w" +reason = "Ignore 1" + +[[IgnoredVulns]] +id = "GO-2022-1144" +reason = "Ignore 2" + +[[IgnoredVulns]] +id = "GO-2023-1571" +reason = "Ignore 3" \ No newline at end of file diff --git a/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml new file mode 100644 index 00000000000..013ac72a245 --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml @@ -0,0 +1,15 @@ +[[IgnoredVulns]] +id = "GHSA-mc8h-8q98-g5hr" +reason = "Ignore 1" + +[[IgnoredVulns]] +id = "RUSTSEC-2020-0071" +reason = "Ignore 2" + +[[IgnoredVulns]] +id = "RUSTSEC-2023-0015" +reason = "Ignore 3" + +[[IgnoredVulns]] +id = "GHSA-mrrw-grhq-86gf" +reason = "Ignore 4" diff --git a/pkg/osvscanner/fixtures/filter/all/input.json b/pkg/osvscanner/fixtures/filter/all/input.json new file mode 100644 index 00000000000..0188dfeddf4 --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/all/input.json 
@@ -0,0 +1,1427 @@ +{ + "results": [ + { + "source": { + "path": "fixtures/filter/all/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + 
"github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). 
With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. 
Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. 
This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/all/configs/b/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "golang.org/x/net", + "version": "0.1.0", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-fxg5-wq6x-vr4w", + "modified": "2023-01-24T18:56:46Z", + "published": "2023-01-14T00:30:23Z", + "aliases": [ + "CVE-2022-41721" + ], + "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", + "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net/http2/h2c", + "purl": "pkg:golang/golang.org/x/net/http2/h2c" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" + }, + { + "type": "PACKAGE", + "url": "https://cs.opensource.google/go/x/net" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/447396" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/56352" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-01-20T22:40:06Z", + "nvd_published_at": "2023-01-13T23:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1495", + "modified": "2023-01-31T21:39:17Z", + "published": "2023-01-13T22:39:40Z", + "aliases": [ + "CVE-2022-41721", + "GHSA-fxg5-wq6x-vr4w" + ], + 
"summary": "", + "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1495.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2/h2c", + "symbols": [ + "h2cHandler.ServeHTTP", + "h2cUpgrade" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56352" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/447396" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GO-2022-1144", + "modified": "2023-01-31T21:39:15Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GHSA-vvpx-j8f3-3w6h", + "modified": "2023-03-09T21:20:44Z", + "published": "2023-02-17T14:00:02Z", + "aliases": [ + "CVE-2022-41723" + ], + "summary": 
"Uncontrolled Resource Consumption", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468135" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/57855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + { + "type": "WEB", + "url": "https://vuln.go.dev/ID/GO-2023-1571.json" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-17T14:00:02Z", + "nvd_published_at": "2023-02-28T18:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1571", + "modified": "2023-02-22T20:13:12Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http" + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2" + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-fxg5-wq6x-vr4w", + "GO-2023-1495" + ] + }, + { + "ids": [ + "GO-2022-1144" + ] + }, + { + "ids": [ + "GHSA-vvpx-j8f3-3w6h", + "GO-2023-1571" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/all/configs/c/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "ascii", + "version": "0.8.7", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mrrw-grhq-86gf", + "modified": "2023-02-28T20:30:10Z", + "published": "2023-02-28T20:30:10Z", + "aliases": null, + "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", + "details": "Affected version of this 
crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + }, + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomprogrammer/rust-ascii" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2023-02-28T20:30:10Z", + "nvd_published_at": null, + "severity": "MODERATE" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0015", + "modified": "2023-02-25T15:13:09Z", + "published": "2023-02-25T12:00:00Z", + "aliases": null, + "summary": "Ascii allows out-of-bounds array indexing in safe code", + "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.1-0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "categories": [ + "memory-corruption" + ], + "cvss": null, + "informational": "unsound", + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/ascii" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + }, + { + "type": "REPORT", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mrrw-grhq-86gf" + ] + }, + { + "ids": [ + "RUSTSEC-2023-0015" + ] + } + ] + }, + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating 
systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + 
"CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "informational": null,
+ "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json"
+ },
+ "ecosystem_specific": {
+ "affects": {
+ "arch": [],
+ "functions": [
+ "time::OffsetDateTime::now_local",
+ "time::OffsetDateTime::try_now_local",
+ "time::UtcOffset::current_local_offset",
+ "time::UtcOffset::local_offset_at",
+ "time::UtcOffset::try_current_local_offset",
+ "time::UtcOffset::try_local_offset_at",
+ "time::at",
+ "time::at_utc",
+ "time::now"
+ ],
+ "os": [
+ "linux",
+ "redox",
+ "solaris",
+ "android",
+ "ios",
+ "macos",
+ "netbsd",
+ "openbsd",
+ "freebsd"
+ ]
+ }
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "PACKAGE",
+ "url": "https://crates.io/crates/time"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/time-rs/time/issues/293"
+ }
+ ]
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "GHSA-wcg3-cvx6-7396",
+ "RUSTSEC-2020-0071"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/pkg/osvscanner/fixtures/filter/all/want.json b/pkg/osvscanner/fixtures/filter/all/want.json
new file mode 100644
index 00000000000..8932c426303
--- /dev/null
+++ b/pkg/osvscanner/fixtures/filter/all/want.json
@@ -0,0 +1,3 @@
+{
+ "results": []
+}
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/a/no_config b/pkg/osvscanner/fixtures/filter/none/configs/a/no_config
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
new file mode 100644
index 00000000000..151c522699a
--- /dev/null
+++ b/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
@@ -0,0 +1,11 @@
+[[IgnoredVulns]]
+id = "GHSA-fxg5-wq6x-vr4w"
+reason = "Ignore 1"
+
+[[IgnoredVulns]]
+id = "GO-2022-1144"
+reason = "Ignore 2"
+
+[[IgnoredVulns]]
+id = "GO-2023-1571"
+reason = "Ignore 3"
\ No newline at end of file
diff --git a/pkg/osvscanner/fixtures/filter/none/input.json b/pkg/osvscanner/fixtures/filter/none/input.json
new file mode 100644
index 00000000000..32716a6056b
--- /dev/null
+++ b/pkg/osvscanner/fixtures/filter/none/input.json
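Review bot: The three `[[IgnoredVulns]]` entries set only `id` and `reason`, so this fixture exercises just the default alias handling and never the explicit `includeAliases = false` opt-out the patch introduces; a sibling fixture that sets that key would pin the other branch. The IDs listed here belong to the `golang.org/x/net` findings that `input.json` records under the `configs/b/` source path, while this config lives under `configs/c/`, so the fixture appears to check that ignore rules are scoped to their own directory rather than applied globally, and a one-line `# ids belong to configs/b; must not be filtered from there` comment at the top would make that intent explicit for the next reader. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so a later edit to the last entry does not produce a spurious whole-line diff.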
@@ -0,0 +1,1427 @@ +{ + "results": [ + { + "source": { + "path": "fixtures/filter/none/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + 
"github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). 
With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. 
Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. 
This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/none/configs/b/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "golang.org/x/net", + "version": "0.1.0", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-fxg5-wq6x-vr4w", + "modified": "2023-01-24T18:56:46Z", + "published": "2023-01-14T00:30:23Z", + "aliases": [ + "CVE-2022-41721" + ], + "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", + "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net/http2/h2c", + "purl": "pkg:golang/golang.org/x/net/http2/h2c" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" + }, + { + "type": "PACKAGE", + "url": "https://cs.opensource.google/go/x/net" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/447396" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/56352" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-01-20T22:40:06Z", + "nvd_published_at": "2023-01-13T23:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1495", + "modified": "2023-01-31T21:39:17Z", + "published": "2023-01-13T22:39:40Z", + "aliases": [ + "CVE-2022-41721", + "GHSA-fxg5-wq6x-vr4w" + ], + 
"summary": "", + "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1495.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2/h2c", + "symbols": [ + "h2cHandler.ServeHTTP", + "h2cUpgrade" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56352" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/447396" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GO-2022-1144", + "modified": "2023-01-31T21:39:15Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GHSA-vvpx-j8f3-3w6h", + "modified": "2023-03-09T21:20:44Z", + "published": "2023-02-17T14:00:02Z", + "aliases": [ + "CVE-2022-41723" + ], + "summary": 
"Uncontrolled Resource Consumption", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468135" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/57855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + { + "type": "WEB", + "url": "https://vuln.go.dev/ID/GO-2023-1571.json" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-17T14:00:02Z", + "nvd_published_at": "2023-02-28T18:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1571", + "modified": "2023-02-22T20:13:12Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http" + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2" + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-fxg5-wq6x-vr4w", + "GO-2023-1495" + ] + }, + { + "ids": [ + "GO-2022-1144" + ] + }, + { + "ids": [ + "GHSA-vvpx-j8f3-3w6h", + "GO-2023-1571" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/none/configs/c/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "ascii", + "version": "0.8.7", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mrrw-grhq-86gf", + "modified": "2023-02-28T20:30:10Z", + "published": "2023-02-28T20:30:10Z", + "aliases": null, + "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", + "details": "Affected version of this 
crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + }, + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomprogrammer/rust-ascii" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2023-02-28T20:30:10Z", + "nvd_published_at": null, + "severity": "MODERATE" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0015", + "modified": "2023-02-25T15:13:09Z", + "published": "2023-02-25T12:00:00Z", + "aliases": null, + "summary": "Ascii allows out-of-bounds array indexing in safe code", + "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.1-0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "categories": [ + "memory-corruption" + ], + "cvss": null, + "informational": "unsound", + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/ascii" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + }, + { + "type": "REPORT", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mrrw-grhq-86gf" + ] + }, + { + "ids": [ + "RUSTSEC-2023-0015" + ] + } + ] + }, + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating 
systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + 
"CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + } + ] +} diff --git a/pkg/osvscanner/fixtures/filter/none/want.json b/pkg/osvscanner/fixtures/filter/none/want.json new file mode 100644 index 00000000000..32716a6056b --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/none/want.json 
@@ -0,0 +1,1427 @@ +{ + "results": [ + { + "source": { + "path": "fixtures/filter/none/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + 
"github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). 
With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. 
Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. 
This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/none/configs/b/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "golang.org/x/net", + "version": "0.1.0", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-fxg5-wq6x-vr4w", + "modified": "2023-01-24T18:56:46Z", + "published": "2023-01-14T00:30:23Z", + "aliases": [ + "CVE-2022-41721" + ], + "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", + "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net/http2/h2c", + "purl": "pkg:golang/golang.org/x/net/http2/h2c" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" + }, + { + "type": "PACKAGE", + "url": "https://cs.opensource.google/go/x/net" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/447396" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/56352" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-01-20T22:40:06Z", + "nvd_published_at": "2023-01-13T23:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1495", + "modified": "2023-01-31T21:39:17Z", + "published": "2023-01-13T22:39:40Z", + "aliases": [ + "CVE-2022-41721", + "GHSA-fxg5-wq6x-vr4w" + ], + 
"summary": "", + "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1495.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2/h2c", + "symbols": [ + "h2cHandler.ServeHTTP", + "h2cUpgrade" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56352" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/447396" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GO-2022-1144", + "modified": "2023-01-31T21:39:15Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GHSA-vvpx-j8f3-3w6h", + "modified": "2023-03-09T21:20:44Z", + "published": "2023-02-17T14:00:02Z", + "aliases": [ + "CVE-2022-41723" + ], + "summary": 
"Uncontrolled Resource Consumption", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468135" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/57855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + { + "type": "WEB", + "url": "https://vuln.go.dev/ID/GO-2023-1571.json" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-17T14:00:02Z", + "nvd_published_at": "2023-02-28T18:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1571", + "modified": "2023-02-22T20:13:12Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http" + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2" + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-fxg5-wq6x-vr4w", + "GO-2023-1495" + ] + }, + { + "ids": [ + "GO-2022-1144" + ] + }, + { + "ids": [ + "GHSA-vvpx-j8f3-3w6h", + "GO-2023-1571" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/none/configs/c/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "ascii", + "version": "0.8.7", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mrrw-grhq-86gf", + "modified": "2023-02-28T20:30:10Z", + "published": "2023-02-28T20:30:10Z", + "aliases": null, + "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", + "details": "Affected version of this 
crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + }, + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomprogrammer/rust-ascii" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2023-02-28T20:30:10Z", + "nvd_published_at": null, + "severity": "MODERATE" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0015", + "modified": "2023-02-25T15:13:09Z", + "published": "2023-02-25T12:00:00Z", + "aliases": null, + "summary": "Ascii allows out-of-bounds array indexing in safe code", + "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.1-0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "categories": [ + "memory-corruption" + ], + "cvss": null, + "informational": "unsound", + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/ascii" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + }, + { + "type": "REPORT", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mrrw-grhq-86gf" + ] + }, + { + "ids": [ + "RUSTSEC-2023-0015" + ] + } + ] + }, + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating 
systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + 
"CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + } + ] +} diff --git a/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml new file mode 100644 index 00000000000..f9c51673b68 --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml @@ -0,0 +1,7 @@ +[[IgnoredVulns]] +id = "GHSA-mc8h-8q98-g5hr" +reason = "Ignore 1" + +[[IgnoredVulns]] +id = "RUSTSEC-2020-0071" +reason = "Ignore 2" diff --git a/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml new file mode 100644 index 00000000000..7006bad6c7a --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml @@ -0,0 +1,7 @@ +[[IgnoredVulns]] +id = "GHSA-fxg5-wq6x-vr4w" +reason = "Ignore 1" + +[[IgnoredVulns]] +id = "GO-2022-1144" +reason = "Ignore 2" 
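Review bot: None of the three new `osv-scanner.toml` fixtures set `includeAliases`, so the `filter/some` case only exercises the default alias-ignoring path and the explicit opt-out branch introduced by this commit has no fixture in view. One extra entry in this file, e.g. `[[IgnoredVulns]]` / `id = "RUSTSEC-2020-0071"` / `reason = "Ignore 2"` followed by `includeAliases = false`, would pin that a vulnerability matched only through an alias is still reported when the flag is off, and that the `reason` printed for the alias reflects the ignore entry. The same observation applies to the `configs/b` and `configs/c` fixtures in this patch; fixtures outside this chunk may already cover it, in which case a short comment line in this file pointing to them would help the next reader.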
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
new file mode 100644
index 00000000000..4329f94c997
--- /dev/null
+++ b/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
@@ -0,0 +1,7 @@
+[[IgnoredVulns]]
+id = "GHSA-mc8h-8q98-g5hr"
+reason = "Ignore 1"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2023-0015"
+reason = "Ignore 2"
diff --git a/pkg/osvscanner/fixtures/filter/some/input.json b/pkg/osvscanner/fixtures/filter/some/input.json
new file mode 100644
index 00000000000..7a70a02ecac
--- /dev/null
+++ b/pkg/osvscanner/fixtures/filter/some/input.json
@@ -0,0 +1,1427 @@ +{ + "results": [ + { + "source": { + "path": "fixtures/filter/some/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + 
"github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). 
With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. 
Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. 
This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/some/configs/b/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "golang.org/x/net", + "version": "0.1.0", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-fxg5-wq6x-vr4w", + "modified": "2023-01-24T18:56:46Z", + "published": "2023-01-14T00:30:23Z", + "aliases": [ + "CVE-2022-41721" + ], + "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", + "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net/http2/h2c", + "purl": "pkg:golang/golang.org/x/net/http2/h2c" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" + }, + { + "type": "PACKAGE", + "url": "https://cs.opensource.google/go/x/net" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/447396" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/56352" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-01-20T22:40:06Z", + "nvd_published_at": "2023-01-13T23:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1495", + "modified": "2023-01-31T21:39:17Z", + "published": "2023-01-13T22:39:40Z", + "aliases": [ + "CVE-2022-41721", + "GHSA-fxg5-wq6x-vr4w" + ], + 
"summary": "", + "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1495.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1495" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2/h2c", + "symbols": [ + "h2cHandler.ServeHTTP", + "h2cUpgrade" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56352" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/447396" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GO-2022-1144", + "modified": "2023-01-31T21:39:15Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2022-1144.json", + "url": "https://pkg.go.dev/vuln/GO-2022-1144" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ] + }, + { + "schema_version": "1.4.0", + "id": "GHSA-vvpx-j8f3-3w6h", + "modified": "2023-03-09T21:20:44Z", + "published": "2023-02-17T14:00:02Z", + "aliases": [ + "CVE-2022-41723" + ], + "summary": 
"Uncontrolled Resource Consumption", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468135" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/57855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + { + "type": "WEB", + "url": "https://vuln.go.dev/ID/GO-2023-1571.json" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-17T14:00:02Z", + "nvd_published_at": "2023-02-28T18:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1571", + "modified": "2023-02-22T20:13:12Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http" + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2" + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-fxg5-wq6x-vr4w", + "GO-2023-1495" + ] + }, + { + "ids": [ + "GO-2022-1144" + ] + }, + { + "ids": [ + "GHSA-vvpx-j8f3-3w6h", + "GO-2023-1571" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/some/configs/c/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "ascii", + "version": "0.8.7", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mrrw-grhq-86gf", + "modified": "2023-02-28T20:30:10Z", + "published": "2023-02-28T20:30:10Z", + "aliases": null, + "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", + "details": "Affected version of this 
crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + }, + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomprogrammer/rust-ascii" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2023-02-28T20:30:10Z", + "nvd_published_at": null, + "severity": "MODERATE" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0015", + "modified": "2023-02-25T15:13:09Z", + "published": "2023-02-25T12:00:00Z", + "aliases": null, + "summary": "Ascii allows out-of-bounds array indexing in safe code", + "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.1-0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "categories": [ + "memory-corruption" + ], + "cvss": null, + "informational": "unsound", + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/ascii" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + }, + { + "type": "REPORT", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mrrw-grhq-86gf" + ] + }, + { + "ids": [ + "RUSTSEC-2023-0015" + ] + } + ] + }, + { + "package": { + "name": "remove_dir_all", + "version": "0.5.3", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mc8h-8q98-g5hr", + "modified": "2023-02-24T16:23:59Z", + "published": "2023-02-24T16:23:59Z", + "aliases": null, + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", + "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "PACKAGE", + "url": "https://github.com/XAMPPRocky/remove_dir_all" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-366", + "CWE-367" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-24T16:23:59Z", + "nvd_published_at": null, + "severity": "LOW" + } + }, + { + "schema_version": "1.4.0", + "id": "RUSTSEC-2023-0018", + "modified": "2023-03-04T21:50:30Z", + "published": "2023-02-24T12:00:00Z", + "aliases": [ + "GHSA-mc8h-8q98-g5hr" + ], + "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", + "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating 
systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "remove_dir_all", + "purl": "pkg:cargo/remove_dir_all" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.8.0" + } + ] + } + ], + "database_specific": { + "categories": [], + "cvss": null, + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "remove_dir_all::ensure_empty_dir", + "remove_dir_all::remove_dir_all", + "remove_dir_all::remove_dir_contents" + ], + "os": [] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/remove_dir_all" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" + }, + { + "type": "WEB", + "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-mc8h-8q98-g5hr", + "RUSTSEC-2023-0018" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + "modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + 
"CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + } + ] +} diff --git a/pkg/osvscanner/fixtures/filter/some/want.json b/pkg/osvscanner/fixtures/filter/some/want.json new file mode 100644 index 00000000000..6c7bd2c7b11 --- /dev/null +++ b/pkg/osvscanner/fixtures/filter/some/want.json 
@@ -0,0 +1,540 @@ +{ + "results": [ + { + "source": { + "path": "fixtures/filter/some/configs/b/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "golang.org/x/net", + "version": "0.1.0", + "ecosystem": "Go" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-vvpx-j8f3-3w6h", + "modified": "2023-03-09T21:20:44Z", + "published": "2023-02-17T14:00:02Z", + "aliases": [ + "CVE-2022-41723" + ], + "summary": "Uncontrolled Resource Consumption", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468135" + }, + { + "type": "WEB", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/57855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + { + "type": "WEB", + "url": "https://vuln.go.dev/ID/GO-2023-1571.json" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-17T14:00:02Z", + "nvd_published_at": "2023-02-28T18:15:00Z", + "severity": "HIGH" + } + }, + { + "schema_version": "1.4.0", + "id": "GO-2023-1571", + "modified": "2023-02-22T20:13:12Z", + "published": 
"2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "stdlib", + "purl": "pkg:golang/stdlib" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "net/http" + } + ] + } + }, + { + "package": { + "ecosystem": "Go", + "name": "golang.org/x/net", + "purl": "pkg:golang/golang.org/x/net" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "database_specific": { + "source": "https://vuln.go.dev/ID/GO-2023-1571.json", + "url": "https://pkg.go.dev/vuln/GO-2023-1571" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2" + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-vvpx-j8f3-3w6h", + "GO-2023-1571" + ] + } + ] + } + ] + }, + { + "source": { + "path": "fixtures/filter/some/configs/c/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": 
"ascii", + "version": "0.8.7", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-mrrw-grhq-86gf", + "modified": "2023-02-28T20:30:10Z", + "published": "2023-02-28T20:30:10Z", + "aliases": null, + "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", + "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "ascii", + "purl": "pkg:cargo/ascii" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.6.0" + }, + { + "fixed": "0.9.3" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" + }, + { + "type": "WEB", + "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tomprogrammer/rust-ascii" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2023-02-28T20:30:10Z", + "nvd_published_at": null, + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-mrrw-grhq-86gf" + ] + } + ] + }, + { + "package": { + "name": "time", + "version": "0.1.45", + "ecosystem": "crates.io" + }, + "vulnerabilities": [ + { + "schema_version": "1.4.0", + "id": "GHSA-wcg3-cvx6-7396", + 
"modified": "2022-12-06T00:16:25Z", + "published": "2021-08-25T20:56:46Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Segmentation fault in time", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.1" + }, + { + "last_affected": "0.2" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + } + }, + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.2.7" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_local_offset_at", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::try_current_local_offset", + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local" + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" + }, + { + "type": "WEB", + "url": "https://github.com/time-rs/time/issues/293" + }, + { + "type": "WEB", + "url": "https://crates.io/crates/time/0.2.23" + }, + { + "type": "PACKAGE", + "url": "https://github.com/time-rs/time" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-476" + ], + "github_reviewed": true, + "severity": "MODERATE" + } + }, + { + 
"schema_version": "1.4.0", + "id": "RUSTSEC-2020-0071", + "modified": "2023-02-08T15:06:38Z", + "published": "2020-11-18T12:00:00Z", + "aliases": [ + "CVE-2020-26235" + ], + "summary": "Potential segfault in the time crate", + "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "time", + "purl": "pkg:cargo/time" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-0" + }, + { + "fixed": "0.2.0" + }, + { + "introduced": "0.2.1-0" + }, + { + "fixed": "0.2.1" + }, + { + "introduced": "0.2.2-0" + }, + { + "fixed": "0.2.2" + }, + { + "introduced": "0.2.3-0" + }, + { + "fixed": "0.2.3" + }, + { + "introduced": "0.2.4-0" + }, + { + "fixed": "0.2.4" + }, + { + "introduced": "0.2.5-0" + }, + { + "fixed": "0.2.5" + }, + { + "introduced": "0.2.6-0" + }, + { + "fixed": "0.2.6" + }, + { + "introduced": "0.2.7-0" + }, + { + "fixed": "0.2.23" + } + ] + } + ], + "database_specific": { + "categories": [ + "code-execution", + "memory-corruption" + ], + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "informational": null, + "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" + }, + "ecosystem_specific": { + "affects": { + "arch": [], + "functions": [ + "time::OffsetDateTime::now_local", + "time::OffsetDateTime::try_now_local", + "time::UtcOffset::current_local_offset", + "time::UtcOffset::local_offset_at", + "time::UtcOffset::try_current_local_offset", + "time::UtcOffset::try_local_offset_at", + "time::at", + "time::at_utc", + "time::now" + ], + "os": [ + "linux", + "redox", + "solaris", + "android", + "ios", + "macos", + "netbsd", + "openbsd", + "freebsd" + ] + } + } + } + ], + "references": [ + { + "type": "PACKAGE", + "url": "https://crates.io/crates/time" + }, + { + "type": "ADVISORY", + "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" + }, + { + "type": "REPORT", + "url": "https://github.com/time-rs/time/issues/293" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-wcg3-cvx6-7396", + "RUSTSEC-2020-0071" + ] + } + ] + } + ] + } + ] +} diff --git a/pkg/osvscanner/osvscanner_internal_test.go b/pkg/osvscanner/osvscanner_internal_test.go new file mode 100644 index 00000000000..440f3f969e5 --- /dev/null +++ b/pkg/osvscanner/osvscanner_internal_test.go 
@@ -0,0 +1,73 @@
+package osvscanner
+
+import (
+ "path/filepath"
+ "reflect"
+ "testing"
+
+ "github.com/google/osv-scanner/internal/output"
+ "github.com/google/osv-scanner/internal/testutility"
+ "github.com/google/osv-scanner/pkg/config"
+ "github.com/google/osv-scanner/pkg/models"
+)
+
+func Test_filterResults(t *testing.T) {
+ t.Parallel()
+
+ type testCase struct {
+ input models.VulnerabilityResults
+ want models.VulnerabilityResults
+ numFiltered int
+ path string
+ }
+
+ loadTestCase := func(path string) testCase {
+ var testCase testCase
+ testCase.input = testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(path, "input.json"))
+ testCase.want = testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(path, "want.json"))
+ testCase.numFiltered = len(testCase.input.Flatten()) - len(testCase.want.Flatten())
+ testCase.path = path
+
+ return testCase
+ }
+ tests := []struct {
+ name string
+ testCase testCase
+ }{
+ {
+ name: "",
+ testCase: loadTestCase("fixtures/filter/all/"),
+ },
+ {
+ name: "",
+ testCase: loadTestCase("fixtures/filter/none/"),
+ },
+ {
+ name: "",
+ testCase: loadTestCase("fixtures/filter/some/"),
+ },
+ }
+ for _, tt := range tests {
+ tt := tt // Reinitialize for t.Parallel()
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+ r := output.NewVoidReporter()
+ // ConfigManager looks for osv-scanner.toml in the source path.
+ // Sources in the test input should point to files/folders in the text fixture folder for this to work correctly.
+ configManager := config.ConfigManager{
+ DefaultConfig: config.Config{},
+ ConfigMap: make(map[string]config.Config),
+ }
+ got := tt.testCase.input
+ filtered := filterResults(r, &got, &configManager)
+ if !reflect.DeepEqual(got, tt.testCase.want) {
+ out := filepath.Join(tt.testCase.path, "out.json")
+ testutility.CreateJSONFixture(t, out, got)
+ t.Errorf("filterResults() did not match expected output. 
Output written to %s", out)
+ }
+ if filtered != tt.testCase.numFiltered {
+ t.Errorf("filterResults() = %v, want %v", filtered, tt.testCase.numFiltered)
+ }
+ })
+ }
+}
From 7b0c96ead27519245c7dfd2c592f7485c40b6523 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Sun, 19 Mar 2023 22:47:19 +0000 Subject: [PATCH 11/13] Review fixes --- pkg/osvscanner/osvscanner.go | 16 +++++++++------- pkg/osvscanner/osvscanner_internal_test.go | 13 +++++++------ 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index dcbe9423ec1..1477edef2bb 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -360,17 +360,19 @@ func scanDebianDocker(r *output.Reporter, query *osv.BatchedQuery, dockerImageNa
 // Filters results according to config, preserving order. Returns total number of vulnerabilities removed.
 func filterResults(r *output.Reporter, results *models.VulnerabilityResults, configManager *config.ConfigManager) int {
 removedCount := 0
- newResults := []models.PackageSource{}
+ newResults := []models.PackageSource{} // Want 0 vulnerabilities to show in JSON as an empty list, not null.
 for _, pkgSrc := range results.Results {
 configToUse := configManager.Get(r, pkgSrc.Source.Path)
- newPackages := []models.PackageVulns{}
+ var newPackages []models.PackageVulns
 for _, pkgVulns := range pkgSrc.Packages {
 newVulns := filterPackageVulns(r, pkgVulns, configToUse)
 removedCount += len(pkgVulns.Vulnerabilities) - len(newVulns.Vulnerabilities)
+ // Don't want to include the package at all if there are no vulns.
 if len(newVulns.Vulnerabilities) > 0 {
 newPackages = append(newPackages, newVulns)
 }
 }
+ // Don't want to include the package source at all if there are no vulns.
 if len(newPackages) > 0 {
 pkgSrc.Packages = newPackages
 newResults = append(newResults, pkgSrc)
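Review bot: On a mismatch the test writes its actual output into the fixture directory under the source tree (`out := filepath.Join(tt.testCase.path, "out.json")` followed by `testutility.CreateJSONFixture(t, out, got)`), so a failing run leaves an untracked `out.json` next to `input.json`/`want.json`, and a stale one from an earlier run can be mistaken for a fixture. Writing it under `t.TempDir()`, or to a path that is ignored by version control, keeps the fixture folders clean while still giving the developer the file to inspect. The comment above the `ConfigManager` literal also has a typo: `text fixture folder` should read `test fixture folder`.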
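Review bot: The doc comment on `filterResults` does not start with the function name, so godoc and the usual Go linters will not treat it as the function's documentation; `// filterResults filters results according to config, preserving order. It returns the total number of vulnerabilities removed.` keeps the same content in the conventional form. The same applies to the comment on `filterPackageVulns` in the following hunk (`@@ -383,16 +385,16 @@`). The function's tail, where `newResults` is presumably written back to `results.Results` and `removedCount` returned, lies outside this hunk.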
@@ -383,16 +385,16 @@ func filterResults(r *output.Reporter, results *models.VulnerabilityResults, con
 // Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities.
 func filterPackageVulns(r *output.Reporter, pkgVulns models.PackageVulns, configToUse config.Config) models.PackageVulns {
- hiddenVulns := map[string]bool{}
+ ignoredVulns := map[string]struct{}{}
 // Iterate over groups first to remove all aliases of ignored vulnerabilities.
- newGroups := []models.GroupInfo{}
+ var newGroups []models.GroupInfo
 for _, group := range pkgVulns.Groups {
 ignore := false
 for _, id := range group.IDs {
 var ignoreLine config.IgnoreEntry
 if ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore {
 for _, id := range group.IDs {
- hiddenVulns[id] = true
+ ignoredVulns[id] = struct{}{}
 }
 // NB: This only prints the first reason encountered in all the aliases.
 switch len(group.IDs) {
@@ -412,10 +414,10 @@ func filterPackageVulns(r *output.Reporter, pkgVulns models.PackageVulns, config
 }
 }
- newVulns := []models.Vulnerability{}
+ var newVulns []models.Vulnerability
 if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities.
 for _, vuln := range pkgVulns.Vulnerabilities {
- if _, filtered := hiddenVulns[vuln.ID]; !filtered {
+ if _, filtered := ignoredVulns[vuln.ID]; !filtered {
 newVulns = append(newVulns, vuln)
 }
 }
diff --git a/pkg/osvscanner/osvscanner_internal_test.go b/pkg/osvscanner/osvscanner_internal_test.go
index 440f3f969e5..fa7f31034c5 100644
--- a/pkg/osvscanner/osvscanner_internal_test.go
+++ b/pkg/osvscanner/osvscanner_internal_test.go
@@ -2,9 +2,9 @@ package osvscanner
 import (
 "path/filepath"
- "reflect"
 "testing"
+ "github.com/google/go-cmp/cmp"
 "github.com/google/osv-scanner/internal/output"
 "github.com/google/osv-scanner/internal/testutility"
 "github.com/google/osv-scanner/pkg/config"
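Review bot: In the inner `for _, id := range group.IDs` loop that marks every alias as ignored, the loop variable `id` shadows the outer `id` that was just passed to `configToUse.ShouldIgnore(id)`, which makes the block harder to read and invites a mix-up if the reporting `switch` below (cut off by the hunk) refers to `id`; `for _, alias := range group.IDs { ignoredVulns[alias] = struct{}{} }` avoids the shadowing. Note also that `ignore` is declared outside the inner loop and reassigned on every iteration, so the loop has to leave on the first ignored ID or a later non-ignored alias would reset it to false; the rest of the loop body is outside the hunk, so this is only worth confirming. In the `@@ -412,10 +414,10 @@` hunk, `newVulns` now stays a nil slice when every group of the package was filtered out, which only avoids a `null` in the JSON because `filterResults` drops packages with no vulnerabilities before encoding; extending the existing comment to `// If there are no groups left then there would be no vulnerabilities, and filterResults drops the package entirely.` records that dependency.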
@@ -35,15 +35,15 @@ func Test_filterResults(t *testing.T) {
 testCase testCase
 }{
 {
- name: "",
+ name: "filter_everything",
 testCase: loadTestCase("fixtures/filter/all/"),
 },
 {
- name: "",
+ name: "filter_nothing",
 testCase: loadTestCase("fixtures/filter/none/"),
 },
 {
- name: "",
+ name: "filter_partially",
 testCase: loadTestCase("fixtures/filter/some/"),
 },
 }
@@ -60,10 +60,11 @@ func Test_filterResults(t *testing.T) {
 }
 got := tt.testCase.input
 filtered := filterResults(r, &got, &configManager)
- if !reflect.DeepEqual(got, tt.testCase.want) {
+ if diff := cmp.Diff(tt.testCase.want, got); diff != "" {
 out := filepath.Join(tt.testCase.path, "out.json")
+ t.Errorf("filterResults() returned an unexpected results (-want, +got):\n%s\n"+
+ "Full json output written to %s", diff, out)
 testutility.CreateJSONFixture(t, out, got)
- t.Errorf("filterResults() did not match expected output. Output written to %s", out)
 }
 if filtered != tt.testCase.numFiltered {
 t.Errorf("filterResults() = %v, want %v", filtered, tt.testCase.numFiltered)
From 3e238a83f921133bcf6b0eb036cd63013bac8527 Mon Sep 17 00:00:00 2001
From: Michael Kedar
Date: Mon, 20 Mar 2023 03:00:09 +0000
Subject: [PATCH 12/13] Add comments to test config files
---
 .../fixtures/filter/all/configs/a/osv-scanner.toml | 8 +++++++-
 .../fixtures/filter/all/configs/b/osv-scanner.toml | 7 ++++++-
 .../fixtures/filter/all/configs/c/osv-scanner.toml | 6 ++++++
 .../fixtures/filter/none/configs/b/osv-scanner.toml | 1 +
 .../fixtures/filter/none/configs/c/osv-scanner.toml | 4 +++-
 .../fixtures/filter/some/configs/a/osv-scanner.toml | 4 ++++
 .../fixtures/filter/some/configs/b/osv-scanner.toml | 7 +++++++
 .../fixtures/filter/some/configs/c/osv-scanner.toml | 11 +++++++++++
 8 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml
index 8930bb0f015..a74d4aea05b 100644
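Review bot: The new failure message in the second hunk, `t.Errorf("filterResults() returned an unexpected results (-want, +got):\n%s\n"+`, mixes singular and plural; `"filterResults() returned unexpected results (-want, +got):\n%s\n"+` reads correctly. Calling `testutility.CreateJSONFixture(t, out, got)` on every mismatch appears to write the observed output into the fixture directory during a failing run, which is convenient for refreshing fixtures but deserves a one-line comment so nobody mistakes the written `out.json` for the expected value.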
--- a/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml
@@ -1,15 +1,21 @@
+# An entry for every vulnerability (including aliases)
+
 [[IgnoredVulns]]
 id = "GHSA-mc8h-8q98-g5hr"
 reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
 [[IgnoredVulns]]
 id = "RUSTSEC-2023-0018"
 reason = "Redundant Ignore 1"
+# Redundant ignore statement - Alias of GHSA-mc8h-8q98-g5hr
 [[IgnoredVulns]]
 id = "GHSA-wcg3-cvx6-7396"
 reason = "Ignore 2"
+# Alias of RUSTSEC-2020-0071
 [[IgnoredVulns]]
 id = "RUSTSEC-2020-0071"
-reason = "Redundant Ignore 2"
\ No newline at end of file
+reason = "Redundant Ignore 2"
+# Redundant ignore statement - Alias of GHSA-wcg3-cvx6-7396
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml
index 151c522699a..5c4e69766d9 100644
--- a/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml
@@ -1,11 +1,16 @@
+# One entry for each vulnerability group
+
 [[IgnoredVulns]]
 id = "GHSA-fxg5-wq6x-vr4w"
 reason = "Ignore 1"
+# Alias of GO-2023-1495
 [[IgnoredVulns]]
 id = "GO-2022-1144"
 reason = "Ignore 2"
+# Alias of GHSA-xrjj-mj9h-534m
 [[IgnoredVulns]]
 id = "GO-2023-1571"
-reason = "Ignore 3"
\ No newline at end of file
+reason = "Ignore 3"
+# Alias of GHSA-vvpx-j8f3-3w6h
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml
index 013ac72a245..070641befdb 100644
--- a/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml
@@ -1,15 +1,21 @@
+# One entry for each vulnerability group
+
 [[IgnoredVulns]]
 id = "GHSA-mc8h-8q98-g5hr"
 reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
 [[IgnoredVulns]]
 id = "RUSTSEC-2020-0071"
 reason = "Ignore 2"
+# Alias of GHSA-wcg3-cvx6-7396
 [[IgnoredVulns]]
 id = "RUSTSEC-2023-0015"
 reason = "Ignore 3"
+# No aliases
 [[IgnoredVulns]]
 id = "GHSA-mrrw-grhq-86gf"
 reason = "Ignore 4"
+# No aliases
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml
index e69de29bb2d..b46c993a122 100644
--- a/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml
@@ -0,0 +1 @@
+# An empty config file
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
index 151c522699a..7b908840fd5 100644
--- a/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
@@ -1,3 +1,5 @@
+# These vulnerabilities do not appear in this 'source'
+
 [[IgnoredVulns]]
 id = "GHSA-fxg5-wq6x-vr4w"
 reason = "Ignore 1"
@@ -8,4 +10,4 @@ reason = "Ignore 2"
 [[IgnoredVulns]]
 id = "GO-2023-1571"
-reason = "Ignore 3"
\ No newline at end of file
+reason = "Ignore 3"
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml
index f9c51673b68..21fc9d646ac 100644
--- a/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml
@@ -1,7 +1,11 @@
+# Every vulnerability in this source is ignored. Should not show up at all after filtering.
+
 [[IgnoredVulns]]
 id = "GHSA-mc8h-8q98-g5hr"
 reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
 [[IgnoredVulns]]
 id = "RUSTSEC-2020-0071"
 reason = "Ignore 2"
+# Alias of GHSA-wcg3-cvx6-7396
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml
index 7006bad6c7a..c121b8461fe 100644
--- a/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml
@@ -1,7 +1,14 @@
+# golang.org/x/net is the only vulnerable package, but has multiple unique vulnerabilities.
+# Ignore some vulnerabilities while keeping others. Package should remain in filtered output.
+
 [[IgnoredVulns]]
 id = "GHSA-fxg5-wq6x-vr4w"
 reason = "Ignore 1"
+# Alias of GO-2023-1495
 [[IgnoredVulns]]
 id = "GO-2022-1144"
 reason = "Ignore 2"
+# No aliases
+
+# GHSA-vvpx-j8f3-3w6h (and alias GO-2023-1571) should remain unfiltered.
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
index 4329f94c997..5b0a7423530 100644
--- a/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
+++ b/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
@@ -1,7 +1,18 @@
+# Ignore all vulnerabilities from one package (remove_dir_all), one from one package (ascii), none from other (time).
+# remove_dir_all should be removed from filtered output, other two packages should remain with filtered vulns.
+
+# remove_dir_all:
 [[IgnoredVulns]]
 id = "GHSA-mc8h-8q98-g5hr"
 reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
+# ascii:
 [[IgnoredVulns]]
 id = "RUSTSEC-2023-0015"
 reason = "Ignore 2"
+# No Aliases
+
+# Remaining packages/vulns:
+# ascii - GHSA-mrrw-grhq-86gf (no aliases)
+# time - GHSA-wcg3-cvx6-7396 (& alias RUSTSEC-2020-0071)
From 244efc9e6c61ed99462fa3e0bcc384ced1cca269 Mon Sep 17 00:00:00 2001
From: Michael Kedar
Date: Mon, 20 Mar 2023 03:05:45 +0000
Subject: [PATCH 13/13] Fix filter print number
---
 pkg/osvscanner/osvscanner.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 1477edef2bb..c5023021c8d 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -403,7 +403,7 @@ func filterPackageVulns(r *output.Reporter, pkgVulns models.PackageVulns, config
 case 2:
 r.PrintText(fmt.Sprintf("%s and 1 alias have been filtered out because: %s\n", ignoreLine.ID, ignoreLine.Reason))
 default:
- r.PrintText(fmt.Sprintf("%s and %d aliases have been filtered out because: %s\n", ignoreLine.ID, len(group.IDs), ignoreLine.Reason))
+ r.PrintText(fmt.Sprintf("%s and %d aliases have been filtered out because: %s\n", ignoreLine.ID, len(group.IDs)-1, ignoreLine.Reason))
 }
 break