
chore(deps): bump github.com/aquasecurity/trivy from 0.20.0 to 0.22.0 #1350

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Dec 25, 2021

Bumps github.com/aquasecurity/trivy from 0.20.0 to 0.22.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.22.0

Changelog

  • 42f795fa fix(java/pom): ignore unsupported requirements (#1514)
  • 8f737cc6 feat(cli): warning for root command (#1516)
  • 76249bdc BREAKING: disable JAR detection in fs/repo scanning (#1512)
  • 59957d4c feat(scan): support --offline-scan option (#1511)
  • da8b72d2 fix: improve memory usage (#1509)
  • b713ad0f feat(java): support pom.xml (#1501)
  • 56115e9d docs: fixing rust link to security advisory (#1504)
  • 7f859afa Add missing IacMetdata (#1505)
  • 628a7964 feat(jar): add file path (#1498)
  • 82fba771 feat(rpm): support NDB (#1497)
  • d5269da5 feat: added misconfiguration field for html.tpl (#1444)

Docker images

  • docker pull aquasec/trivy:0.22.0
  • docker pull ghcr.io/aquasecurity/trivy:0.22.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.22.0

v0.21.3

Changelog

  • 8e57dee8 fix(docs): typo (#1488)
  • 8bfbc84a feat(plugin): Add option to update plugin (#1462)
  • 1e811de2 fix: fixed skipFiles/skipDirs flags for relative path (#1482)
  • 8b5796f7 feat (plugin): add list and info command for plugin (#1452)
  • a2199bb4 fix: set up a vulnerability severity (#1458)
  • 279e76f7 chore: add arm64 deb package (#1480)
  • 52625908 Link to trivy tutorial on Semaphore (#1449)
  • c275a841 refactor(helm): externalize env vars to configMap (#1345)

Docker images

  • docker pull aquasec/trivy:0.21.3
  • docker pull ghcr.io/aquasecurity/trivy:0.21.3
  • docker pull public.ecr.aws/aquasecurity/trivy:0.21.3

v0.21.2

Changelog

  • 7beed301 docs: provide more information on scanning Google's GCR (#1426)
  • f50e1f42 docs(misconfiguration): added instruction for misconfiguration detection (#1428)
  • 3ae4de58 Update git-repository.md (#1430)
  • 6e35b8f5 fix(hooks): exclude unrelated lib types from system files filtering (#1431)
  • beb60b05 chore: run go fmt (#1429)
  • 582e7fd1 fix(sarif): change help field in the sarif template. (#1423)

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Dec 25, 2021
@MaineK00n
Collaborator

@dependabot rebase

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.20.0 to 0.22.0.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml)
- [Commits](aquasecurity/trivy@v0.20.0...v0.22.0)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.22.0 branch from dc71249 to ed85bac on January 11, 2022 04:22
@MaineK00n
Collaborator

MaineK00n commented Jan 11, 2022

Vuls via Trivy v0.22.0 vs Trivy v0.22.0

diff

environment

$ vuls -v
vuls-v0.19.1-build-20220113_085202_3f63bbe

$ trivy --version
Version: v0.22.0
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2022-01-12 18:41:01.368432432 +0000 UTC
  NextUpdate: 2022-01-13 00:41:01.368431832 +0000 UTC
  DownloadedAt: 2022-01-12 20:16:53.249734575 +0000 UTC

lockfile

I verified with a file in integration/data/lockfile.

bundler

In Trivy, CVE-2018-8048 (loofah, nokogiri) is counted in two cases, so the total number of cases is 57 in Trivy and 56 in Vuls.

  • Trivy
Gemfile.lock (bundler)
======================
Total: 57 (UNKNOWN: 1, LOW: 1, MEDIUM: 22, HIGH: 27, CRITICAL: 6)

+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
|       LIBRARY        |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                    TITLE                     |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| actionpack           | CVE-2021-22885      | HIGH     | 4.2.6             | ~> 5.2.4.6, ~> 5.2.6, ~>       | rubygem-actionpack: Possible                 |
|                      |                     |          |                   | 6.0.3, >= 6.0.3.7, >= 6.1.3.2  | Information Disclosure / Unintended          |
|                      |                     |          |                   |                                | Method Execution in Action Pack              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-22885        |
+                      +---------------------+          +                   +                                +----------------------------------------------+
|                      | CVE-2021-22904      |          |                   |                                | rails: Possible DoS                          |
|                      |                     |          |                   |                                | Vulnerability in Action                      |
|                      |                     |          |                   |                                | Controller Token Authentication              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-22904        |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-8164       | MEDIUM   |                   | ~> 5.2.4, >= 5.2.4.3, >=       | rubygem-actionpack: possible                 |
|                      |                     |          |                   | 6.0.3.1                        | strong parameters bypass                     |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8164         |
+                      +---------------------+          +                   +                                +----------------------------------------------+
|                      | CVE-2020-8166       |          |                   |                                | rubygem-actionpack: ability                  |
|                      |                     |          |                   |                                | to forge per-form CSRF tokens                |
|                      |                     |          |                   |                                | given a global CSRF token...                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8166         |
+----------------------+---------------------+----------+                   +--------------------------------+----------------------------------------------+
| actionview           | CVE-2019-5418       | HIGH     |                   | ~> 4.2.11, >= 4.2.11.1, ~>     | rubygem-actionpack: render file              |
|                      |                     |          |                   | 5.0.7, >= 5.0.7.2, ~> 5.1.6,   | directory traversal in Action View           |
|                      |                     |          |                   | >= 5.1.6.2, ~> 5.2.2, >=       | -->avd.aquasec.com/nvd/cve-2019-5418         |
|                      |                     |          |                   | 5.2.2.1, >= 6.0.0.beta3        |                                              |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-5419       |          |                   | >= 6.0.0.beta3, ~> 5.2.2, >=   | rubygem-actionpack: denial of                |
|                      |                     |          |                   | 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, | service vulnerability in Action View         |
|                      |                     |          |                   | ~> 5.0.7, >= 5.0.7.2, ~>       | -->avd.aquasec.com/nvd/cve-2019-5419         |
|                      |                     |          |                   | 4.2.11, >= 4.2.11.1            |                                              |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2016-6316       | MEDIUM   |                   | ~> 4.2.7.1, ~> 4.2.8, >=       | rubygem-actionview: cross-site               |
|                      |                     |          |                   | 5.0.0.1                        | scripting flaw in Action View                |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-6316         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-15169      |          |                   | ~> 5.2.4, >= 5.2.4.4, >=       | rubygem-activeview: Cross-site               |
|                      |                     |          |                   | 6.0.3.3                        | scripting in translation helpers             |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-15169        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-5267       |          |                   | ~> 5.2.4, >= 5.2.4.2, >=       | rubygem-actionview: views that               |
|                      |                     |          |                   | 6.0.2.2                        | use the `j` or `escape_javascript`           |
|                      |                     |          |                   |                                | methods are susceptible to...                |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-5267         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-8163       |          |                   | >= 4.2.11.2                    | rubygem-rails: potential                     |
|                      |                     |          |                   |                                | remote code execution of                     |
|                      |                     |          |                   |                                | user-provided local names                    |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8163         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-8167       |          |                   | ~> 5.2.4, >= 5.2.4.3, >=       | rubygem-actionview: CSRF                     |
|                      |                     |          |                   | 6.0.3.1                        | vulnerability in rails-ujs                   |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8167         |
+----------------------+---------------------+----------+                   +--------------------------------+----------------------------------------------+
| activejob            | CVE-2018-16476      | HIGH     |                   | ~> 4.2.11, ~> 5.0.7.1, ~>      | activejob: Information                       |
|                      |                     |          |                   | 5.1.6.1, ~> 5.1.7, >= 5.2.1.1  | Exposure through                             |
|                      |                     |          |                   |                                | deserialization using GlobalId               |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-16476        |
+----------------------+---------------------+          +                   +--------------------------------+----------------------------------------------+
| activerecord         | CVE-2016-6317       |          |                   | >= 4.2.7.1                     | rubygem-activerecord: unsafe                 |
|                      |                     |          |                   |                                | query generation in Active Record            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-6317         |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2021-22880      | MEDIUM   |                   | ~> 5.2.4, >= 5.2.4.5, ~>       | rubygem-activerecord: crafted input          |
|                      |                     |          |                   | 6.0.3, >= 6.0.3.5, >= 6.1.2.1  | may cause a regular expression DoS           |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-22880        |
+----------------------+---------------------+----------+                   +--------------------------------+----------------------------------------------+
| activesupport        | CVE-2020-8165       | HIGH     |                   | ~> 5.2.4, >= 5.2.4.3, >=       | rubygem-activesupport: potentially           |
|                      |                     |          |                   | 6.0.3.1                        | unintended unmarshalling                     |
|                      |                     |          |                   |                                | of user-provided objects in                  |
|                      |                     |          |                   |                                | MemCacheStore and RedisCacheStore            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8165         |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| addressable          | CVE-2021-32740      |          | 2.4.0             | >= 2.8.0                       | rubygem-addressable:                         |
|                      |                     |          |                   |                                | ReDoS in templates                           |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-32740        |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| ffi                  | CVE-2018-1000201    |          | 1.9.10            | >= 1.9.24                      | ruby-ffi DDL loading                         |
|                      |                     |          |                   |                                | issue on Windows OS                          |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1000201      |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| i18n                 | CVE-2014-10077      |          | 0.7.0             | >= 0.8.0                       | rubygem-i18n: denial of                      |
|                      |                     |          |                   |                                | service in Hash#slice in                     |
|                      |                     |          |                   |                                | lib/i18n/core_ext/hash.rb                    |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2014-10077        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| jquery-rails         | CVE-2019-11358      | MEDIUM   | 3.1.4             | >= 4.3.4                       | jquery: Prototype pollution in               |
|                      |                     |          |                   |                                | object's prototype leading to                |
|                      |                     |          |                   |                                | denial of service, remote...                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-11358        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-11023      |          |                   | >= 4.4.0                       | jquery: Untrusted code execution via         |
|                      |                     |          |                   |                                | <option> tag in HTML passed to DOM...        |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-11023        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| json                 | CVE-2020-10663      | HIGH     | 1.8.3             | >= 2.3.0                       | rubygem-json: Unsafe object                  |
|                      |                     |          |                   |                                | creation vulnerability in JSON               |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-10663        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| loofah               | CVE-2018-16468      | MEDIUM   | 2.0.3             | >= 2.2.3                       | rubygem-loofah: XXS when a                   |
|                      |                     |          |                   |                                | crafted SVG element is republished           |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-16468        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2018-8048       |          |                   | >= 2.2.1                       | rubygem-loofah: XSS vulnerability            |
|                      |                     |          |                   |                                | due to unescaped comments                    |
|                      |                     |          |                   |                                | within attributes by libxml2                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-8048         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-15587      |          |                   | >= 2.3.1                       | rubygem-loofah: XXS when a                   |
|                      |                     |          |                   |                                | crafted SVG element is republished           |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-15587        |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| net-ldap             | CVE-2017-17718      |          | 0.12.1            | >= 0.16.0                      | rubygem-net-ldap: Missing                    |
|                      |                     |          |                   |                                | SSL Certificate Validation                   |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17718        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| nokogiri             | CVE-2016-4658       | CRITICAL | 1.6.7.2           | >= 1.7.1                       | libxml2: Use after free via                  |
|                      |                     |          |                   |                                | namespace node in XPointer ranges            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-4658         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-11068      |          |                   | >= 1.10.3                      | libxslt: xsltCheckRead and                   |
|                      |                     |          |                   |                                | xsltCheckWrite routines                      |
|                      |                     |          |                   |                                | security bypass by crafted URL               |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-11068        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-5477       |          |                   | >= 1.10.4                      | Rexical Command                              |
|                      |                     |          |                   |                                | Injection Vulnerability                      |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-5477         |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2015-8806       | HIGH     |                   | >= 1.6.8                       | libxml2: heap-buffer                         |
|                      |                     |          |                   |                                | overread in dict.c                           |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2015-8806         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2017-15412      |          |                   | >= 1.8.2                       | libxml2: Use after free in                   |
|                      |                     |          |                   |                                | xmlXPathCompOpEvalPositionalPredicate()      |
|                      |                     |          |                   |                                | function in xpath.c                          |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-15412        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2017-16932      |          |                   | >= 1.8.1                       | libxml2: Infinite recursion                  |
|                      |                     |          |                   |                                | in parameter entities                        |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-16932        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2017-5029       |          |                   | >= 1.7.2                       | chromium-browser: integer                    |
|                      |                     |          |                   |                                | overflow in libxslt                          |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-5029         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2017-9050       |          |                   | >= 1.8.1                       | libxml2: Heap-based buffer over-read         |
|                      |                     |          |                   |                                | in function xmlDictAddString                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-9050         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2018-14404      |          |                   | >= 1.8.5                       | libxml2: NULL pointer dereference            |
|                      |                     |          |                   |                                | in xmlXPathCompOpEval()                      |
|                      |                     |          |                   |                                | function in xpath.c                          |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-14404        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-13117      |          |                   | >= 1.10.5                      | libxslt: an xsl number with certain          |
|                      |                     |          |                   |                                | format strings could lead to a...            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-13117        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-7595       |          |                   | >= 1.10.8                      | libxml2: infinite loop in                    |
|                      |                     |          |                   |                                | xmlStringLenDecodeEntities in                |
|                      |                     |          |                   |                                | some end-of-file situations                  |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-7595         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2021-41098      |          |                   | >= 1.12.5                      | rubygem-nokogiri: XEE on JRuby               |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-41098        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | GHSA-7rrm-v45f-jp64 |          |                   | >= 1.11.4                      | Update packaged dependency                   |
|                      |                     |          |                   |                                | libxml2 from 2.9.10 to 2.9.12                |
|                      |                     |          |                   |                                | -->github.com/advisories/GHSA-7rrm-v45f-jp64 |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2017-18258      | MEDIUM   |                   | 1.8.2                          | libxml2: Unrestricted memory usage           |
|                      |                     |          |                   |                                | in xz_head() function in xzlib.c             |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-18258        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2018-8048       |          |                   | >= 1.8.3                       | rubygem-loofah: XSS vulnerability            |
|                      |                     |          |                   |                                | due to unescaped comments                    |
|                      |                     |          |                   |                                | within attributes by libxml2                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-8048         |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-26247      | LOW      |                   | >= 1.11.0.rc4                  | rubygem-nokogiri: XML external entity        |
|                      |                     |          |                   |                                | injection via Nokogiri::XML::Schema          |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26247        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| rack                 | CVE-2020-8184       | HIGH     | 1.6.4             | ~> 2.1.4, >= 2.2.3             | rubygem-rack: percent-encoded                |
|                      |                     |          |                   |                                | cookies can be used to overwrite             |
|                      |                     |          |                   |                                | existing prefixed cookie names...            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8184         |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2018-16471      | MEDIUM   |                   | ~> 1.6.11, >= 2.0.6            | rubygem-rack: Cross-site                     |
|                      |                     |          |                   |                                | scripting (XSS) via `scheme`                 |
|                      |                     |          |                   |                                | method on `Rack::Request`                    |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-16471        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-16782      |          |                   | ~> 1.6.12, >= 2.0.8            | rubygem-rack: hijack sessions                |
|                      |                     |          |                   |                                | by using timing attacks                      |
|                      |                     |          |                   |                                | targeting the session id                     |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-16782        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2020-8161       |          |                   | ~> 2.1.3, >= 2.2.0             | rubygem-rack: directory                      |
|                      |                     |          |                   |                                | traversal in Rack::Directory                 |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8161         |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| rails-html-sanitizer | CVE-2018-3741       |          | 1.0.3             | >= 1.0.4                       | rubygem-rails-html-sanitizer:                |
|                      |                     |          |                   |                                | non-whitelisted attributes are               |
|                      |                     |          |                   |                                | present in sanitized output when             |
|                      |                     |          |                   |                                | input with specially-crafted...              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-3741         |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| rake                 | CVE-2020-8130       | HIGH     | 11.1.2            | >= 12.3.3                      | rake: OS Command Injection                   |
|                      |                     |          |                   |                                | via egrep in Rake::FileList                  |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8130         |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| rdoc                 | CVE-2021-31799      |          | 4.2.2             | >= 6.3.1                       | rubygem-rdoc: Command                        |
|                      |                     |          |                   |                                | injection vulnerability in RDoc              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-31799        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| redcarpet            | CVE-2020-26298      | MEDIUM   | 3.3.4             | >= 3.5.1                       | rubygem-redcarpet: does not                  |
|                      |                     |          |                   |                                | escape HTML when processing                  |
|                      |                     |          |                   |                                | quotes which could result in...              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26298        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| ruby-openid          | CVE-2019-11027      | CRITICAL | 2.3.0             | >= 2.9.0                       | rubygem-ruby-openid: Unknown                 |
|                      |                     |          |                   |                                | remotely exploitable flaw                    |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-11027        |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| rubyzip              | CVE-2017-5946       |          | 1.2.0             | >= 1.2.1                       | rubygem-rubyzip: Directory                   |
|                      |                     |          |                   |                                | traversal in the Zip::File component         |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-5946         |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2018-1000544    |          |                   | >= 1.2.2                       | rubyzip: arbitrary file write                |
|                      |                     |          |                   |                                | vulnerability / arbitrary code               |
|                      |                     |          |                   |                                | execution using a specially...               |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1000544      |
+                      +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-16892      | MEDIUM   |                   | >= 1.3.0                       | cfme: rubygem-rubyzip denial                 |
|                      |                     |          |                   |                                | of service via crafted ZIP file              |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-16892        |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| sprockets            | CVE-2018-3760       | HIGH     | 3.6.0             | >= 2.12.5, < 3.0.0, >= 3.7.2,  | rubygem-sprockets: Path                      |
|                      |                     |          |                   | < 4.0.0, >= 4.0.0.beta8        | traversal in forbidden_request?()            |
|                      |                     |          |                   |                                | can allow remote attackers                   |
|                      |                     |          |                   |                                | to read arbitrary...                         |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-3760         |
+----------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| yard                 | CVE-2017-17042      |          | 0.8.7.6           | >= 0.9.11                      | rubygem-yard:                                |
|                      |                     |          |                   |                                | (lib/yard/core_ext/file.rb)                  |
|                      |                     |          |                   |                                | is vulnerable to directory                   |
|                      |                     |          |                   |                                | traversal attacks                            |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17042        |
+                      +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                      | CVE-2019-1020001    |          |                   | >= 0.9.20                      | Arbitrary path traversal and                 |
|                      |                     |          |                   |                                | file access via `yard server`                |
|                      |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-1020001      |
+                      +---------------------+----------+                   +                                +----------------------------------------------+
|                      | GHSA-xfhh-rx56-rxcr | UNKNOWN  |                   |                                | Possible arbitrary path traversal            |
|                      |                     |          |                   |                                | and file access via `yard server`            |
|                      |                     |          |                   |                                | -->github.com/advisories/GHSA-xfhh-rx56-rxcr |
+----------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
  • Vuls
bundler (pseudo)
================
Total: 56 (Critical:7 High:31 Medium:17 Low:0 ?:1)
56/56 Fixed, 17 poc, 1 exploits, cisa: 0, uscert: 1, jpcert: 0 alerts
0 installed, 111 libs

+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-2016-4658       | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-4658    |
| CVE-2017-5946       | 10.0 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-5946    |
| CVE-2018-1000544    | 10.0 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1000544 |
| CVE-2019-11027      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11027   |
| CVE-2019-11068      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11068   |
| CVE-2019-5477       | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-5477    |
| CVE-2020-8165       | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8165    |
| CVE-2014-10077      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2014-10077   |
| CVE-2015-8806       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2015-8806    |
| CVE-2016-6317       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-6317    |
| CVE-2017-15412      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-15412   |
| CVE-2017-16932      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-16932   |
| CVE-2017-17042      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-17042   |
| CVE-2017-5029       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-5029    |
| CVE-2017-9050       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-9050    |
| CVE-2018-1000201    |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1000201 |
| CVE-2018-14404      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-14404   |
| CVE-2018-16476      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16476   |
| CVE-2018-3760       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-3760    |
| CVE-2019-1020001    |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1020001 |
| CVE-2019-13117      |  8.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-13117   |
| CVE-2019-5418       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-5418    |
| CVE-2019-5419       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-5419    |
| CVE-2020-10663      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-10663   |
| CVE-2020-7595       |  8.9 |  AV:N  |     |      CERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7595    |
| CVE-2020-8161       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8161    |
| CVE-2020-8163       |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8163    |
| CVE-2020-8164       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8164    |
| CVE-2020-8184       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8184    |
| CVE-2021-22880      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-22880   |
| CVE-2021-22885      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-22885   |
| CVE-2021-22904      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-22904   |
| CVE-2021-31799      |  8.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-31799   |
| CVE-2021-32740      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-32740   |
| CVE-2021-41098      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-41098   |
| GHSA-7rrm-v45f-jp64 |  8.9 |        |     |           |   fixed |                                                   |
| CVE-2020-8130       |  8.1 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8130    |
| CVE-2020-8167       |  7.5 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8167    |
| CVE-2016-6316       |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-6316    |
| CVE-2017-17718      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-17718   |
| CVE-2017-18258      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-18258   |
| CVE-2018-16468      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16468   |
| CVE-2018-16471      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16471   |
| CVE-2018-3741       |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-3741    |
| CVE-2018-8048       |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-8048    |
| CVE-2019-11358      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11358   |
| CVE-2019-15587      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-15587   |
| CVE-2019-16782      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-16782   |
| CVE-2019-16892      |  6.9 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-16892   |
| CVE-2020-11023      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-11023   |
| CVE-2020-15169      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-15169   |
| CVE-2020-26247      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-26247   |
| CVE-2020-26298      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-26298   |
| CVE-2020-5267       |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-5267    |
| CVE-2020-8166       |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8166    |
| GHSA-xfhh-rx56-rxcr |  0.0 |        |     |           |   fixed |                                                   |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+

pip

  • Trivy
requirements.txt (pip)
======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| numpy   | CVE-2021-33430   | HIGH     | 1.18.5            |          1.21 | numpy: buffer overflow in the         |
|         |                  |          |                   |               | PyArray_NewFromDescr_int() in ctors.c |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33430 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
  • Vuls
pip (pseudo)
============
Total: 1 (Critical:0 High:1 Medium:0 Low:0 ?:0)
1/1 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2021-33430 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-33430 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+

pipenv

  • Trivy
Pipfile.lock (pipenv)
=====================
Total: 16 (UNKNOWN: 4, LOW: 0, MEDIUM: 4, HIGH: 7, CRITICAL: 1)

+----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| babel    | CVE-2021-42771   | HIGH     | 0.9.0             | 2.9.1         | CVE-2021-20095 CVE-2021-42771           |
|          |                  |          |                   |               | python-babel: Relative path             |
|          |                  |          |                   |               | traversal allows attacker               |
|          |                  |          |                   |               | to load arbitrary locale...             |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42771   |
+----------+------------------+          +-------------------+---------------+-----------------------------------------+
| flask    | CVE-2018-1000656 |          | 0.1.2             | 0.12.3        | python-flask: Denial of                 |
|          |                  |          |                   |               | Service via crafted JSON file           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-1000656 |
+          +------------------+          +                   +---------------+-----------------------------------------+
|          | CVE-2019-1010083 |          |                   |           1.0 | python-flask: unexpected                |
|          |                  |          |                   |               | memory usage can lead to denial         |
|          |                  |          |                   |               | of service via crafted...               |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010083 |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | pyup.io-25820    | UNKNOWN  |                   | 0.6.1         | flask 0.6.1 fixes a security            |
|          |                  |          |                   |               | problem that allowed clients            |
|          |                  |          |                   |               | to download arbitrary...                |
+----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| jinja2   | CVE-2016-10745   | HIGH     | 0.11.3            | 2.8.1         | python-jinja2: Sandbox escape due to    |
|          |                  |          |                   |               | information disclosure via str.format   |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-10745   |
+          +------------------+          +                   +---------------+-----------------------------------------+
|          | CVE-2019-10906   |          |                   | 2.10.1        | python-jinja2: str.format_map           |
|          |                  |          |                   |               | allows sandbox escape                   |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-10906   |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | CVE-2014-1402    | MEDIUM   |                   | 2.7.3         | python-jinja2:                          |
|          |                  |          |                   |               | FileSystemBytecodeCache insecure        |
|          |                  |          |                   |               | cache temporary file use                |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2014-1402    |
+          +------------------+          +                   +---------------+-----------------------------------------+
|          | CVE-2020-28493   |          |                   | 2.11.3        | python-jinja2: ReDoS                    |
|          |                  |          |                   |               | vulnerability in the urlize filter      |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28493   |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | pyup.io-25865    | UNKNOWN  |                   | 2.7.2         | jinja2 2.7.2 fixes a security           |
|          |                  |          |                   |               | issue: Changed the default              |
|          |                  |          |                   |               | folder for the...                       |
+----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| urllib3  | CVE-2018-20060   | CRITICAL | 0.26.3            |          1.23 | python-urllib3: Cross-host redirect     |
|          |                  |          |                   |               | does not remove Authorization header    |
|          |                  |          |                   |               | allow for credential exposure...        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20060   |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | CVE-2019-11324   | HIGH     |                   | 1.24.2        | python-urllib3: Certification           |
|          |                  |          |                   |               | mishandle when error should be thrown   |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11324   |
+          +------------------+          +                   +---------------+-----------------------------------------+
|          | CVE-2021-33503   |          |                   | 1.26.5        | python-urllib3: ReDoS in the            |
|          |                  |          |                   |               | parsing of authority part of URL        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33503   |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | CVE-2019-11236   | MEDIUM   |                   |               | python-urllib3: CRLF injection          |
|          |                  |          |                   |               | due to not encoding the                 |
|          |                  |          |                   |               | '\r\n' sequence leading to...           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11236   |
+          +------------------+          +                   +---------------+-----------------------------------------+
|          | CVE-2020-26137   |          |                   | 1.25.9        | python-urllib3: CRLF injection          |
|          |                  |          |                   |               | via HTTP request method                 |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-26137   |
+          +------------------+----------+                   +---------------+-----------------------------------------+
|          | pyup.io-39094    | UNKNOWN  |                   |           1.8 | Urllib3 1.8 improves the                |
|          |                  |          |                   |               | default SSL/TLS settings to             |
|          |                  |          |                   |               | avoid vulnerabilities.                  |
+----------+------------------+          +-------------------+---------------+-----------------------------------------+
| werkzeug | pyup.io-42050    |          | 1.0.1             | 2.0.2         | Werkzeug version 2.0.2                  |
|          |                  |          |                   |               | improves the security of the            |
|          |                  |          |                   |               | debugger cookies. "SameSite"            |
|          |                  |          |                   |               | attribute...                            |
+----------+------------------+----------+-------------------+---------------+-----------------------------------------+
  • Vuls
pipenv (pseudo)
================
Total: 16 (Critical:3 High:6 Medium:3 Low:0 ?:4)
16/16 Fixed, 3 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 19 libs

+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-2018-20060   | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-20060   |
| CVE-2016-10745   |  9.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-10745   |
| CVE-2019-10906   |  9.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10906   |
| CVE-2018-1000656 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1000656 |
| CVE-2019-1010083 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1010083 |
| CVE-2019-11324   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11324   |
| CVE-2021-33503   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-33503   |
| CVE-2021-42771   |  8.9 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-42771   |
| CVE-2020-28493   |  7.5 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28493   |
| CVE-2014-1402    |  6.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2014-1402    |
| CVE-2019-11236   |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11236   |
| CVE-2020-26137   |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-26137   |
| pyup.io-25820    |  0.0 |        |     |           |   fixed |                                                   |
| pyup.io-25865    |  0.0 |        |     |           |   fixed |                                                   |
| pyup.io-39094    |  0.0 |        |     |           |   fixed |                                                   |
| pyup.io-42050    |  0.0 |        |     |           |   fixed |                                                   |
+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+

poetry

  • Trivy
poetry.lock (poetry)
====================
Total: 8 (UNKNOWN: 1, LOW: 1, MEDIUM: 3, HIGH: 3, CRITICAL: 0)

+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                 TITLE                 |
+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
| html5lib | CVE-2016-9909    | MEDIUM   |               0.1 | 0.99999999, 1.0b9 | The serializer in html5lib            |
|          |                  |          |                   |                   | before 0.99999999 might allow         |
|          |                  |          |                   |                   | remote attackers to conduct...        |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-9909  |
+          +------------------+          +                   +                   +---------------------------------------+
|          | CVE-2016-9910    |          |                   |                   | The serializer in html5lib            |
|          |                  |          |                   |                   | before 0.99999999 might allow         |
|          |                  |          |                   |                   | remote attackers to conduct...        |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-9910  |
+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
| keyring  | CVE-2012-5577    | HIGH     | 0.3.0             |              0.10 | Python keyring lib before 0.10        |
|          |                  |          |                   |                   | created keyring files with            |
|          |                  |          |                   |                   | world-readable permissions. See:...   |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2012-5577  |
+          +------------------+----------+                   +-------------------+---------------------------------------+
|          | CVE-2012-5578    | MEDIUM   |                   |                   | Python keyring has insecure           |
|          |                  |          |                   |                   | permissions on new databases          |
|          |                  |          |                   |                   | allowing world-readable files to...   |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2012-5578  |
+          +------------------+----------+                   +-------------------+---------------------------------------+
|          | CVE-2012-4571    | LOW      |                   | 0.9.1             | python-keyring: weak                  |
|          |                  |          |                   |                   | encryption in keyring                 |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2012-4571  |
+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
| msgpack  | pyup.io-36700    | UNKNOWN  | 0.0.2             | 0.6.0             | msgpack 0.6.0 contains some           |
|          |                  |          |                   |                   | backward incompatible changes         |
|          |                  |          |                   |                   | for security reason (DoS).            |
+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
| py       | CVE-2020-29651   | HIGH     | 0.10.0            |                   | python-py: ReDoS in the py.path.svnwc |
|          |                  |          |                   |                   | component via mailicious input        |
|          |                  |          |                   |                   | to blame functionality...             |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-29651 |
+----------+------------------+          +-------------------+-------------------+---------------------------------------+
| urllib3  | CVE-2021-33503   |          | 1.26.4            | 1.26.5            | python-urllib3: ReDoS in the          |
|          |                  |          |                   |                   | parsing of authority part of URL      |
|          |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-33503 |
+----------+------------------+----------+-------------------+-------------------+---------------------------------------+
  • Vuls
poetry (pseudo)
===============
Total: 8 (Critical:0 High:3 Medium:3 Low:1 ?:1)
8/8 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 62 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2012-5577  |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2012-5577  |
| CVE-2020-29651 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-29651 |
| CVE-2021-33503 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-33503 |
| CVE-2012-5578  |  6.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2012-5578  |
| CVE-2016-9909  |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-9909  |
| CVE-2016-9910  |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2016-9910  |
| CVE-2012-4571  |  3.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2012-4571  |
| pyup.io-36700  |  0.0 |        |     |           |   fixed |                                                 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+

composer

  • Trivy
composer.lock (composer)
========================
Total: 13 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 9, CRITICAL: 2)

+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
|         LIBRARY         |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                    TITLE                     |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| erusev/parsedown        | CVE-2019-10905      | HIGH     | 1.7.1             | 1.7.2                          | Class-Name Injection                         |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-10905        |
+-------------------------+---------------------+          +-------------------+--------------------------------+----------------------------------------------+
| laravel/framework       | CVE-2020-19316      |          | v5.7.9            | 5.8.17                         | OS Command Injection                         |
|                         |                     |          |                   |                                | in Laravel Framework                         |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-19316        |
+                         +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                         | CVE-2020-24941      |          |                   | 7.24.0, 6.18.35                | Improper Input Validation in Laravel         |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-24941        |
+                         +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                         | CVE-2021-21263      |          |                   | 8.22.1, 7.30.3, 6.20.12        | Unexpected bindings in QueryBuilder          |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21263        |
+                         +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                         | GHSA-4mg9-vhxq-vm7j |          |                   | 6.20.26, 8.40.0                | SQL Server LIMIT / OFFSET SQL Injection in   |
|                         |                     |          |                   |                                | laravel/framework and illuminate/database    |
|                         |                     |          |                   |                                | -->github.com/advisories/GHSA-4mg9-vhxq-vm7j |
+                         +---------------------+          +                   +--------------------------------+----------------------------------------------+
|                         | GHSA-x7p5-p2c9-phvg |          |                   | 8.24.0, 7.30.4, 6.20.14        | Unexpected database bindings                 |
|                         |                     |          |                   |                                | -->github.com/advisories/GHSA-x7p5-p2c9-phvg |
+                         +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                         | CVE-2021-43808      | MEDIUM   |                   | 6.20.42, 7.30.6, 8.75.0        | Possible cross-site scripting                |
|                         |                     |          |                   |                                | (XSS) vulnerability in the                   |
|                         |                     |          |                   |                                | Blade templating engine                      |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-43808        |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| league/flysystem        | CVE-2021-32708      | CRITICAL | 1.0.48            | 1.1.4, 2.1.1                   | TOCTOU Race Condition                        |
|                         |                     |          |                   |                                | enabling remote code execution               |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-32708        |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| phpseclib/phpseclib     | CVE-2021-30130      | HIGH     | 2.0.11            | 2.0.31, 3.0.7                  | Improper Certificate                         |
|                         |                     |          |                   |                                | Validation in phpseclib                      |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-30130        |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| symfony/http-foundation | CVE-2019-10913      | CRITICAL | v4.1.6            | 3.2.0, 3.3.0, 3.4.0, 3.4.26,   | CVE-2019-10913: Reject                       |
|                         |                     |          |                   | 4.1.12, 2.7.51, 3.1.0, 4.1.0,  | invalid HTTP method overrides                |
|                         |                     |          |                   | 4.2.7, 2.8.50                  | -->avd.aquasec.com/nvd/cve-2019-10913        |
+                         +---------------------+----------+                   +--------------------------------+----------------------------------------------+
|                         | CVE-2019-18888      | HIGH     |                   | 2.7.0, 4.3.8, 2.1.0, 2.4.0,    | CVE-2019-18888: Prevent argument             |
|                         |                     |          |                   | 2.2.0, 3.2.0, 3.4.0, 2.3.0,    | injection in a MimeTypeGuesser               |
|                         |                     |          |                   | 2.8.0, 2.8.52, 3.1.0, 3.3.0,   | -->avd.aquasec.com/nvd/cve-2019-18888        |
|                         |                     |          |                   | 3.4.35, 4.1.0, 4.2.0, 2.5.0,   |                                              |
|                         |                     |          |                   | 2.6.0, 4.2.12                  |                                              |
+-------------------------+---------------------+          +                   +--------------------------------+----------------------------------------------+
| symfony/http-kernel     | CVE-2019-18887      |          |                   | 2.5.0, 2.7.0, 2.8.52, 3.3.0,   | CVE-2019-18887: Use constant                 |
|                         |                     |          |                   | 4.1.0, 2.4.0, 4.2.12, 4.3.8,   | time comparison in UriSigner                 |
|                         |                     |          |                   | 2.6.0, 3.1.0, 2.3.0, 2.8.0,    | -->avd.aquasec.com/nvd/cve-2019-18887        |
|                         |                     |          |                   | 3.2.0, 3.4.0, 3.4.35, 4.2.0    |                                              |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
| twig/twig               | CVE-2019-9942       | LOW      | v1.35.4           | 1.38.0, 2.7.0                  | Sandbox Information Disclosure               |
|                         |                     |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-9942         |
+-------------------------+---------------------+----------+-------------------+--------------------------------+----------------------------------------------+
  • Vuls
composer (pseudo)
=================
Total: 13 (Critical:1 High:9 Medium:2 Low:1 ?:0)
13/13 Fixed, 2 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 73 libs

+---------------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+---------------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2019-10913      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10913 |
| CVE-2019-10905      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10905 |
| CVE-2019-18887      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-18887 |
| CVE-2019-18888      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-18888 |
| CVE-2020-19316      |  8.9 |        |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-19316 |
| CVE-2020-24941      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-24941 |
| CVE-2021-30130      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-30130 |
| CVE-2021-32708      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-32708 |
| GHSA-4mg9-vhxq-vm7j |  8.9 |        |     |           |   fixed |                                                 |
| GHSA-x7p5-p2c9-phvg |  8.9 |        |     |           |   fixed |                                                 |
| CVE-2021-21263      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-21263 |
| CVE-2021-43808      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-43808 |
| CVE-2019-9942       |  3.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-9942  |
+---------------------+------+--------+-----+-----------+---------+-------------------------------------------------+

npm

  • Trivy
package-lock.json (npm)
=======================
Total: 28 (UNKNOWN: 0, LOW: 5, MEDIUM: 12, HIGH: 9, CRITICAL: 2)

+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
|      LIBRARY      |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |                    TITLE                     |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| color-string      | CVE-2021-29060      | MEDIUM   | 1.5.2             | 1.5.5               | nodejs-color-string: Regular                 |
|                   |                     |          |                   |                     | expression denial of service when            |
|                   |                     |          |                   |                     | the application is provided and...           |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-29060        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| cryptiles         | CVE-2018-1000620    | CRITICAL | 3.1.2             | >=4.1.2             | nodejs-cryptiles: Insecure randomness        |
|                   |                     |          |                   |                     | causes the randomDigits() function           |
|                   |                     |          |                   |                     | returns a pseudo-random data string...       |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-1000620      |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| debug             | CVE-2017-16137      | LOW      | 0.7.4             | 3.1.0, 2.6.9        | nodejs-debug: Regular                        |
|                   |                     |          |                   |                     | expression Denial of Service                 |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2017-16137        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| extend            | CVE-2018-16492      | MEDIUM   | 3.0.1             | 2.0.2, 3.0.2        | nodejs-extend: Prototype                     |
|                   |                     |          |                   |                     | pollution can allow attackers                |
|                   |                     |          |                   |                     | to modify object properties                  |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-16492        |
+-------------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| highlight.js      | GHSA-7wwv-vh3v-89cq |          | 9.12.0            | 10.4.1              | ReDOS vulnerabities: multiple grammars       |
|                   |                     |          |                   |                     | -->github.com/advisories/GHSA-7wwv-vh3v-89cq |
+                   +---------------------+----------+                   +---------------------+----------------------------------------------+
|                   | CVE-2020-26237      | LOW      |                   | 10.1.2, 9.18.2      | nodejs-highlight-js:                         |
|                   |                     |          |                   |                     | prototype pollution via                      |
|                   |                     |          |                   |                     | a crafted HTML code block                    |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-26237        |
+-------------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| hoek              | CVE-2018-3728       |          | 4.2.0             | >=5.0.3 >=4.2.1     | hoek: Prototype pollution                    |
|                   |                     |          |                   |                     | in utilities function                        |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-3728         |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| json-schema       | CVE-2021-3918       | MEDIUM   | 0.2.3             | 0.4.0               | nodejs-json-schema: Prototype                |
|                   |                     |          |                   |                     | pollution vulnerability                      |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-3918         |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| lodash            | CVE-2019-10744      | CRITICAL | 4.17.4            | 4.17.12             | nodejs-lodash: prototype                     |
|                   |                     |          |                   |                     | pollution in defaultsDeep function           |
|                   |                     |          |                   |                     | leading to modifying properties              |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2019-10744        |
+                   +---------------------+----------+                   +---------------------+----------------------------------------------+
|                   | CVE-2018-16487      | HIGH     |                   | >=4.17.11           | lodash: Prototype pollution                  |
|                   |                     |          |                   |                     | in utilities function                        |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-16487        |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | CVE-2020-8203       |          |                   | 4.17.19             | nodejs-lodash: prototype pollution           |
|                   |                     |          |                   |                     | in zipObjectDeep function                    |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-8203         |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | CVE-2021-23337      |          |                   | 4.17.21             | nodejs-lodash: command                       |
|                   |                     |          |                   |                     | injection via template                       |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23337        |
+                   +---------------------+----------+                   +---------------------+----------------------------------------------+
|                   | CVE-2019-1010266    | MEDIUM   |                   | 4.17.11             | lodash: uncontrolled resource                |
|                   |                     |          |                   |                     | consumption in Data handler                  |
|                   |                     |          |                   |                     | causing denial of service                    |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2019-1010266      |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | CVE-2020-28500      |          |                   | 4.17.21             | nodejs-lodash: ReDoS via the                 |
|                   |                     |          |                   |                     | toNumber, trim and trimEnd functions         |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-28500        |
+                   +---------------------+----------+                   +---------------------+----------------------------------------------+
|                   | CVE-2018-3721       | LOW      |                   | >=4.17.5            | lodash: Prototype pollution                  |
|                   |                     |          |                   |                     | in utilities function                        |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-3721         |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| minimist          | CVE-2020-7598       | MEDIUM   | 0.0.8             | 1.2.3, 0.2.1        | nodejs-minimist: prototype                   |
|                   |                     |          |                   |                     | pollution allows adding                      |
|                   |                     |          |                   |                     | or modifying properties of                   |
|                   |                     |          |                   |                     | Object.prototype using a...                  |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-7598         |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| node-fetch        | CVE-2020-15168      | LOW      | 1.7.3             | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after               |
|                   |                     |          |                   |                     | fetch() JS thread leads to DoS               |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-15168        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| path-parse        | CVE-2021-23343      | MEDIUM   | 1.0.5             | 1.0.7               | nodejs-path-parse:                           |
|                   |                     |          |                   |                     | ReDoS via splitDeviceRe,                     |
|                   |                     |          |                   |                     | splitTailRe and splitPathRe                  |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23343        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| remarkable        | CVE-2019-12041      | HIGH     | 1.7.1             |                     | Regular Expression Denial                    |
|                   |                     |          |                   |                     | of Service in remarkable                     |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2019-12041        |
+                   +---------------------+----------+                   +---------------------+----------------------------------------------+
|                   | CVE-2019-12043      | MEDIUM   |                   |                     | Cross-site Scripting in remarkable           |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2019-12043        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| sshpk             | CVE-2018-3737       | HIGH     | 1.13.1            | 1.13.2              | nodejs-sshpk: ReDoS when                     |
|                   |                     |          |                   |                     | parsing crafted invalid public               |
|                   |                     |          |                   |                     | keys in lib/formats/ssh.js                   |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-3737         |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | NSWG-ECO-401        |          |                   | >=1.13.2            | Denial of Service                            |
|                   |                     |          |                   |                     | -->hackerone.com/reports/319593              |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| stringstream      | CVE-2018-21270      | MEDIUM   | 0.0.5             | 0.0.6               | nodejs-stringstream:                         |
|                   |                     |          |                   |                     | out-of-bounds read leading to                |
|                   |                     |          |                   |                     | uninitialized memory exposure                |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2018-21270        |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | NSWG-ECO-422        |          |                   | >=0.0.6             | Out-of-bounds Read                           |
|                   |                     |          |                   |                     | -->hackerone.com/reports/321670              |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| ua-parser-js      | CVE-2020-7733       | HIGH     | 0.7.17            | 0.7.22              | nodejs-ua-parser-js:                         |
|                   |                     |          |                   |                     | Regular expression denial                    |
|                   |                     |          |                   |                     | of service via the regex                     |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-7733         |
+                   +---------------------+          +                   +---------------------+----------------------------------------------+
|                   | CVE-2021-27292      |          |                   | 0.7.24              | nodejs-ua-parser-js: ReDoS via               |
|                   |                     |          |                   |                     | malicious User-Agent header                  |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-27292        |
+-------------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| underscore        | CVE-2021-23358      |          | 1.7.0             | 1.12.1              | nodejs-underscore: Arbitrary code            |
|                   |                     |          |                   |                     | execution via the template function          |
|                   |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23358        |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| underscore.string | GHSA-v2p6-4mp7-3r9v | MEDIUM   | 2.4.0             | 3.3.5               | Regular Expression Denial of                 |
|                   |                     |          |                   |                     | Service in underscore.string                 |
|                   |                     |          |                   |                     | -->github.com/advisories/GHSA-v2p6-4mp7-3r9v |
+-------------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
  • Vuls
npm (pseudo)
============
Total: 28 (Critical:6 High:10 Medium:12 Low:0 ?:0)
28/28 Fixed, 20 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 273 libs

+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-2018-1000620    | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1000620 |
| CVE-2018-16492      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16492   |
| CVE-2019-10744      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10744   |
| CVE-2021-3918       | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-3918    |
| CVE-2018-16487      |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16487   |
| CVE-2020-7598       |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7598    |
| CVE-2018-3728       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-3728    |
| CVE-2018-3737       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-3737    |
| CVE-2019-12041      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-12041   |
| CVE-2020-7733       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7733    |
| CVE-2020-8203       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8203    |
| CVE-2021-23337      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23337   |
| CVE-2021-23343      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23343   |
| CVE-2021-23358      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23358   |
| CVE-2021-27292      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-27292   |
| NSWG-ECO-401        |  8.9 |        |     |           |   fixed |                                                   |
| CVE-2017-16137      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2017-16137   |
| CVE-2018-21270      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-21270   |
| CVE-2018-3721       |  6.9 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-3721    |
| CVE-2019-1010266    |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1010266 |
| CVE-2019-12043      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-12043   |
| CVE-2020-15168      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-15168   |
| CVE-2020-26237      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-26237   |
| CVE-2020-28500      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28500   |
| CVE-2021-29060      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-29060   |
| GHSA-7wwv-vh3v-89cq |  6.9 |        |     |           |   fixed |                                                   |
| GHSA-v2p6-4mp7-3r9v |  6.9 |        |     |           |   fixed |                                                   |
| NSWG-ECO-422        |  6.9 |        |     |           |   fixed |                                                   |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+

yarn

As in the case of bundler, Trivy also matched Vuls in terms of unique CVE-IDs with 50.

  • Trivy
yarn.lock (yarn)
================
Total: 65 (UNKNOWN: 0, LOW: 2, MEDIUM: 22, HIGH: 31, CRITICAL: 10)

+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
|      LIBRARY      |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                    TITLE                     |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| acorn             | GHSA-6chw-6frg-f759 | HIGH     | 5.7.3             | 5.7.4, 7.1.1, 6.4.1           | Regular Expression Denial                    |
|                   |                     |          |                   |                               | of Service in Acorn                          |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-6chw-6frg-f759 |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 6.0.4             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| ansi-regex        | CVE-2021-3807       | MEDIUM   | 3.0.0             | 5.0.1, 6.0.1                  | nodejs-ansi-regex: Regular                   |
|                   |                     |          |                   |                               | expression denial of service                 |
|                   |                     |          |                   |                               | (ReDoS) matching ANSI escape codes           |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| braces            | CVE-2018-1109       | LOW      | 1.8.5             | 2.3.1                         | nodejs-braces: Regular                       |
|                   |                     |          |                   |                               | Expression Denial of Service                 |
|                   |                     |          |                   |                               | (ReDoS) in lib/parsers.js                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2018-1109         |
+                   +---------------------+          +                   +                               +----------------------------------------------+
|                   | GHSA-g95f-p29q-9xw4 |          |                   |                               | Regular Expression Denial                    |
|                   |                     |          |                   |                               | of Service in braces                         |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-g95f-p29q-9xw4 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| bson              | CVE-2020-7610       | HIGH     | 1.1.0             | 1.1.4                         | bson:  Deserialization of                    |
|                   |                     |          |                   |                               | Untrusted Data could result                  |
|                   |                     |          |                   |                               | in Code injection or...                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7610         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| dot-prop          | CVE-2020-8116       |          | 3.0.0             | 5.1.1, 4.2.1                  | nodejs-dot-prop: prototype pollution         |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8116         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 4.2.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| glob-parent       | CVE-2020-28469      |          | 2.0.0             | 5.1.2                         | nodejs-glob-parent: Regular                  |
|                   |                     |          |                   |                               | expression denial of service                 |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469        |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 3.1.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| handlebars        | CVE-2019-19919      | CRITICAL | 4.0.12            | 4.3.0                         | nodejs-handlebars: prototype                 |
|                   |                     |          |                   |                               | pollution leading to remote code             |
|                   |                     |          |                   |                               | execution via crafted payloads               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-19919        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23369      |          |                   | 4.7.7                         | nodejs-handlebars: Remote                    |
|                   |                     |          |                   |                               | code execution when compiling                |
|                   |                     |          |                   |                               | untrusted compile templates                  |
|                   |                     |          |                   |                               | with strict:true option...                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23369        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | GHSA-2cf5-4w76-r9qv | HIGH     |                   | 4.5.2, 3.0.8                  | Arbitrary Code Execution in handlebars       |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-2cf5-4w76-r9qv |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | GHSA-g9r4-xpmj-mj65 |          |                   | 4.5.3, 3.0.8                  | Prototype Pollution in handlebars            |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-g9r4-xpmj-mj65 |
+                   +---------------------+          +                   +                               +----------------------------------------------+
|                   | GHSA-q2c6-c6pm-g3gh |          |                   |                               | Arbitrary Code Execution in handlebars       |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-q2c6-c6pm-g3gh |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | GHSA-q42p-pg8m-cqh6 |          |                   | 3.0.7, 4.0.14, 4.1.2          | Prototype Pollution in handlebars            |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-q42p-pg8m-cqh6 |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | GHSA-f52g-6jhx-586p | MEDIUM   |                   | 4.4.5                         | Denial of Service in handlebars              |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-f52g-6jhx-586p |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | NSWG-ECO-519        |          |                   | >=4.6.0                       | Denial of Service                            |
|                   |                     |          |                   |                               | -->hackerone.com/reports/726364              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| hosted-git-info   | CVE-2021-23362      |          | 2.7.1             | 2.8.9, 3.0.8                  | nodejs-hosted-git-info: Regular              |
|                   |                     |          |                   |                               | Expression denial of service                 |
|                   |                     |          |                   |                               | via shortcutMatch in fromUrl()               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23362        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| ini               | CVE-2020-7788       | HIGH     | 1.3.5             | 1.3.6                         | nodejs-ini: Prototype pollution              |
|                   |                     |          |                   |                               | via malicious INI file                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7788         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| js-yaml           | GHSA-8j8c-7jfh-h6hx |          | 3.12.0            | 3.13.1                        | Code Injection in js-yaml                    |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-8j8c-7jfh-h6hx |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | GHSA-2pr6-76vf-7546 | MEDIUM   |                   | 3.13.0                        | Denial of Service in js-yaml                 |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-2pr6-76vf-7546 |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| json-schema       | CVE-2021-3918       |          | 0.2.3             | 0.4.0                         | nodejs-json-schema: Prototype                |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3918         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| kind-of           | CVE-2019-20149      | HIGH     | 6.0.2             | 6.0.3                         | nodejs-kind-of: ctorName in                  |
|                   |                     |          |                   |                               | index.js allows external user input          |
|                   |                     |          |                   |                               | to overwrite certain internal...             |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-20149        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| lodash            | CVE-2019-10744      | CRITICAL | 4.17.10           | 4.17.12                       | nodejs-lodash: prototype                     |
|                   |                     |          |                   |                               | pollution in defaultsDeep function           |
|                   |                     |          |                   |                               | leading to modifying properties              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10744        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2018-16487      | HIGH     |                   | >=4.17.11                     | lodash: Prototype pollution                  |
|                   |                     |          |                   |                               | in utilities function                        |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2018-16487        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2020-8203       |          |                   | 4.17.19                       | nodejs-lodash: prototype pollution           |
|                   |                     |          |                   |                               | in zipObjectDeep function                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8203         |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23337      |          |                   | 4.17.21                       | nodejs-lodash: command                       |
|                   |                     |          |                   |                               | injection via template                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23337        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2019-1010266    | MEDIUM   |                   | 4.17.11                       | lodash: uncontrolled resource                |
|                   |                     |          |                   |                               | consumption in Data handler                  |
|                   |                     |          |                   |                               | causing denial of service                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-1010266      |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2020-28500      |          |                   | 4.17.21                       | nodejs-lodash: ReDoS via the                 |
|                   |                     |          |                   |                               | toNumber, trim and trimEnd functions         |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28500        |
+                   +---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
|                   | CVE-2019-10744      | CRITICAL | 4.17.11           | 4.17.12                       | nodejs-lodash: prototype                     |
|                   |                     |          |                   |                               | pollution in defaultsDeep function           |
|                   |                     |          |                   |                               | leading to modifying properties              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10744        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2020-8203       | HIGH     |                   | 4.17.19                       | nodejs-lodash: prototype pollution           |
|                   |                     |          |                   |                               | in zipObjectDeep function                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8203         |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23337      |          |                   | 4.17.21                       | nodejs-lodash: command                       |
|                   |                     |          |                   |                               | injection via template                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23337        |
+                   +---------------------+----------+                   +                               +----------------------------------------------+
|                   | CVE-2020-28500      | MEDIUM   |                   |                               | nodejs-lodash: ReDoS via the                 |
|                   |                     |          |                   |                               | toNumber, trim and trimEnd functions         |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28500        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| lodash.template   | CVE-2019-10744      | CRITICAL | 4.4.0             | 4.5.0                         | nodejs-lodash: prototype                     |
|                   |                     |          |                   |                               | pollution in defaultsDeep function           |
|                   |                     |          |                   |                               | leading to modifying properties              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10744        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| mem               | GHSA-4xcv-9jjx-gfj3 | MEDIUM   | 1.1.0             | 4.0.0                         | Denial of Service in mem                     |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-4xcv-9jjx-gfj3 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| merge             | CVE-2020-28499      | HIGH     | 1.2.1             | 2.1.1                         | Prototype Pollution in merge                 |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28499        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| minimist          | CVE-2020-7598       | MEDIUM   | 0.0.10            | 1.2.3, 0.2.1                  | nodejs-minimist: prototype                   |
|                   |                     |          |                   |                               | pollution allows adding                      |
|                   |                     |          |                   |                               | or modifying properties of                   |
|                   |                     |          |                   |                               | Object.prototype using a...                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7598         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 0.0.8             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 0.1.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 1.2.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| mixin-deep        | CVE-2019-10746      | CRITICAL | 1.3.1             | 2.0.1, 1.3.2                  | nodejs-mixin-deep: prototype                 |
|                   |                     |          |                   |                               | pollution in function mixin-deep             |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10746        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| mongodb           | GHSA-mh5c-679w-hh4r | HIGH     | 3.1.10            | 3.1.13                        | Denial of Service in mongodb                 |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-mh5c-679w-hh4r |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| mongoose          | CVE-2019-17426      | CRITICAL | 5.3.15            | 5.7.5                         | Improper Input Validation                    |
|                   |                     |          |                   |                               | in Automattic Mongoose                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-17426        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| mpath             | CVE-2021-23438      |          | 0.5.1             | 0.8.4                         | mpath: type confusion can lead               |
|                   |                     |          |                   |                               | to a bypass of CVE-2018-16490                |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23438        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| mquery            | CVE-2020-35149      | MEDIUM   | 3.2.0             | 3.2.3                         | mquery: Code injection via                   |
|                   |                     |          |                   |                               | merge or clone operation                     |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-35149        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| node-notifier     | CVE-2020-7789       |          | 5.3.0             | 8.0.1                         | nodejs-node-notifier: command                |
|                   |                     |          |                   |                               | injection due to the options                 |
|                   |                     |          |                   |                               | params not being sanitised when...           |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7789         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| path-parse        | CVE-2021-23343      |          | 1.0.6             | 1.0.7                         | nodejs-path-parse:                           |
|                   |                     |          |                   |                               | ReDoS via splitDeviceRe,                     |
|                   |                     |          |                   |                               | splitTailRe and splitPathRe                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23343        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| set-value         | CVE-2019-10747      | CRITICAL | 0.4.3             | 3.0.1, 2.0.1                  | nodejs-set-value: prototype                  |
|                   |                     |          |                   |                               | pollution in function set-value              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10747        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23440      | HIGH     |                   | 2.0.1, 4.0.1                  | nodejs-set-value: type confusion             |
|                   |                     |          |                   |                               | allows bypass of CVE-2019-10747              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440        |
+                   +---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
|                   | CVE-2019-10747      | CRITICAL | 2.0.0             | 3.0.1, 2.0.1                  | nodejs-set-value: prototype                  |
|                   |                     |          |                   |                               | pollution in function set-value              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-10747        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23440      | HIGH     |                   | 2.0.1, 4.0.1                  | nodejs-set-value: type confusion             |
|                   |                     |          |                   |                               | allows bypass of CVE-2019-10747              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| tar               | CVE-2021-32803      |          | 4.4.8             | 6.1.2, 5.0.7, 4.4.15, 3.2.3   | nodejs-tar: Insufficient symlink             |
|                   |                     |          |                   |                               | protection allowing arbitrary                |
|                   |                     |          |                   |                               | file creation and overwrite                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32803        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-32804      |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2   | nodejs-tar: Insufficient absolute            |
|                   |                     |          |                   |                               | path sanitization allowing arbitrary         |
|                   |                     |          |                   |                               | file creation and overwrite                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32804        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-37701      |          |                   | 6.1.7, 5.0.8, 4.4.16          | nodejs-tar: Insufficient symlink             |
|                   |                     |          |                   |                               | protection due to directory cache            |
|                   |                     |          |                   |                               | poisoning using symbolic links...            |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37701        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-37712      |          |                   | 6.1.9, 5.0.10, 4.4.18         | nodejs-tar: Insufficient symlink             |
|                   |                     |          |                   |                               | protection due to directory cache            |
|                   |                     |          |                   |                               | poisoning using symbolic links...            |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37712        |
+                   +---------------------+          +                   +                               +----------------------------------------------+
|                   | CVE-2021-37713      |          |                   |                               | nodejs-tar: Arbitrary                        |
|                   |                     |          |                   |                               | File Creation/Overwrite on                   |
|                   |                     |          |                   |                               | Windows via insufficient                     |
|                   |                     |          |                   |                               | relative path sanitization                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37713        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| tmpl              | CVE-2021-3777       | MEDIUM   | 1.0.4             | 1.0.5                         | Regular Expression                           |
|                   |                     |          |                   |                               | Denial of Service in tmpl                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3777         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-newlines     | CVE-2021-33623      | HIGH     | 1.0.0             | 4.0.1, 3.0.1                  | nodejs-trim-newlines:                        |
|                   |                     |          |                   |                               | ReDoS in .end() method                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-33623        |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 2.0.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-off-newlines | CVE-2021-23425      | MEDIUM   | 1.0.1             |                               | nodejs-trim-off-newlines:                    |
|                   |                     |          |                   |                               | ReDoS via string processing                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23425        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| ws                | CVE-2021-32640      |          | 5.2.2             | 5.2.3, 6.2.2, 7.4.6           | nodejs-ws: Specially crafted value           |
|                   |                     |          |                   |                               | of the `Sec-Websocket-Protocol`              |
|                   |                     |          |                   |                               | header can be used to...                     |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32640        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| y18n              | CVE-2020-7774       | HIGH     | 3.2.1             | 5.0.5, 4.0.1, 3.2.2           | nodejs-y18n: prototype                       |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7774         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| yargs-parser      | CVE-2020-7608       | MEDIUM   | 7.0.0             | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype               |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 9.0.2             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
  • Vuls
yarn (pseudo)
=============
Total: 50 (Critical:14 High:23 Medium:12 Low:1 ?:0)
50/50 Fixed, 26 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 836 libs

+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-2019-10744      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10744   |
| CVE-2019-10746      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10746   |
| CVE-2019-10747      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-10747   |
| CVE-2019-17426      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-17426   |
| CVE-2019-19919      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-19919   |
| CVE-2020-28499      | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28499   |
| CVE-2020-7610       | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7610    |
| CVE-2021-23369      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23369   |
| CVE-2021-23438      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23438   |
| CVE-2021-23440      | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23440   |
| CVE-2021-3918       | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-3918    |
| CVE-2018-16487      |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-16487   |
| CVE-2020-7598       |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7598    |
| CVE-2020-8116       |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8116    |
| CVE-2019-20149      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-20149   |
| CVE-2020-28469      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28469   |
| CVE-2020-7774       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7774    |
| CVE-2020-7788       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7788    |
| CVE-2020-8203       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-8203    |
| CVE-2021-23337      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23337   |
| CVE-2021-23343      |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23343   |
| CVE-2021-32803      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-32803   |
| CVE-2021-32804      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-32804   |
| CVE-2021-33623      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-33623   |
| CVE-2021-37701      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-37701   |
| CVE-2021-37712      |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-37712   |
| CVE-2021-37713      |  8.9 |  AV:L  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-37713   |
| CVE-2021-3777       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-3777    |
| CVE-2021-3807       |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-3807    |
| GHSA-2cf5-4w76-r9qv |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-6chw-6frg-f759 |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-8j8c-7jfh-h6hx |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-g9r4-xpmj-mj65 |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-mh5c-679w-hh4r |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-q2c6-c6pm-g3gh |  8.9 |        |     |           |   fixed |                                                   |
| GHSA-q42p-pg8m-cqh6 |  8.9 |        |     |           |   fixed |                                                   |
| CVE-2020-7608       |  7.5 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7608    |
| CVE-2018-1109       |  6.9 |  AV:L  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1109    |
| CVE-2019-1010266    |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1010266 |
| CVE-2020-28500      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28500   |
| CVE-2020-35149      |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-35149   |
| CVE-2020-7789       |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7789    |
| CVE-2021-23362      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23362   |
| CVE-2021-23425      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-23425   |
| CVE-2021-32640      |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-32640   |
| GHSA-2pr6-76vf-7546 |  6.9 |        |     |           |   fixed |                                                   |
| GHSA-4xcv-9jjx-gfj3 |  6.9 |        |     |           |   fixed |                                                   |
| GHSA-f52g-6jhx-586p |  6.9 |        |     |           |   fixed |                                                   |
| NSWG-ECO-519        |  6.9 |        |     |           |   fixed |                                                   |
| GHSA-g95f-p29q-9xw4 |  3.9 |        |     |           |   fixed |                                                   |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+

cargo

  • Trivy
Cargo.lock (cargo)
==================
Total: 13 (UNKNOWN: 13, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+---------------+-------------------+----------+-------------------+--------------------------------+---------------------------------------------+
|    LIBRARY    | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                    TITLE                    |
+---------------+-------------------+----------+-------------------+--------------------------------+---------------------------------------------+
| anymap        | RUSTSEC-2021-0065 | UNKNOWN  | 0.12.1            |                                | anymap is unmaintained.                     |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0065 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| ash           | RUSTSEC-2021-0090 |          | 0.32.1            | >= 0.33.1                      | Reading on uninitialized memory             |
|               |                   |          |                   |                                | may cause UB ( `util::read_spv()` )         |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0090 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| chrono        | RUSTSEC-2020-0159 |          | 0.4.19            |                                | ## References                               |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2020-0159 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| cpuid-bool    | RUSTSEC-2021-0064 |          | 0.1.2             |                                | `cpuid-bool` has been                       |
|               |                   |          |                   |                                | renamed to `cpufeatures`                    |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0064 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| gfx-auxil     | RUSTSEC-2021-0091 |          | 0.9.0             |                                | Reading on uninitialized buffer may         |
|               |                   |          |                   |                                | cause UB ( `gfx_auxil::read_spirv()` )      |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0091 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| hyper         | RUSTSEC-2021-0078 |          | 0.14.7            | >= 0.14.10                     | Lenient `hyper` header                      |
|               |                   |          |                   |                                | parsing of `Content-Length`                 |
|               |                   |          |                   |                                | could allow request smuggling               |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0078 |
+               +-------------------+          +                   +                                +---------------------------------------------+
|               | RUSTSEC-2021-0079 |          |                   |                                | Integer overflow in `hyper`'s               |
|               |                   |          |                   |                                | parsing of the `Transfer-Encoding`          |
|               |                   |          |                   |                                | header leads to data...                     |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0079 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| nix           | RUSTSEC-2021-0119 |          | 0.20.0            | ^0.20.2, ^0.21.2, ^0.22.2, >=  | Out-of-bounds write in                      |
|               |                   |          |                   | 0.23.0                         | nix::unistd::getgrouplist                   |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0119 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| rusqlite      | RUSTSEC-2021-0128 |          | 0.25.1            | >= 0.26.2, 0.25.4              | Incorrect Lifetime Bounds                   |
|               |                   |          |                   |                                | on Closures in `rusqlite`                   |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0128 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| spirv_headers | RUSTSEC-2021-0096 |          | 1.5.0             |                                | spirv_headers is unmaintained,              |
|               |                   |          |                   |                                | use spirv instead                           |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0096 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| time          | RUSTSEC-2020-0071 |          | 0.1.44            | >= 0.2.23                      | ## References                               |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2020-0071 |
+---------------+-------------------+          +-------------------+--------------------------------+---------------------------------------------+
| tokio         | RUSTSEC-2021-0072 |          | 1.5.0             | >= 1.5.1, < 1.6.0, >= 1.6.3,   | Task dropped in wrong thread                |
|               |                   |          |                   | < 1.7.0, >= 1.7.2, < 1.8.0, >= | when aborting `LocalSet` task               |
|               |                   |          |                   | 1.8.1                          | -->rustsec.org/advisories/RUSTSEC-2021-0072 |
+               +-------------------+          +                   +--------------------------------+---------------------------------------------+
|               | RUSTSEC-2021-0124 |          |                   | >= 1.8.4, < 1.9.0, >= 1.13.1   | Data race when sending and receiving        |
|               |                   |          |                   |                                | after closing a `oneshot` channel           |
|               |                   |          |                   |                                | -->rustsec.org/advisories/RUSTSEC-2021-0124 |
+---------------+-------------------+----------+-------------------+--------------------------------+---------------------------------------------+
  • Vuls
cargo (pseudo)
==============
Total: 13 (Critical:0 High:0 Medium:0 Low:0 ?:13)
13/13 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 399 libs

+-------------------+------+--------+-----+-----------+---------+-----+
|      CVE-ID       | CVSS | ATTACK | POC |   ALERT   |  FIXED  | NVD |
+-------------------+------+--------+-----+-----------+---------+-----+
| RUSTSEC-2020-0071 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2020-0159 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0064 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0065 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0072 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0078 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0079 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0090 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0091 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0096 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0119 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0124 |  0.0 |        |     |           |   fixed |     |
| RUSTSEC-2021-0128 |  0.0 |        |     |           |   fixed |     |
+-------------------+------+--------+-----+-----------+---------+-----+

gomod

  • Trivy
go.sum (gomod)
==============
Total: 27 (UNKNOWN: 2, LOW: 0, MEDIUM: 7, HIGH: 14, CRITICAL: 4)

+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
|              LIBRARY               | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |            FIXED VERSION            |                  TITLE                  |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| code.gitea.io/gitea                | CVE-2021-28378   | MEDIUM   | 1.10.3                            | 1.13.4                              | Cross-site Scripting                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2021-28378   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/apache/thrift           | CVE-2019-0205    | HIGH     | 0.12.0                            | 0.13.0                              | thrift: Endless loop when               |
|                                    |                  |          |                                   |                                     | feed with specific input data           |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-0205    |
+                                    +------------------+          +                                   +                                     +-----------------------------------------+
|                                    | CVE-2019-0210    |          |                                   |                                     | thrift: Out-of-bounds read              |
|                                    |                  |          |                                   |                                     | related to TJSONProtocol                |
|                                    |                  |          |                                   |                                     | or TSimpleJSONProtocol                  |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-0210    |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2020-13949   |          |                                   | v0.14.0                             | libthrift: potential DoS when           |
|                                    |                  |          |                                   |                                     | processing untrusted payloads           |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-13949   |
+------------------------------------+------------------+          +-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/dgrijalva/jwt-go        | CVE-2020-26160   |          | 3.2.0+incompatible                |                                     | jwt-go: access restriction              |
|                                    |                  |          |                                   |                                     | bypass vulnerability                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-26160   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/go-gitea/gitea          | CVE-2018-18926   | CRITICAL | 1.2.3                             | v1.5.4                              | Session Fixation                        |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2018-18926   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2019-11576   |          |                                   | v1.8.0                              | Credentials Management                  |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-11576   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2020-28991   |          |                                   | v1.12.6                             | Insufficient Input Validation           |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-28991   |
+                                    +------------------+----------+                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2018-15192   | HIGH     |                                   | v1.5.0                              | Server-Side Request Forgery (SSRF)      |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2018-15192   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2019-11228   |          |                                   | v1.8.0                              | Improper Input Validation               |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-11228   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2019-11229   |          |                                   | v1.7.6, v1.8.1                      | Improper Input Validation               |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-11229   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2020-13246   |          |                                   | v1.12.0                             | Improper Locking                        |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-13246   |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2020-14144   |          |                                   | v1.12.6                             | OS Command Injection                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-14144   |
+                                    +------------------+----------+                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2018-1000803 | MEDIUM   |                                   | v1.5.1                              | Information Exposure                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2018-1000803 |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2019-1000002 |          |                                   | v1.6.3                              | Improper Access Control                 |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-1000002 |
+                                    +------------------+          +                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2019-1010261 |          |                                   | v1.7.1                              | Cross-site Scripting                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-1010261 |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/gogo/protobuf           | CVE-2021-3121    | HIGH     | 1.2.1                             | 1.3.2                               | gogo/protobuf:                          |
|                                    |                  |          |                                   |                                     | plugin/unmarshal/unmarshal.go           |
|                                    |                  |          |                                   |                                     | lacks certain index validation          |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2021-3121    |
+------------------------------------+------------------+          +-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/gorilla/websocket       | CVE-2020-27813   |          | 1.4.0                             | 1.4.1                               | golang-github-gorilla-websocket:        |
|                                    |                  |          |                                   |                                     | integer overflow leads                  |
|                                    |                  |          |                                   |                                     | to denial of service                    |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-27813   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/microcosm-cc/bluemonday | CVE-2021-42576   | CRITICAL | 0.0.0-20161012083705-f77f16ffc87a | 1.0.16                              | Pybluemonday 0.0.8 includes a fix       |
|                                    |                  |          |                                   |                                     | for CVE-2021-42576: The bluemonday      |
|                                    |                  |          |                                   |                                     | sanitizer before 1.0.16...              |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2021-42576   |
+                                    +------------------+----------+                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2021-29272   | MEDIUM   |                                   | 1.0.5                               | bluemonday: Cross-site scripting        |
|                                    |                  |          |                                   |                                     | via uppercase Cyrillic i                |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2021-29272   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/satori/go.uuid          | GO-2020-0018     | UNKNOWN  | 1.2.0                             | 1.2.1-0.20181016170032-d91630c85102 |                                         |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| github.com/unknwon/cae             | CVE-2020-7668    | HIGH     | 1.0.0                             | 1.0.1                               | Improper Limitation of a                |
|                                    |                  |          |                                   |                                     | Pathname to a Restricted                |
|                                    |                  |          |                                   |                                     | Directory ('Path Traversal')            |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-7668    |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| go.mongodb.org/mongo-driver        | CVE-2021-20329   | MEDIUM   | 1.1.1                             | 1.5.1                               | mongo-go-driver: specific cstrings      |
|                                    |                  |          |                                   |                                     | input may not be properly validated     |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2021-20329   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| golang.org/x/crypto                | CVE-2020-29652   | HIGH     | 0.0.0-20191119213627-4f8c1d86b1ba | v0.0.0-20201216223049-8b5274cf687f  | golang: crypto/ssh: crafted             |
|                                    |                  |          |                                   |                                     | authentication request can              |
|                                    |                  |          |                                   |                                     | lead to nil pointer dereference         |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-29652   |
+------------------------------------+------------------+          +-----------------------------------+-------------------------------------+-----------------------------------------+
| golang.org/x/text                  | CVE-2020-14040   |          | 0.3.2                             | 0.3.3                               | golang.org/x/text: possibility          |
|                                    |                  |          |                                   |                                     | to trigger an infinite loop in          |
|                                    |                  |          |                                   |                                     | encoding/unicode could lead to...       |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2020-14040   |
+                                    +------------------+----------+                                   +-------------------------------------+-----------------------------------------+
|                                    | CVE-2021-38561   | UNKNOWN  |                                   | 0.3.7                               | -->avd.aquasec.com/nvd/cve-2021-38561   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
| gopkg.in/yaml.v2                   | CVE-2019-11254   | MEDIUM   | 2.2.4                             | 2.2.8                               | kubernetes: Denial of                   |
|                                    |                  |          |                                   |                                     | service in API server via               |
|                                    |                  |          |                                   |                                     | crafted YAML payloads by...             |
|                                    |                  |          |                                   |                                     | -->avd.aquasec.com/nvd/cve-2019-11254   |
+------------------------------------+------------------+----------+-----------------------------------+-------------------------------------+-----------------------------------------+
  • Vuls
gomod (pseudo)
==============
Total: 27 (Critical:5 High:13 Medium:7 Low:0 ?:2)
27/27 Fixed, 7 poc, 1 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 328 libs

+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-2018-18926   | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-18926   |
| CVE-2019-11576   | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11576   |
| CVE-2020-28991   | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-28991   |
| CVE-2021-42576   | 10.0 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-42576   |
| CVE-2019-11229   |  9.8 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11229   |
| CVE-2018-15192   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-15192   |
| CVE-2019-0205    |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-0205    |
| CVE-2019-0210    |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-0210    |
| CVE-2019-11228   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11228   |
| CVE-2020-13246   |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-13246   |
| CVE-2020-13949   |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-13949   |
| CVE-2020-14040   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-14040   |
| CVE-2020-14144   |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-14144   |
| CVE-2020-26160   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-26160   |
| CVE-2020-27813   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-27813   |
| CVE-2020-29652   |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-29652   |
| CVE-2020-7668    |  8.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-7668    |
| CVE-2021-3121    |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-3121    |
| CVE-2018-1000803 |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-1000803 |
| CVE-2019-1000002 |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1000002 |
| CVE-2019-1010261 |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-1010261 |
| CVE-2019-11254   |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-11254   |
| CVE-2021-20329   |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-20329   |
| CVE-2021-28378   |  6.9 |  AV:N  | POC |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-28378   |
| CVE-2021-29272   |  6.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-29272   |
| CVE-2021-38561   |  0.0 |        |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-38561   |
| GO-2020-0018     |  0.0 |        |     |           |   fixed |                                                   |
+------------------+------+--------+-----+-----------+---------+---------------------------------------------------+

gobinary

  • Trivy
gobinary (gobinary)
===================
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2020-14040   | HIGH     | v0.3.2            | 0.3.3         | golang.org/x/text: possibility        |
|                   |                  |          |                   |               | to trigger an infinite loop in        |
|                   |                  |          |                   |               | encoding/unicode could lead to...     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14040 |
+                   +------------------+----------+                   +---------------+---------------------------------------+
|                   | CVE-2021-38561   | UNKNOWN  |                   | 0.3.7         | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
  • Vuls
gobinary (pseudo)
=================
Total: 2 (Critical:0 High:1 Medium:0 Low:0 ?:1)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2020-14040 |  8.9 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-14040 |
| CVE-2021-38561 |  0.0 |        |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-38561 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+

jar

  • Trivy
Java (jar)
==========
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 2)

+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION     |                 TITLE                 |
+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL | 2.14.1            | 2.15.0                | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                       | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                       | an attacker-controlled...             |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+          +                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-45046   |          |                   | 2.16.0                | log4j-core: DoS in log4j 2.x          |
|                                     |                  |          |                   |                       | with thread context message           |
|                                     |                  |          |                   |                       | pattern and context...                |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-45046 |
+                                     +------------------+----------+                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3        | log4j-core: DoS in log4j              |
|                                     |                  |          |                   |                       | 2.x with Thread Context               |
|                                     |                  |          |                   |                       | Map (MDC) input data...               |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-45105 |
+                                     +------------------+----------+                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-44832   | MEDIUM   |                   | 2.17.1, 2.12.4, 2.3.2 | log4j-core: remote code               |
|                                     |                  |          |                   |                       | execution via JDBC Appender           |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-44832 |
+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
  • Vuls
jar (pseudo)
============
Total: 4 (Critical:2 High:1 Medium:1 Low:0 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 1, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |      CISA |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45046 |
| CVE-2021-45105 |  7.5 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45105 |
| CVE-2021-44832 |  6.9 |        |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44832 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+

pom

  • Trivy
pom.xml (pom)
=============
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 2)

+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION     |                 TITLE                 |
+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL | 2.14.1            | 2.15.0                | log4j-core: Remote code execution     |
|                                     |                  |          |                   |                       | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |                       | an attacker-controlled...             |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-44228 |
+                                     +------------------+          +                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-45046   |          |                   | 2.16.0                | log4j-core: DoS in log4j 2.x          |
|                                     |                  |          |                   |                       | with thread context message           |
|                                     |                  |          |                   |                       | pattern and context...                |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-45046 |
+                                     +------------------+----------+                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-44832   | MEDIUM   |                   | 2.17.1, 2.12.4, 2.3.2 | log4j-core: remote code               |
|                                     |                  |          |                   |                       | execution via JDBC Appender           |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-44832 |
+                                     +------------------+          +                   +-----------------------+---------------------------------------+
|                                     | CVE-2021-45105   |          |                   | 2.17.0, 2.12.3        | log4j-core: DoS in log4j              |
|                                     |                  |          |                   |                       | 2.x with Thread Context               |
|                                     |                  |          |                   |                       | Map (MDC) input data...               |
|                                     |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-45105 |
+-------------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
  • Vuls
pom (pseudo)
============
Total: 4 (Critical:2 High:1 Medium:1 Low:0 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 1, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |      CISA |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45046 |
| CVE-2021-45105 |  7.5 |  AV:N  |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45105 |
| CVE-2021-44832 |  6.9 |        |     |           |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44832 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+

nuget-lock

  • Trivy
packages.lock.json (nuget)
==========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
|         LIBRARY          |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION | FIXED VERSION |                    TITLE                     |
+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
| Microsoft.AspNetCore.App | CVE-2018-8409       | HIGH     | 2.1.0             | 2.1.4         | .NET: Resource loop in                       |
|                          |                     |          |                   |               | ReadAsync when it is being                   |
|                          |                     |          |                   |               | cancelled while producer...                  |
|                          |                     |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-8409         |
+                          +---------------------+----------+                   +---------------+----------------------------------------------+
|                          | GHSA-cgpw-2gph-2r9g | MEDIUM   |                   | 2.1.2         | Moderate severity vulnerability that         |
|                          |                     |          |                   |               | affects Microsoft.AspNetCore.All,            |
|                          |                     |          |                   |               | Microsoft.AspNetCore.App, and                |
|                          |                     |          |                   |               | Microsoft.AspNetCore.Server.Kestrel.Core     |
|                          |                     |          |                   |               | -->github.com/advisories/GHSA-cgpw-2gph-2r9g |
+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
  • Vuls
nuget-lock (pseudo)
===================
Total: 2 (Critical:0 High:1 Medium:1 Low:0 ?:0)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 1 alerts
0 installed, 1 libs

+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                      NVD                       |
+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+
| CVE-2018-8409       |  8.9 |  AV:L  |     |      CERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-8409 |
| GHSA-cgpw-2gph-2r9g |  6.9 |        |     |           |   fixed |                                                |
+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+

nuget-config

  • Trivy
packages.config (nuget)
=======================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
|         LIBRARY          |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION | FIXED VERSION |                    TITLE                     |
+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
| Microsoft.AspNetCore.App | CVE-2018-8409       | HIGH     | 2.1.0             | 2.1.4         | .NET: Resource loop in                       |
|                          |                     |          |                   |               | ReadAsync when it is being                   |
|                          |                     |          |                   |               | cancelled while producer...                  |
|                          |                     |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-8409         |
+                          +---------------------+----------+                   +---------------+----------------------------------------------+
|                          | GHSA-cgpw-2gph-2r9g | MEDIUM   |                   | 2.1.2         | Moderate severity vulnerability that         |
|                          |                     |          |                   |               | affects Microsoft.AspNetCore.All,            |
|                          |                     |          |                   |               | Microsoft.AspNetCore.App, and                |
|                          |                     |          |                   |               | Microsoft.AspNetCore.Server.Kestrel.Core     |
|                          |                     |          |                   |               | -->github.com/advisories/GHSA-cgpw-2gph-2r9g |
+--------------------------+---------------------+----------+-------------------+---------------+----------------------------------------------+
  • Vuls
nuget-config (pseudo)
=====================
Total: 2 (Critical:0 High:1 Medium:1 Low:0 ?:0)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 1 alerts
0 installed, 1 libs

+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                      NVD                       |
+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+
| CVE-2018-8409       |  8.9 |  AV:L  |     |      CERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-8409 |
| GHSA-cgpw-2gph-2r9g |  6.9 |        |     |           |   fixed |                                                |
+---------------------+------+--------+-----+-----------+---------+------------------------------------------------+

@MaineK00n MaineK00n self-assigned this Jan 12, 2022
@MaineK00n MaineK00n requested a review from kotakanbe January 12, 2022 23:50
@MaineK00n
Collaborator

Diff with vuls master.

$ ./vuls.old -v
vuls-v0.19.1-build-20220113_091111_a3f7d1d

$ ./vuls.new -v
vuls-v0.19.1-build-20220113_085202_3f63bbe

$ make diff
./vuls.old scan -config=./integration/int-config.toml --results-dir='/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results' 'bundler' 'pip' 'pipenv' 'poetry' 'composer' 'npm' 'yarn' 'cargo' 'gomod' 'gobinary' 'jar' 'pom' 'nuget-lock' 'nuget-config'
...
Scan Summary
================
gomod       	pseudo	0 installed, 0 updatable	328 libs
nuget-config	pseudo	0 installed, 0 updatable	1 libs  
npm         	pseudo	0 installed, 0 updatable	273 libs
nuget-lock  	pseudo	0 installed, 0 updatable	1 libs  
composer    	pseudo	0 installed, 0 updatable	73 libs 
bundler     	pseudo	0 installed, 0 updatable	111 libs
pip         	pseudo	0 installed, 0 updatable	1 libs  
pipenv      	pseudo	0 installed, 0 updatable	19 libs 
pom         	pseudo	0 installed, 0 updatable
gobinary    	pseudo	0 installed, 0 updatable
poetry      	pseudo	0 installed, 0 updatable	62 libs 
cargo       	pseudo	0 installed, 0 updatable	399 libs
yarn        	pseudo	0 installed, 0 updatable	836 libs
jar         	pseudo	0 installed, 0 updatable	1 libs

./vuls.new scan -config=./integration/int-config.toml --results-dir='/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results' 'bundler' 'pip' 'pipenv' 'poetry' 'composer' 'npm' 'yarn' 'cargo' 'gomod' 'gobinary' 'jar' 'pom' 'nuget-lock' 'nuget-config'
...
Scan Summary
================
bundler     	pseudo	0 installed, 0 updatable	111 libs
nuget-config	pseudo	0 installed, 0 updatable	1 libs  
npm         	pseudo	0 installed, 0 updatable	273 libs
composer    	pseudo	0 installed, 0 updatable	73 libs 
pipenv      	pseudo	0 installed, 0 updatable	19 libs 
gomod       	pseudo	0 installed, 0 updatable	328 libs
nuget-lock  	pseudo	0 installed, 0 updatable	1 libs  
gobinary    	pseudo	0 installed, 0 updatable	1 libs  
pip         	pseudo	0 installed, 0 updatable	1 libs  
poetry      	pseudo	0 installed, 0 updatable	62 libs 
yarn        	pseudo	0 installed, 0 updatable	836 libs
cargo       	pseudo	0 installed, 0 updatable	399 libs
jar         	pseudo	0 installed, 0 updatable	1 libs  
pom         	pseudo	0 installed, 0 updatable	2 libs

diff -c ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:46+09:00' ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:47+09:00'
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/bundler.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/bundler.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/bundler.json	2022-01-13 09:33:51.850530938 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/bundler.json	2022-01-13 09:33:51.878531034 +0900
***************
*** 197,203 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.6.8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 197,203 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.6.8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
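Review bot: `fixedIn` changes here from a bare version (`"1.6.8"`) to a constraint expression (`"\u003e= 1.6.8"`, i.e. `>= 1.6.8` with the `>` in its JSON-escaped form). Any consumer that treats `fixedIn` as a plain version, for example to compare it against the installed version or to render a fixed-version column, will now see an operator prefix, so either strip the operator when populating `fixedIn` or document that the field now carries a version constraint rather than a version. The `\u003e` escape itself is decoded transparently by JSON parsers, but it is worth confirming that the report renderers show `>=` and not the raw escape sequence.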
***************
*** 320,326 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.7.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 320,326 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.7.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 419,425 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "5.0.0.1, 4.2.7.1, 3.2.22.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 419,425 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "~\u003e 4.2.7.1, ~\u003e 4.2.8, \u003e= 5.0.0.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
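Review bot: The new actionview value drops `3.2.22.3`, which the old output listed as a fixed version, and introduces `~\u003e 4.2.8`, a constraint that names no single patched release; please check whether the 3.2.x fix is really absent from the updated advisory data or whether only part of the patched-versions list is being carried over. Independently of that, a flat comma-joined string such as `"~\u003e 4.2.7.1, ~\u003e 4.2.8, \u003e= 5.0.0.1"` cannot be split back into distinct ranges by a consumer; keeping the constraints as a JSON array would preserve that structure.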
***************
*** 498,504 ****
                  {
                      "key": "ruby",
                      "name": "activerecord",
!                     "fixedIn": "4.2.7.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 498,504 ----
                  {
                      "key": "ruby",
                      "name": "activerecord",
!                     "fixedIn": "\u003e= 4.2.7.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 767,773 ****
                  {
                      "key": "ruby",
                      "name": "yard",
!                     "fixedIn": "0.9.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 767,773 ----
                  {
                      "key": "ruby",
                      "name": "yard",
!                     "fixedIn": "\u003e= 0.9.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 834,840 ****
                  {
                      "key": "ruby",
                      "name": "net-ldap",
!                     "fixedIn": "0.16.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 834,840 ----
                  {
                      "key": "ruby",
                      "name": "net-ldap",
!                     "fixedIn": "\u003e= 0.16.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1028,1034 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.7.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1028,1034 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.7.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1099,1105 ****
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "1.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1099,1105 ----
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "\u003e= 1.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1222,1228 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.8.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1222,1228 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.8.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1285,1291 ****
                  {
                      "key": "ruby",
                      "name": "ffi",
!                     "fixedIn": "1.9.24",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1285,1291 ----
                  {
                      "key": "ruby",
                      "name": "ffi",
!                     "fixedIn": "\u003e= 1.9.24",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1360,1366 ****
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "1.2.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1360,1366 ----
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "\u003e= 1.2.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1483,1489 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.8.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1483,1489 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.8.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1550,1556 ****
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "2.2.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1550,1556 ----
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "\u003e= 2.2.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1637,1643 ****
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "1.6.11, 2.0.6",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1637,1643 ----
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "~\u003e 1.6.11, \u003e= 2.0.6",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1712,1718 ****
                  {
                      "key": "ruby",
                      "name": "activejob",
!                     "fixedIn": "5.2.1.1, 5.1.6.1, 5.0.7.1, 4.2.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1712,1718 ----
                  {
                      "key": "ruby",
                      "name": "activejob",
!                     "fixedIn": "~\u003e 4.2.11, ~\u003e 5.0.7.1, ~\u003e 5.1.6.1, ~\u003e 5.1.7, \u003e= 5.2.1.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1771,1777 ****
                  {
                      "key": "ruby",
                      "name": "rails-html-sanitizer",
!                     "fixedIn": "1.0.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1771,1777 ----
                  {
                      "key": "ruby",
                      "name": "rails-html-sanitizer",
!                     "fixedIn": "\u003e= 1.0.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 1870,1876 ****
                  {
                      "key": "ruby",
                      "name": "sprockets",
!                     "fixedIn": "4.0.0.beta8, 3.7.2, 2.12.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 1870,1876 ----
                  {
                      "key": "ruby",
                      "name": "sprockets",
!                     "fixedIn": "\u003e= 2.12.5, \u003c 3.0.0, \u003e= 3.7.2, \u003c 4.0.0, \u003e= 4.0.0.beta8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
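Review bot: For sprockets the upper bounds `\u003c 3.0.0` and `\u003c 4.0.0` are now interleaved with lower bounds in a single comma-separated list, so `\u003e= 2.12.5, \u003c 3.0.0, \u003e= 3.7.2, \u003c 4.0.0, \u003e= 4.0.0.beta8` no longer makes clear which pairs form one range; the old value named the three patched releases directly. If the constraint form is kept, separate the ranges with a distinct delimiter (or emit them as a list of ranges) so that `\u003c 3.0.0, \u003e= 3.7.2` cannot be misread as a single bound.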
***************
*** 1949,1955 ****
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "2.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  },
                  {
--- 1949,1955 ----
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "\u003e= 2.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  },
                  {
***************
*** 2010,2016 ****
                  {
                      "key": "ruby",
                      "name": "yard",
!                     "fixedIn": "0.9.20",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 2010,2016 ----
                  {
                      "key": "ruby",
                      "name": "yard",
!                     "fixedIn": "\u003e= 0.9.20",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 2077,2082 ****
--- 2077,2083 ----
                  {
                      "key": "ruby",
                      "name": "ruby-openid",
+                     "fixedIn": "\u003e= 2.9.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
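Review bot: ruby-openid previously had no `fixedIn` at all and now reports `\u003e= 2.9.0`; confirm this comes from the updated advisory data rather than from a default produced by the new constraint handling, since a fix version that appears where none existed before changes the fixed/unfixed counts shown in the scan summaries (the `n/n Fixed` lines above) and may hide a package that is actually still unpatched.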
***************
*** 2772,2778 ****
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "2.3.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 2773,2779 ----
                  {
                      "key": "ruby",
                      "name": "loofah",
!                     "fixedIn": "\u003e= 2.3.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 2863,2869 ****
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "2.0.8, 1.6.12",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 2864,2870 ----
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "~\u003e 1.6.12, \u003e= 2.0.8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 2958,2964 ****
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "1.3.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 2959,2965 ----
                  {
                      "key": "ruby",
                      "name": "rubyzip",
!                     "fixedIn": "\u003e= 1.3.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 3077,3083 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "4.2.11.1, 5.2.2.1, 5.0.7.2, 5.1.6.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3078,3084 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "~\u003e 4.2.11, \u003e= 4.2.11.1, ~\u003e 5.0.7, \u003e= 5.0.7.2, ~\u003e 5.1.6, \u003e= 5.1.6.2, ~\u003e 5.2.2, \u003e= 5.2.2.1, \u003e= 6.0.0.beta3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 3188,3194 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "5.2.2.1, 4.2.11.1, 5.0.7.2, 5.1.6.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3189,3195 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "\u003e= 6.0.0.beta3, ~\u003e 5.2.2, \u003e= 5.2.2.1, ~\u003e 5.1.6, \u003e= 5.1.6.2, ~\u003e 5.0.7, \u003e= 5.0.7.2, ~\u003e 4.2.11, \u003e= 4.2.11.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
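Review bot: the two actionview entries carry the same nine requirements in opposite order (this hunk begins with `>= 6.0.0.beta3`, the previous one ends with it), so the output order depends on iteration order rather than on the data. Sort the requirements before joining them so the report is stable between runs and the integration diff only shows real changes.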
***************
*** 3283,3289 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.10.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3284,3290 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.10.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 3446,3452 ****
                  {
                      "key": "ruby",
                      "name": "json",
!                     "fixedIn": "2.3.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3447,3453 ----
                  {
                      "key": "ruby",
                      "name": "json",
!                     "fixedIn": "\u003e= 2.3.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 3844,3850 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "5.2.4.4, 6.0.3.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3845,3851 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "~\u003e 5.2.4, \u003e= 5.2.4.4, \u003e= 6.0.3.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 3923,3929 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.11.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3924,3930 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.11.0.rc4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
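Review bot: the lower bound moves from `1.11.0` to `>= 1.11.0.rc4`, a prerelease. Prerelease ordering differs between version libraries (an installed `1.11.0` satisfies `>= 1.11.0.rc4` under RubyGems rules, but a naive string or numeric comparison may say otherwise), so anything downstream that compares the installed version against `fixedIn` needs to handle the rc suffix.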
***************
*** 3994,4000 ****
                  {
                      "key": "ruby",
                      "name": "redcarpet",
!                     "fixedIn": "3.5.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 3995,4001 ----
                  {
                      "key": "ruby",
                      "name": "redcarpet",
!                     "fixedIn": "\u003e= 3.5.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 4081,4087 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "5.2.4.2, 6.0.2.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4082,4088 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "~\u003e 5.2.4, \u003e= 5.2.4.2, \u003e= 6.0.2.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 4204,4210 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.10.8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4205,4211 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.10.8",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 4291,4297 ****
                  {
                      "key": "ruby",
                      "name": "rake",
!                     "fixedIn": "12.3.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4292,4298 ----
                  {
                      "key": "ruby",
                      "name": "rake",
!                     "fixedIn": "\u003e= 12.3.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 4386,4392 ****
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "2.1.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4387,4393 ----
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "~\u003e 2.1.3, \u003e= 2.2.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 4465,4471 ****
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "4.2.11.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4466,4472 ----
                  {
                      "key": "ruby",
                      "name": "actionview",
!                     "fixedIn": "\u003e= 4.2.11.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
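Review bot: this is the one Gemfile.lock hunk where the version itself changes, not only the format: `4.2.11.3` becomes `>= 4.2.11.2`. The two sources disagree about the fix release for this advisory; verify it against the advisory before accepting the new baseline, because the rest of the diff looks like formatting noise and this line would otherwise slip through with it.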
***************
*** 4888,4894 ****
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "2.2.3, 2.1.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 4889,4895 ----
                  {
                      "key": "ruby",
                      "name": "rack",
!                     "fixedIn": "~\u003e 2.1.4, \u003e= 2.2.3",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 5050,5056 ****
                  {
                      "key": "ruby",
                      "name": "actionpack",
!                     "fixedIn": "5.2.4.6, 5.2.6, 6.1.3.2, 6.0.3.7",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5051,5057 ----
                  {
                      "key": "ruby",
                      "name": "actionpack",
!                     "fixedIn": "~\u003e 5.2.4.6, ~\u003e 5.2.6, ~\u003e 6.0.3, \u003e= 6.0.3.7, \u003e= 6.1.3.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
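Review bot: the new value `~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2` joins every requirement with the same `, ` separator, so what looks like one compound requirement (`~> 6.0.3, >= 6.0.3.7`, a single patched branch) is indistinguishable from the alternatives beside it, and a reader cannot tell how many branches are patched. Use a distinct separator between alternatives (for example `||`) or emit `fixedIn` as an array of requirement strings. The identical actionpack hunk below has the same problem.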
***************
*** 5133,5139 ****
                  {
                      "key": "ruby",
                      "name": "actionpack",
!                     "fixedIn": "5.2.4.6, 5.2.6, 6.1.3.2, 6.0.3.7",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5134,5140 ----
                  {
                      "key": "ruby",
                      "name": "actionpack",
!                     "fixedIn": "~\u003e 5.2.4.6, ~\u003e 5.2.6, ~\u003e 6.0.3, \u003e= 6.0.3.7, \u003e= 6.1.3.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 5228,5234 ****
                  {
                      "key": "ruby",
                      "name": "rdoc",
!                     "fixedIn": "6.3.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5229,5235 ----
                  {
                      "key": "ruby",
                      "name": "rdoc",
!                     "fixedIn": "\u003e= 6.3.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 5299,5305 ****
                  {
                      "key": "ruby",
                      "name": "addressable",
!                     "fixedIn": "2.8.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5300,5306 ----
                  {
                      "key": "ruby",
                      "name": "addressable",
!                     "fixedIn": "\u003e= 2.8.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 5358,5364 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.12.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5359,5365 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.12.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
***************
*** 5409,5415 ****
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "1.11.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
--- 5410,5416 ----
                  {
                      "key": "ruby",
                      "name": "nokogiri",
!                     "fixedIn": "\u003e= 1.11.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Gemfile.lock"
                  }
              ]
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/composer.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/composer.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/composer.json	2022-01-13 09:33:51.846530925 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/composer.json	2022-01-13 09:33:51.874531019 +0900
***************
*** 157,163 ****
                  {
                      "key": "php",
                      "name": "symfony/http-foundation",
!                     "fixedIn": "4.2.7, 4.1.12, 3.4.26, 2.8.50, 2.7.51",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
--- 157,163 ----
                  {
                      "key": "php",
                      "name": "symfony/http-foundation",
!                     "fixedIn": "3.2.0, 3.3.0, 3.4.0, 4.1.0, 4.2.7, 2.7.51, 2.8.50, 3.1.0, 3.4.26, 4.1.12",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
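Review bot: the new `fixedIn` for symfony/http-foundation adds `3.1.0, 3.2.0, 3.3.0, 3.4.0, 4.1.0` next to the actual fix releases `2.7.51, 2.8.50, 3.4.26, 4.1.12, 4.2.7`. The `x.y.0` values look like the lower bounds of affected branches rather than patched versions; check how the composer advisory ranges are mapped onto `fixedIn` before shipping, since a user on 3.4.25 would read this as saying 3.4.0 is a fix. The http-foundation hunk further down shows the same pattern with `2.1.0, 2.2.0, ...`.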
***************
*** 236,242 ****
                  {
                      "key": "php",
                      "name": "symfony/http-kernel",
!                     "fixedIn": "2.3.0, 2.5.0, 2.6.0, 4.2.12, 3.4.35, 2.4.0, 2.8.0, 2.8.52, 3.2.0, 4.3.8, 2.7.0, 3.1.0, 3.3.0, 3.4.0, 4.1.0, 4.2.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
--- 236,242 ----
                  {
                      "key": "php",
                      "name": "symfony/http-kernel",
!                     "fixedIn": "2.6.0, 2.8.52, 3.1.0, 2.4.0, 4.2.0, 4.2.12, 4.3.8, 2.3.0, 2.5.0, 2.8.0, 3.3.0, 2.7.0, 3.2.0, 3.4.0, 3.4.35, 4.1.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
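Review bot: both sides of this hunk contain the same sixteen versions in a different order, so the change is pure noise from unstable ordering. The flysystem and laravel hunks below come out ascending while this one does not, so the ordering is not under control anywhere; sort `fixedIn` before joining it so identical data produces identical output.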
***************
*** 339,345 ****
                  {
                      "key": "php",
                      "name": "symfony/http-foundation",
!                     "fixedIn": "4.3.8, 4.2.12, 3.4.35, 2.8.52",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
--- 339,345 ----
                  {
                      "key": "php",
                      "name": "symfony/http-foundation",
!                     "fixedIn": "2.3.0, 4.2.0, 4.2.12, 4.1.0, 2.5.0, 2.7.0, 3.1.0, 3.4.35, 3.2.0, 3.3.0, 4.3.8, 2.2.0, 2.4.0, 2.6.0, 2.8.52, 2.1.0, 2.8.0, 3.4.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
***************
*** 729,735 ****
                  {
                      "key": "php",
                      "name": "league/flysystem",
!                     "fixedIn": "2.1.1, 1.1.4",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
--- 729,735 ----
                  {
                      "key": "php",
                      "name": "league/flysystem",
!                     "fixedIn": "1.1.4, 2.1.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
***************
*** 812,818 ****
                  {
                      "key": "php",
                      "name": "laravel/framework",
!                     "fixedIn": "8.75.0, 7.30.6, 6.20.42",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
--- 812,818 ----
                  {
                      "key": "php",
                      "name": "laravel/framework",
!                     "fixedIn": "6.20.42, 7.30.6, 8.75.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/composer.lock"
                  }
              ]
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/gobinary.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/gobinary.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/gobinary.json	2022-01-13 09:33:51.834530885 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/gobinary.json	2022-01-13 09:33:51.862530979 +0900
***************
*** 35,47 ****
      "reportedBy": "lize",
      "errors": [],
      "warnings": [],
!     "scannedCves": {},
      "runningKernel": {
          "release": "",
          "version": "",
          "rebootRequired": false
      },
      "packages": {},
      "config": {
          "scan": {
              "logDir": "/var/log/vuls",
--- 35,178 ----
      "reportedBy": "lize",
      "errors": [],
      "warnings": [],
!     "scannedCves": {
!         "CVE-2020-14040": {
!             "cveID": "CVE-2020-14040",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2020-14040",
!                         "title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
!                         "summary": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "HIGH",
!                         "sourceLink": "",
!                         "references": [
!                             {
!                                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-5rcv-m4m3-hfh7",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/golang/go/issues/39491",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://linux.oracle.com/cve/CVE-2020-14040.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://linux.oracle.com/errata/ELSA-2020-4694.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
!                                 "source": "trivy"
!                             }
!                         ],
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "golang.org/x/text",
!                     "fixedIn": "0.3.3",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/gobinary"
!                 }
!             ]
!         },
!         "CVE-2021-38561": {
!             "cveID": "CVE-2021-38561",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2021-38561",
!                         "title": "",
!                         "summary": "",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "UNKNOWN",
!                         "sourceLink": "",
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "golang.org/x/text",
!                     "fixedIn": "0.3.7",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/gobinary"
!                 }
!             ]
!         }
!     },
      "runningKernel": {
          "release": "",
          "version": "",
          "rebootRequired": false
      },
      "packages": {},
+     "libraries": [
+         {
+             "Libs": [
+                 {
+                     "Name": "golang.org/x/text",
+                     "Version": "v0.3.2",
+                     "FilePath": ""
+                 }
+             ],
+             "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/gobinary"
+         }
+     ],
      "config": {
          "scan": {
              "logDir": "/var/log/vuls",
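Review bot: the second entry, CVE-2021-38561, has an empty `title` and `summary`, no `references` array at all and `cvss3Severity` `UNKNOWN`, and both entries carry `published`/`lastModified` of `0001-01-01T00:00:00Z` (Go's zero time). Anything that sorts or filters findings by date will take those timestamps literally; leave the fields out when the source provides no value (a pointer with `omitempty`, or a check before assignment). The `libraries` record added below also has `FilePath: ""` for golang.org/x/text while the jar hunk further down now fills `FilePath` in; the two ecosystems should agree on what that field holds.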
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/jar.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/jar.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/jar.json	2022-01-13 09:33:51.838530898 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/jar.json	2022-01-13 09:33:51.866530993 +0900
***************
*** 681,687 ****
                  {
                      "Name": "org.apache.logging.log4j:log4j-core",
                      "Version": "2.14.1",
!                     "FilePath": ""
                  }
              ],
              "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/test.jar"
--- 681,687 ----
                  {
                      "Name": "org.apache.logging.log4j:log4j-core",
                      "Version": "2.14.1",
!                     "FilePath": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/test.jar"
                  }
              ],
              "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/test.jar"
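Review bot: `FilePath` on the `!` line now repeats the absolute path that `path` already carries three lines below, so every library record embeds the scanning user's home directory twice. If `FilePath` is meant to locate a nested archive inside the jar, the top-level value should be relative to the jar (or empty, as before) rather than a copy of `path`; if it is not needed for top-level jars, keep it empty to avoid leaking local paths into reports that get shared.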
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/npm.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/npm.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/npm.json	2022-01-13 09:33:51.854530953 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/npm.json	2022-01-13 09:33:51.882531047 +0900
***************
*** 173,179 ****
                  {
                      "key": "node",
                      "name": "cryptiles",
!                     "fixedIn": "4.1.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
--- 173,179 ----
                  {
                      "key": "node",
                      "name": "cryptiles",
!                     "fixedIn": "\u003e=4.1.2",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
***************
*** 240,246 ****
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "4.17.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
--- 240,246 ----
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "\u003e=4.17.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
***************
*** 453,459 ****
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "4.17.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
--- 453,459 ----
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "\u003e=4.17.5",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
***************
*** 536,542 ****
                  {
                      "key": "node",
                      "name": "hoek",
!                     "fixedIn": "5.0.3, 4.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
--- 536,542 ----
                  {
                      "key": "node",
                      "name": "hoek",
!                     "fixedIn": "\u003e=5.0.3 \u003e=4.2.1",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/package-lock.json"
                  }
              ]
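Review bot: `>=5.0.3 >=4.2.1` is space-joined, unlike the comma-joined ruby and composer values. In npm's semver range syntax a space between comparators means intersection, so this string reads as `>=5.0.3` and silently drops the 4.2.1 fix for the 4.x line. Join alternatives with `||` (semver's OR) or with the `, ` separator used elsewhere in the report.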
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pipenv.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pipenv.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pipenv.json	2022-01-13 09:33:51.862530979 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pipenv.json	2022-01-13 09:33:51.890531074 +0900
***************
*** 526,532 ****
                  {
                      "key": "python",
                      "name": "flask",
!                     "fixedIn": "1.0.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Pipfile.lock"
                  }
              ]
--- 526,532 ----
                  {
                      "key": "python",
                      "name": "flask",
!                     "fixedIn": "1.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/Pipfile.lock"
                  }
              ]
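Review bot: `1.0.0` becomes `1.0`; the two are equal under PEP 440 but not as strings, so any baseline comparison or deduplication done on `fixedIn` by string equality will flag a change here. Normalise to one form (the three-component form used before, or the canonical form from a version library) before writing the report.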
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/poetry.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/poetry.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/poetry.json	2022-01-13 09:33:51.838530898 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/poetry.json	2022-01-13 09:33:51.866530993 +0900
***************
*** 268,274 ****
                  {
                      "key": "python",
                      "name": "keyring",
-                     "fixedIn": "0.10",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/poetry.lock"
                  }
              ]
--- 268,273 ----
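Review bot: the `-` line removes `fixedIn` from the keyring entry entirely (the next hunk does the same for `py`), so the record still reports a vulnerable library but no longer tells the user which version fixes it. This is a regression in the remediation data, not a format change; confirm whether the new trivy version stopped providing a patched version for these python advisories or whether the vuls mapping lost it, and do not accept the new baseline until that is understood.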
***************
*** 489,495 ****
                  {
                      "key": "python",
                      "name": "py",
-                     "fixedIn": "1.10.0",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/poetry.lock"
                  }
              ]
--- 488,493 ----
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pom.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pom.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pom.json	2022-01-13 09:33:51.842530912 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pom.json	2022-01-13 09:33:51.870531006 +0900
***************
*** 35,47 ****
      "reportedBy": "lize",
      "errors": [],
      "warnings": [],
!     "scannedCves": {},
      "runningKernel": {
          "release": "",
          "version": "",
          "rebootRequired": false
      },
      "packages": {},
      "config": {
          "scan": {
              "logDir": "/var/log/vuls",
--- 35,693 ----
      "reportedBy": "lize",
      "errors": [],
      "warnings": [],
!     "scannedCves": {
!         "CVE-2021-44228": {
!             "cveID": "CVE-2021-44228",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2021-44228",
!                         "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
!                         "summary": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "CRITICAL",
!                         "sourceLink": "",
!                         "references": [
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/10/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/10/2",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/10/3",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/13/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/13/2",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/14/4",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/15/3",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-7rjr-3q55-vv33",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/apache/logging-log4j2/pull/608",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/tangxiaofeng7/apache-log4j-poc",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3198",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3201",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3214",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3221",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/manual/migration.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/security.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://security.netapp.com/advisory/ntap-20211210-0007/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://twitter.com/kurtseifried/status/1469345530182455296",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5192-1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5192-2",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5197-1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.debian.org/security/2021/dsa-5020",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.kb.cert.org/vuls/id/930724",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
!                                 "source": "trivy"
!                             }
!                         ],
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "org.apache.logging.log4j:log4j-core",
!                     "fixedIn": "2.15.0",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/pom.xml"
!                 }
!             ]
!         },
!         "CVE-2021-44832": {
!             "cveID": "CVE-2021-44832",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2021-44832",
!                         "title": "log4j-core: remote code execution via JDBC Appender",
!                         "summary": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "MEDIUM",
!                         "sourceLink": "",
!                         "references": [
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/28/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-8489-44mv-ggj8",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3293",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://security.netapp.com/advisory/ntap-20220104-0001/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5222-1",
!                                 "source": "trivy"
!                             }
!                         ],
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "org.apache.logging.log4j:log4j-core",
!                     "fixedIn": "2.17.1, 2.12.4, 2.3.2",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/pom.xml"
!                 }
!             ]
!         },
!         "CVE-2021-45046": {
!             "cveID": "CVE-2021-45046",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2021-45046",
!                         "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
!                         "summary": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "CRITICAL",
!                         "sourceLink": "",
!                         "references": [
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/14/4",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/15/3",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/18/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://access.redhat.com/security/cve/CVE-2021-44228",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-7rjr-3q55-vv33",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3221",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/security.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5197-1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.debian.org/security/2021/dsa-5022",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.kb.cert.org/vuls/id/930724",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
!                                 "source": "trivy"
!                             }
!                         ],
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "org.apache.logging.log4j:log4j-core",
!                     "fixedIn": "2.16.0",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/pom.xml"
!                 }
!             ]
!         },
!         "CVE-2021-45105": {
!             "cveID": "CVE-2021-45105",
!             "confidences": [
!                 {
!                     "score": 100,
!                     "detectionMethod": "TrivyMatch"
!                 }
!             ],
!             "cveContents": {
!                 "trivy": [
!                     {
!                         "type": "trivy",
!                         "cveID": "CVE-2021-45105",
!                         "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern",
!                         "summary": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.",
!                         "cvss2Score": 0,
!                         "cvss2Vector": "",
!                         "cvss2Severity": "",
!                         "cvss3Score": 0,
!                         "cvss3Vector": "",
!                         "cvss3Severity": "MEDIUM",
!                         "sourceLink": "",
!                         "references": [
!                             {
!                                 "link": "http://www.openwall.com/lists/oss-security/2021/12/19/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://github.com/advisories/GHSA-p6xc-xr62-6r2g",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://issues.apache.org/jira/browse/LOG4J2-3230",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/security.html",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://security.netapp.com/advisory/ntap-20211218-0001/",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5203-1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://ubuntu.com/security/notices/USN-5222-1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.cve.org/CVERecord?id=CVE-2021-45105",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.debian.org/security/2021/dsa-5024",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.kb.cert.org/vuls/id/930724",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.openwall.com/lists/oss-security/2021/12/19/1",
!                                 "source": "trivy"
!                             },
!                             {
!                                 "link": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/",
!                                 "source": "trivy"
!                             }
!                         ],
!                         "published": "0001-01-01T00:00:00Z",
!                         "lastModified": "0001-01-01T00:00:00Z"
!                     }
!                 ]
!             },
!             "alertDict": {
!                 "cisa": null,
!                 "jpcert": null,
!                 "uscert": null
!             },
!             "libraryFixedIns": [
!                 {
!                     "name": "org.apache.logging.log4j:log4j-core",
!                     "fixedIn": "2.17.0, 2.12.3",
!                     "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/pom.xml"
!                 }
!             ]
!         }
!     },
      "runningKernel": {
          "release": "",
          "version": "",
          "rebootRequired": false
      },
      "packages": {},
+     "libraries": [
+         {
+             "Libs": [
+                 {
+                     "Name": "com.example:example",
+                     "Version": "1",
+                     "FilePath": ""
+                 },
+                 {
+                     "Name": "org.apache.logging.log4j:log4j-core",
+                     "Version": "2.14.1",
+                     "FilePath": ""
+                 }
+             ],
+             "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/pom.xml"
+         }
+     ],
      "config": {
          "scan": {
              "logDir": "/var/log/vuls",
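Review bot: the `published` and `lastModified` fields on this CVE entry are the zero time (`"0001-01-01T00:00:00Z"`), so the pom.xml scan now reports the vulnerability but without any date metadata; confirm this is expected for the Java data source before accepting this output as the new integration fixture. In the added `libraries` block, `"FilePath": ""` is empty for both entries while the enclosing `"path"` is set to the pom.xml; either populate the per-library field from `path` or document when it is expected to be empty, so consumers do not rely on a field that is blank here.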
diff -c /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/yarn.json /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/yarn.json
*** /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/yarn.json	2022-01-13 09:33:51.842530912 +0900
--- /home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/yarn.json	2022-01-13 09:33:51.870531006 +0900
***************
*** 161,167 ****
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "4.17.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/yarn.lock"
                  }
              ]
--- 161,167 ----
                  {
                      "key": "node",
                      "name": "lodash",
!                     "fixedIn": "\u003e=4.17.11",
                      "path": "/home/mainek00n/github/github.com/MaineK00n/vuls/integration/data/lockfile/yarn.lock"
                  }
              ]
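Review bot: `fixedIn` changes from the bare version `"4.17.11"` to the range expression `">=4.17.11"` (serialized as `"\u003e=4.17.11"`, which is Go's default HTML-safe JSON escaping of `>`). Any consumer that parses `fixedIn` as a plain version, or a fixture comparison that uses string equality, will break on this; consider normalizing the range to a version in the report, or confirm that downstream consumers (report templates and the yarn integration fixture) accept range expressions before merging.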
echo "old: ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:46+09:00' , new: ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:47+09:00'"
old: ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:46+09:00' , new: ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:47+09:00'
for jsonfile in ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:46+09:00'/*.json ;  do echo $jsonfile; cat $jsonfile | jq ".scannedCves | length" ; done
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/bundler.json
56
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/cargo.json
13
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/composer.json
13
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/gobinary.json
0
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/gomod.json
27
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/jar.json
4
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/npm.json
28
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/nuget-config.json
2
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/nuget-lock.json
2
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pip.json
1
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pipenv.json
16
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/poetry.json
8
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/pom.json
0
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:46+09:00/yarn.json
50
for jsonfile in ''/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results'/2022-01-13T09:33:47+09:00'/*.json ;  do echo $jsonfile; cat $jsonfile | jq ".scannedCves | length" ; done
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/bundler.json
56
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/cargo.json
13
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/composer.json
13
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/gobinary.json
2
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/gomod.json
27
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/jar.json
4
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/npm.json
28
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/nuget-config.json
2
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/nuget-lock.json
2
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pip.json
1
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pipenv.json
16
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/poetry.json
8
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/pom.json
4
/home/mainek00n/github/github.com/MaineK00n/vuls/integration/results/2022-01-13T09:33:47+09:00/yarn.json
50

@kotakanbe kotakanbe left a comment
LGTM

@kotakanbe kotakanbe merged commit 43c05d0 into master Jan 17, 2022
@kotakanbe kotakanbe deleted the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.22.0 branch January 17, 2022 23:27
Labels: dependencies, go