Adding detection events for ingress-nginx-controller (#5074)

* Adding Advisory GHSA-5wj4-wffq-3378 for ingress-nginx-controller * Adding Advisory GHSA-fp9f-44c2-cw27 for ingress-nginx-controller --------- Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
wolfi-dev · May 29, 2024 · 90b16c9 · 90b16c9
1 parent 521e210
commit 90b16c9
Showing 1 changed file with 150 additions and 126 deletions.
diff --git a/ingress-nginx-controller.advisories.yaml b/ingress-nginx-controller.advisories.yaml
@@ -4,58 +4,67 @@ package:
   name: ingress-nginx-controller
 
 advisories:
-  - id: CGA-cjgp-vhqf-27hm
+  - id: CGA-23qr-ph6w-q5g6
     aliases:
-      - CVE-2018-1002104
-      - GHSA-p3x5-5xpx-9phm
+      - CVE-2021-25748
+      - GHSA-863x-868h-968x
     events:
-      - timestamp: 2024-04-26T10:33:23Z
+      - timestamp: 2024-04-26T10:33:18Z
         type: detection
         data:
           type: scan/v1
           data:
             subpackageName: ingress-nginx-controller
-            componentID: 6a5c8f9a54bdac1b
+            componentID: 93bd7d6224914e4e
             componentName: k8s.io/ingress-nginx
             componentVersion: v0.0.0-20240423134412-51847ac1b537
             componentType: go-module
-            componentLocation: /usr/bin/nginx-ingress-controller
+            componentLocation: /usr/bin/waitshutdown
             scanner: grype
-      - timestamp: 2024-05-16T16:22:57Z
+      - timestamp: 2024-05-06T00:32:04Z
         type: false-positive-determination
         data:
           type: vulnerable-code-version-not-used
-          note: This vulnerability affects versions < 1.5, but the installed commit corresponds to version 1.10.1.
+          note: 'This vulnerability was matched to the module "k8s.io/ingress-nginx" at the following location(s): /usr/bin/nginx-dbg, /usr/bin/nginx-ingress-controller, /usr/bin/waitshutdown. In all cases, the fixed version of the module (git commit c32f9a43279425920c41ba2e54dfcb1a54c0daf7) is an ancestor of the installed version commit (51847ac1b537c547cdb7bfb06d14e6d3d8476a73).'
 
-  - id: CGA-5rf5-j2cr-3544
+  - id: CGA-43r2-2869-xw2g
     aliases:
-      - CVE-2020-8553
-      - GHSA-hhpm-74pm-hf35
+      - CVE-2024-24784
+      - GHSA-fgq5-q76c-gx78
     events:
-      - timestamp: 2024-04-26T10:33:20Z
+      - timestamp: 2024-03-12T07:07:23Z
+        type: fixed
+        data:
+          fixed-version: 1.10.0-r3
+
+  - id: CGA-45c5-3vg6-35x6
+    aliases:
+      - CVE-2023-5043
+      - GHSA-5wj4-wffq-3378
+    events:
+      - timestamp: 2023-10-30T12:25:44Z
+        type: fixed
+        data:
+          fixed-version: 1.9.0-r0
+      - timestamp: 2024-05-29T07:31:16Z
         type: detection
         data:
           type: scan/v1
           data:
             subpackageName: ingress-nginx-controller
-            componentID: 6a5c8f9a54bdac1b
+            componentID: 456ff01fd8a33835
             componentName: k8s.io/ingress-nginx
             componentVersion: v0.0.0-20240423134412-51847ac1b537
             componentType: go-module
-            componentLocation: /usr/bin/nginx-ingress-controller
+            componentLocation: /usr/bin/waitshutdown
             scanner: grype
-      - timestamp: 2024-05-16T16:21:20Z
-        type: false-positive-determination
-        data:
-          type: vulnerable-code-version-not-used
-          note: This vulnerability affects versions < 0.28.0, but the installed commit corresponds to version 1.10.1.
 
-  - id: CGA-q93f-r479-x2rj
+  - id: CGA-5rf5-j2cr-3544
     aliases:
-      - CVE-2021-25745
-      - GHSA-pvmg-xgmx-9mxh
+      - CVE-2020-8553
+      - GHSA-hhpm-74pm-hf35
     events:
-      - timestamp: 2024-04-26T10:33:25Z
+      - timestamp: 2024-04-26T10:33:20Z
         type: detection
         data:
           type: scan/v1
@@ -67,34 +76,21 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/nginx-ingress-controller
             scanner: grype
-      - timestamp: 2024-05-06T00:32:04Z
+      - timestamp: 2024-05-16T16:21:20Z
         type: false-positive-determination
         data:
           type: vulnerable-code-version-not-used
-          note: 'This vulnerability was matched to the module "k8s.io/ingress-nginx" at the following location(s): /usr/bin/nginx-dbg, /usr/bin/nginx-ingress-controller, /usr/bin/waitshutdown. In all cases, the fixed version of the module (git commit 6d9a39eda7b180f27b34726d7a7a96d73808ce75) is an ancestor of the installed version commit (51847ac1b537c547cdb7bfb06d14e6d3d8476a73).'
+          note: This vulnerability affects versions < 0.28.0, but the installed commit corresponds to version 1.10.1.
 
-  - id: CGA-23qr-ph6w-q5g6
+  - id: CGA-7qcv-pmxr-hc3p
     aliases:
-      - CVE-2021-25748
-      - GHSA-863x-868h-968x
+      - CVE-2023-44487
+      - GHSA-qppj-fm5r-hxr3
     events:
-      - timestamp: 2024-04-26T10:33:18Z
-        type: detection
-        data:
-          type: scan/v1
-          data:
-            subpackageName: ingress-nginx-controller
-            componentID: 93bd7d6224914e4e
-            componentName: k8s.io/ingress-nginx
-            componentVersion: v0.0.0-20240423134412-51847ac1b537
-            componentType: go-module
-            componentLocation: /usr/bin/waitshutdown
-            scanner: grype
-      - timestamp: 2024-05-06T00:32:04Z
-        type: false-positive-determination
+      - timestamp: 2023-10-13T04:13:45Z
+        type: fixed
         data:
-          type: vulnerable-code-version-not-used
-          note: 'This vulnerability was matched to the module "k8s.io/ingress-nginx" at the following location(s): /usr/bin/nginx-dbg, /usr/bin/nginx-ingress-controller, /usr/bin/waitshutdown. In all cases, the fixed version of the module (git commit c32f9a43279425920c41ba2e54dfcb1a54c0daf7) is an ancestor of the installed version commit (51847ac1b537c547cdb7bfb06d14e6d3d8476a73).'
+          fixed-version: 1.9.3-r1
 
   - id: CGA-87wp-gwcp-vxmh
     aliases:
@@ -107,6 +103,27 @@ advisories:
           type: vulnerable-code-not-included-in-package
           note: CVE relates to NGINX module ngx_http_mp4_module which is not included in the package
 
+  - id: CGA-89jc-5hxx-25w5
+    aliases:
+      - CVE-2023-45283
+      - GHSA-vvjp-q62m-2vph
+    events:
+      - timestamp: 2023-11-07T19:29:30Z
+        type: false-positive-determination
+        data:
+          type: vulnerable-code-not-included-in-package
+          note: Only affects Windows
+
+  - id: CGA-99q2-4xh8-42h8
+    aliases:
+      - CVE-2023-45288
+      - GHSA-4v7x-pqxf-cx7m
+    events:
+      - timestamp: 2024-04-13T07:12:22Z
+        type: fixed
+        data:
+          fixed-version: 1.10.0-r6
+
   - id: CGA-9hq4-h7qf-9cfj
     aliases:
       - CVE-2022-41742
@@ -129,54 +146,35 @@ advisories:
           type: vulnerable-code-version-not-used
           note: This vulnerability was reported to be fixed in 1.8.0, which was the first version shipped by Wolfi. https://www.openwall.com/lists/oss-security/2023/10/25/5
 
-  - id: CGA-7qcv-pmxr-hc3p
-    aliases:
-      - CVE-2023-44487
-      - GHSA-qppj-fm5r-hxr3
-    events:
-      - timestamp: 2023-10-13T04:13:45Z
-        type: fixed
-        data:
-          fixed-version: 1.9.3-r1
-
-  - id: CGA-89jc-5hxx-25w5
+  - id: CGA-cjgp-vhqf-27hm
     aliases:
-      - CVE-2023-45283
-      - GHSA-vvjp-q62m-2vph
+      - CVE-2018-1002104
+      - GHSA-p3x5-5xpx-9phm
     events:
-      - timestamp: 2023-11-07T19:29:30Z
-        type: false-positive-determination
+      - timestamp: 2024-04-26T10:33:23Z
+        type: detection
         data:
-          type: vulnerable-code-not-included-in-package
-          note: Only affects Windows
-
-  - id: CGA-qm44-rf2x-f7fr
-    aliases:
-      - CVE-2023-45284
-      - GHSA-rq3x-83w4-p28c
-    events:
-      - timestamp: 2023-11-07T19:29:32Z
+          type: scan/v1
+          data:
+            subpackageName: ingress-nginx-controller
+            componentID: 6a5c8f9a54bdac1b
+            componentName: k8s.io/ingress-nginx
+            componentVersion: v0.0.0-20240423134412-51847ac1b537
+            componentType: go-module
+            componentLocation: /usr/bin/nginx-ingress-controller
+            scanner: grype
+      - timestamp: 2024-05-16T16:22:57Z
         type: false-positive-determination
         data:
-          type: vulnerable-code-not-included-in-package
-          note: Only affects Windows
-
-  - id: CGA-99q2-4xh8-42h8
-    aliases:
-      - CVE-2023-45288
-      - GHSA-4v7x-pqxf-cx7m
-    events:
-      - timestamp: 2024-04-13T07:12:22Z
-        type: fixed
-        data:
-          fixed-version: 1.10.0-r6
+          type: vulnerable-code-version-not-used
+          note: This vulnerability affects versions < 1.5, but the installed commit corresponds to version 1.10.1.
 
-  - id: CGA-h9px-4f68-v34r
+  - id: CGA-fgc9-grpf-754w
     aliases:
-      - CVE-2023-45289
-      - GHSA-32ch-6x54-q4h9
+      - CVE-2024-24785
+      - GHSA-j6m3-gc37-6r6q
     events:
-      - timestamp: 2024-03-12T07:07:27Z
+      - timestamp: 2024-03-12T07:07:26Z
         type: fixed
         data:
           fixed-version: 1.10.0-r3
@@ -191,15 +189,15 @@ advisories:
         data:
           fixed-version: 1.10.0-r3
 
-  - id: CGA-45c5-3vg6-35x6
+  - id: CGA-h9px-4f68-v34r
     aliases:
-      - CVE-2023-5043
-      - GHSA-5wj4-wffq-3378
+      - CVE-2023-45289
+      - GHSA-32ch-6x54-q4h9
     events:
-      - timestamp: 2023-10-30T12:25:44Z
+      - timestamp: 2024-03-12T07:07:27Z
         type: fixed
         data:
-          fixed-version: 1.9.0-r0
+          fixed-version: 1.10.0-r3
 
   - id: CGA-pcmp-frhj-hxv6
     aliases:
@@ -210,65 +208,91 @@ advisories:
         type: fixed
         data:
           fixed-version: 1.9.0-r0
-
-  - id: CGA-q742-f852-979g
-    aliases:
-      - CVE-2024-21626
-      - GHSA-xr7r-f8xq-vfvv
-    events:
-      - timestamp: 2024-02-07T09:32:38Z
-        type: fixed
+      - timestamp: 2024-05-29T07:31:22Z
+        type: detection
         data:
-          fixed-version: 1.9.6-r1
+          type: scan/v1
+          data:
+            subpackageName: ingress-nginx-controller
+            componentID: c7304dbbbc3a3068
+            componentName: k8s.io/ingress-nginx
+            componentVersion: v0.0.0-20240423134412-51847ac1b537
+            componentType: go-module
+            componentLocation: /usr/bin/nginx-dbg
+            scanner: grype
 
-  - id: CGA-v6r9-c329-jw85
+  - id: CGA-q3pv-gp9g-gpj3
     aliases:
-      - CVE-2024-24783
-      - GHSA-3q2c-pvp5-3cqp
+      - CVE-2024-24786
+      - GHSA-8r3f-844c-mc37
     events:
-      - timestamp: 2024-03-12T07:07:25Z
-        type: fixed
+      - timestamp: 2024-03-14T07:15:56Z
+        type: detection
         data:
-          fixed-version: 1.10.0-r3
-
-  - id: CGA-43r2-2869-xw2g
-    aliases:
-      - CVE-2024-24784
-      - GHSA-fgq5-q76c-gx78
-    events:
-      - timestamp: 2024-03-12T07:07:23Z
+          type: scan/v1
+          data:
+            subpackageName: ingress-nginx-controller
+            componentID: d6aa7f10032c7de2
+            componentName: google.golang.org/protobuf
+            componentVersion: v1.32.0
+            componentType: go-module
+            componentLocation: /usr/bin/nginx-ingress-controller
+            scanner: grype
+      - timestamp: 2024-03-14T15:22:46Z
         type: fixed
         data:
-          fixed-version: 1.10.0-r3
+          fixed-version: 1.10.0-r4
 
-  - id: CGA-fgc9-grpf-754w
+  - id: CGA-q742-f852-979g
     aliases:
-      - CVE-2024-24785
-      - GHSA-j6m3-gc37-6r6q
+      - CVE-2024-21626
+      - GHSA-xr7r-f8xq-vfvv
     events:
-      - timestamp: 2024-03-12T07:07:26Z
+      - timestamp: 2024-02-07T09:32:38Z
         type: fixed
         data:
-          fixed-version: 1.10.0-r3
+          fixed-version: 1.9.6-r1
 
-  - id: CGA-q3pv-gp9g-gpj3
+  - id: CGA-q93f-r479-x2rj
     aliases:
-      - CVE-2024-24786
-      - GHSA-8r3f-844c-mc37
+      - CVE-2021-25745
+      - GHSA-pvmg-xgmx-9mxh
     events:
-      - timestamp: 2024-03-14T07:15:56Z
+      - timestamp: 2024-04-26T10:33:25Z
         type: detection
         data:
           type: scan/v1
           data:
             subpackageName: ingress-nginx-controller
-            componentID: d6aa7f10032c7de2
-            componentName: google.golang.org/protobuf
-            componentVersion: v1.32.0
+            componentID: 6a5c8f9a54bdac1b
+            componentName: k8s.io/ingress-nginx
+            componentVersion: v0.0.0-20240423134412-51847ac1b537
             componentType: go-module
             componentLocation: /usr/bin/nginx-ingress-controller
             scanner: grype
-      - timestamp: 2024-03-14T15:22:46Z
+      - timestamp: 2024-05-06T00:32:04Z
+        type: false-positive-determination
+        data:
+          type: vulnerable-code-version-not-used
+          note: 'This vulnerability was matched to the module "k8s.io/ingress-nginx" at the following location(s): /usr/bin/nginx-dbg, /usr/bin/nginx-ingress-controller, /usr/bin/waitshutdown. In all cases, the fixed version of the module (git commit 6d9a39eda7b180f27b34726d7a7a96d73808ce75) is an ancestor of the installed version commit (51847ac1b537c547cdb7bfb06d14e6d3d8476a73).'
+
+  - id: CGA-qm44-rf2x-f7fr
+    aliases:
+      - CVE-2023-45284
+      - GHSA-rq3x-83w4-p28c
+    events:
+      - timestamp: 2023-11-07T19:29:32Z
+        type: false-positive-determination
+        data:
+          type: vulnerable-code-not-included-in-package
+          note: Only affects Windows
+
+  - id: CGA-v6r9-c329-jw85
+    aliases:
+      - CVE-2024-24783
+      - GHSA-3q2c-pvp5-3cqp
+    events:
+      - timestamp: 2024-03-12T07:07:25Z
         type: fixed
         data:
-          fixed-version: 1.10.0-r4
+          fixed-version: 1.10.0-r3