diff --git a/linters/osv-scanner/expected_issues.json b/linters/osv-scanner/expected_issues.json index 90f75897c..f62a00908 100644 --- a/linters/osv-scanner/expected_issues.json +++ b/linters/osv-scanner/expected_issues.json 
@@ -57,33 +57,33 @@ { "file": "test_data/Gemfile.lock", "line": "16", - "message": "Possible XSS Security Vulnerability in SafeBuffer#bytesplice. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 7.0.4.3 or higher.", - "code": "GHSA-pj73-v5mw-pm9j", - "level": "LEVEL_MEDIUM", + "message": "Active Support Possibly Discloses Locally Encrypted Files. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 6.1.7.5 or higher.", + "code": "GHSA-cr5q-6q9f-rq6q", + "level": "LEVEL_LOW", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-pj73-v5mw-pm9j", + "issueUrl": "https://osv.dev/GHSA-cr5q-6q9f-rq6q", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/Gemfile.lock", "line": "16", - "message": "ReDoS based DoS vulnerability in Active Support's underscore. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 6.1.7.1 or higher.", - "code": "GHSA-j6gc-792m-qgm2", - "level": "LEVEL_LOW", + "message": "Possible XSS Security Vulnerability in SafeBuffer#bytesplice. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 7.0.4.3 or higher.", + "code": "GHSA-pj73-v5mw-pm9j", + "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-j6gc-792m-qgm2", + "issueUrl": "https://osv.dev/GHSA-pj73-v5mw-pm9j", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/Gemfile.lock", "line": "16", - "message": "Active Support Possibly Discloses Locally Encrypted Files. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 6.1.7.5 or higher.", - "code": "GHSA-cr5q-6q9f-rq6q", + "message": "ReDoS based DoS vulnerability in Active Support's underscore. Current version of 'activesupport' is vulnerable: 5.2.8.1. 
Patch available: upgrade to 6.1.7.1 or higher.", + "code": "GHSA-j6gc-792m-qgm2", "level": "LEVEL_LOW", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-cr5q-6q9f-rq6q", + "issueUrl": "https://osv.dev/GHSA-j6gc-792m-qgm2", "targetType": "lockfile", "isSecurity": true }, @@ -120,6 +120,17 @@ "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/Gemfile.lock", + "line": "97", + "message": "Use-after-free in libxml2 via Nokogiri::XML::Reader. Current version of 'nokogiri' is vulnerable: 1.14.1. Patch available: upgrade to 1.15.6 or higher.", + "code": "GHSA-vcc3-rw6f-jv97", + "level": "LEVEL_MEDIUM", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-vcc3-rw6f-jv97", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/Gemfile.lock", "line": "97", @@ -202,7 +213,7 @@ "line": "102", "message": "'Rack' vulnerable to ReDoS in content type parsing (2nd degree polynomial). Current version of 'rack' is vulnerable: 2.2.6.2. Patch available: upgrade to 3.0.9.1 or higher.", "code": "GHSA-22f2-v57c-j9cx", - "level": "LEVEL_LOW", + "level": "LEVEL_MEDIUM", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-22f2-v57c-j9cx", "targetType": "lockfile", 
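Review bot: The order-sensitivity of this snapshot is the issue here: the three activesupport entries for `test_data/Gemfile.lock` line 16 keep identical content and only swap positions, yet every field of them shows up as removed and re-added, which suggests the harness compares this file positionally. If actual and expected issues were sorted by `code` (then `file` and `line`) before comparison, an update like this would shrink to the genuinely new findings; the same reorder churn dominates the go.mod hunks at `@@ -210,51 +221,21 @@`, `@@ -290,131 +271,131 @@`, `@@ -430,71 +411,61 @@` and `@@ -510,221 +481,221 @@`. The substantive changes worth naming in the commit message are the new nokogiri entry `GHSA-vcc3-rw6f-jv97` in the `@@ -120,6 +120,17 @@` hunk and the `"level": "LEVEL_LOW"` → `"level": "LEVEL_MEDIUM"` change for `GHSA-22f2-v57c-j9cx` in the `@@ -202,7 +213,7 @@` hunk. That severity bump presumably tracks an upstream OSV update rather than a change in the local severity mapping; confirming which, since it changes how the finding is triaged, would make the snapshot update reviewable.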
@@ -210,51 +221,21 @@ }, { "file": "test_data/go.mod", - "message": "Panic on inputs with large exponents in math/big. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-33198", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-33198", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Panic due to crafted inputs in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-39293", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-39293", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Incorrect computation for some invalid field elements in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-23806", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-23806", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Stack exhaustion when compiling deeply nested expressions in regexp. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-24921", + "message": "Improper handling of JavaScript whitespace in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24540", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-24921", + "issueUrl": "https://osv.dev/CVE-2023-24540", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper handling of HTML-like comments in script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-39318", + "message": "Excessive resource consumption in mime/multipart. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41725", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-39318", + "issueUrl": "https://osv.dev/CVE-2022-41725", "targetType": "lockfile", "isSecurity": true }, 
@@ -290,131 +271,131 @@ }, { "file": "test_data/go.mod", - "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-xrjj-mj9h-534m", + "message": "Improper handling of empty HTML attributes in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-29400", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", + "issueUrl": "https://osv.dev/CVE-2023-29400", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-vvpx-j8f3-3w6h", + "message": "Improper handling of special tags within script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-39319", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", + "issueUrl": "https://osv.dev/CVE-2023-39319", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-vc3p-29h2-gpcp", + "message": "Denial of service via chunk extensions in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-39326", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", + "issueUrl": "https://osv.dev/CVE-2023-39326", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper handling of empty HTML attributes in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-29400", + "message": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45283", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-29400", + "issueUrl": "https://osv.dev/CVE-2023-45283", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper handling of JavaScript whitespace in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24540", + "message": "Incorrect detection of reserved device names on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45284", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24540", + "issueUrl": "https://osv.dev/CVE-2023-45284", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper sanitization of CSS values in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24539", + "message": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45287", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24539", + "issueUrl": "https://osv.dev/CVE-2023-45287", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Backticks not treated as string delimiters in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24538", + "message": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45289", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24538", + "issueUrl": "https://osv.dev/CVE-2023-45289", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Infinite loop in parsing in go/scanner. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24537", + "message": "Memory exhaustion in multipart form parsing in net/textproto and net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45290", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24537", + "issueUrl": "https://osv.dev/CVE-2023-45290", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Excessive resource consumption in net/http, net/textproto and mime/multipart. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24536", + "message": "Verify panics on certificates with an unknown public key algorithm in crypto/x509. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24783", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24536", + "issueUrl": "https://osv.dev/CVE-2024-24783", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Excessive memory allocation in net/http and net/textproto. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24534", + "message": "Comments in display names are incorrectly handled in net/mail. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24784", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24534", + "issueUrl": "https://osv.dev/CVE-2024-24784", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect calculation on P256 curves in crypto/internal/nistec. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24532", + "message": "Errors returned from JSON marshaling may break template escaping in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24785", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24532", + "issueUrl": "https://osv.dev/CVE-2024-24785", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-p782-xgp4-8hr8", + "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-4374-p667-p6c8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-p782-xgp4-8hr8", + "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-h86h-8ppg-mxmh", + "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-4v7x-pqxf-cx7m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", + "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m", "targetType": "lockfile", "isSecurity": true }, 
@@ -430,71 +411,61 @@ }, { "file": "test_data/go.mod", - "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-4374-p667-p6c8", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Errors returned from JSON marshaling may break template escaping in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24785", + "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-h86h-8ppg-mxmh", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24785", + "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Comments in display names are incorrectly handled in net/mail. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24784", + "message": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-p782-xgp4-8hr8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24784", + "issueUrl": "https://osv.dev/GHSA-p782-xgp4-8hr8", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Verify panics on certificates with an unknown public key algorithm in crypto/x509. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24783", + "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-vc3p-29h2-gpcp", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24783", + "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Memory exhaustion in multipart form parsing in net/textproto and net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45290", + "message": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-vvpx-j8f3-3w6h", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45290", + "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45289", + "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-xrjj-mj9h-534m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45289", + "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Excessive resource consumption in mime/multipart. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41725", + "message": "Incorrect calculation on P256 curves in crypto/internal/nistec. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24532", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41725", + "issueUrl": "https://osv.dev/CVE-2023-24532", "targetType": "lockfile", "isSecurity": true }, 
@@ -510,221 +481,221 @@ }, { "file": "test_data/go.mod", - "message": "Path traversal on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41722", + "message": "Improper sanitization of CSS values in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24539", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41722", + "issueUrl": "https://osv.dev/CVE-2023-24539", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Restricted file access on Windows in os and net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41720", + "message": "Backticks not treated as string delimiters in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24538", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41720", + "issueUrl": "https://osv.dev/CVE-2023-24538", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unsanitized NUL in environment variables on Windows in syscall and os/exec. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41716", + "message": "Infinite loop in parsing in go/scanner. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24537", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41716", + "issueUrl": "https://osv.dev/CVE-2023-24537", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Memory exhaustion when compiling regular expressions in regexp/syntax. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41715", + "message": "Excessive resource consumption in net/http, net/textproto and mime/multipart. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24536", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41715", + "issueUrl": "https://osv.dev/CVE-2023-24536", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic when decoding Float and Rat types in math/big. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-32189", + "message": "Excessive memory allocation in net/http and net/textproto. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24534", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-32189", + "issueUrl": "https://osv.dev/CVE-2023-24534", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Exposure of client IP addresses in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-32148", + "message": "Cross-site scripting in net/http/cgi and net/http/fcgi. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2020-24553", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-32148", + "issueUrl": "https://osv.dev/CVE-2020-24553", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when decoding certain messages in encoding/gob. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30635", + "message": "Infinite loop when decoding inputs in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-27918", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30635", + "issueUrl": "https://osv.dev/CVE-2021-27918", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Indefinite hang with large buffers on Windows in crypto/rand. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30634", + "message": "Incorrect operations on the P-224 curve in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-3114", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30634", + "issueUrl": "https://osv.dev/CVE-2021-3114", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when unmarshaling certain documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30633", + "message": "Improper sanitization when resolving values from DNS in net. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33195", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30633", + "issueUrl": "https://osv.dev/CVE-2021-33195", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion on crafted paths in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30632", + "message": "Panic when reading certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33196", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30632", + "issueUrl": "https://osv.dev/CVE-2021-33196", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when reading certain archives in compress/gzip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30631", + "message": "Attacker can drop certain headers in net/http/httputil. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33197", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30631", + "issueUrl": "https://osv.dev/CVE-2021-33197", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion in Glob on certain paths in io/fs. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30630", + "message": "Panic on inputs with large exponents in math/big. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33198", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30630", + "issueUrl": "https://osv.dev/CVE-2021-33198", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Session tickets lack random ticket_age_add in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30629", + "message": "Panic on certain certificates in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-34558", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30629", + "issueUrl": "https://osv.dev/CVE-2021-34558", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30580", + "message": "Panic in ReverseProxy in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-36221", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30580", + "issueUrl": "https://osv.dev/CVE-2021-36221", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45287", + "message": "Panic due to crafted inputs in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-39293", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45287", + "issueUrl": "https://osv.dev/CVE-2021-39293", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect detection of reserved device names on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45284", + "message": "Panic on invalid symbol tables in debug/macho. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-41771", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45284", + "issueUrl": "https://osv.dev/CVE-2021-41771", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Path traversal via Clean on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-29804", + "message": "Panic when opening certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-41772", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-29804", + "issueUrl": "https://osv.dev/CVE-2021-41772", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect sanitization of forwarded query parameters in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-2880", + "message": "Misdirected I/O in syscall. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-44717", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-2880", + "issueUrl": "https://osv.dev/CVE-2021-44717", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unbounded memory consumption when reading headers in archive/tar. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-2879", + "message": "Improper sanitization of Transfer-Encoding headers in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-1705", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-2879", + "issueUrl": "https://osv.dev/CVE-2022-1705", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic due to large inputs affecting P-256 curves in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-28327", + "message": "Stack exhaustion due to deeply nested types in go/parser. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-1962", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-28327", + "issueUrl": "https://osv.dev/CVE-2022-1962", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion from deeply nested XML documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-28131", + "message": "Uncontrolled memory consumption in math/big. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-23772", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-28131", + "issueUrl": "https://osv.dev/CVE-2022-23772", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45283", + "message": "Incorrect computation for some invalid field elements in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-23806", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45283", + "issueUrl": "https://osv.dev/CVE-2022-23806", "targetType": "lockfile", "isSecurity": true }, 
@@ -740,172 +711,211 @@
 },
 {
 "file": "test_data/go.mod",
- "message": "Panic on certain certificates in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-34558",
+ "message": "Stack exhaustion when compiling deeply nested expressions in regexp. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-24921",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-34558",
+ "issueUrl": "https://osv.dev/CVE-2022-24921",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Uncontrolled memory consumption in math/big. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2022-23772",
+ "message": "Stack exhaustion from deeply nested XML documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-28131",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2022-23772",
+ "issueUrl": "https://osv.dev/CVE-2022-28131",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Stack exhaustion due to deeply nested types in go/parser. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2022-1962",
+ "message": "Panic due to large inputs affecting P-256 curves in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-28327",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2022-1962",
+ "issueUrl": "https://osv.dev/CVE-2022-28327",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Denial of service via chunk extensions in net/http. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2023-39326",
+ "message": "Unbounded memory consumption when reading headers in archive/tar. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-2879",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2023-39326",
+ "issueUrl": "https://osv.dev/CVE-2022-2879",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Improper sanitization of Transfer-Encoding headers in net/http. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2022-1705",
+ "message": "Incorrect sanitization of forwarded query parameters in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-2880",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2022-1705",
+ "issueUrl": "https://osv.dev/CVE-2022-2880",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Misdirected I/O in syscall. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-44717",
+ "message": "Path traversal via Clean on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-29804",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-44717",
+ "issueUrl": "https://osv.dev/CVE-2022-29804",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Cross-site scripting in net/http/cgi and net/http/fcgi. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2020-24553",
+ "message": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30580",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2020-24553",
+ "issueUrl": "https://osv.dev/CVE-2022-30580",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Infinite loop when decoding inputs in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-27918",
+ "message": "Session tickets lack random ticket_age_add in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30629",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-27918",
+ "issueUrl": "https://osv.dev/CVE-2022-30629",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Incorrect operations on the P-224 curve in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-3114",
+ "message": "Stack exhaustion in Glob on certain paths in io/fs. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30630",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-3114",
+ "issueUrl": "https://osv.dev/CVE-2022-30630",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Improper sanitization when resolving values from DNS in net. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-33195",
+ "message": "Stack exhaustion when reading certain archives in compress/gzip. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30631",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-33195",
+ "issueUrl": "https://osv.dev/CVE-2022-30631",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Panic when reading certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-33196",
+ "message": "Stack exhaustion on crafted paths in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30632",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-33196",
+ "issueUrl": "https://osv.dev/CVE-2022-30632",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Attacker can drop certain headers in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-33197",
+ "message": "Stack exhaustion when unmarshaling certain documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30633",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-33197",
+ "issueUrl": "https://osv.dev/CVE-2022-30633",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Panic when opening certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-41772",
+ "message": "Indefinite hang with large buffers on Windows in crypto/rand. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30634",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-41772",
+ "issueUrl": "https://osv.dev/CVE-2022-30634",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Panic on invalid symbol tables in debug/macho. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-41771",
+ "message": "Stack exhaustion when decoding certain messages in encoding/gob. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-30635",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-41771",
+ "issueUrl": "https://osv.dev/CVE-2022-30635",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Panic in ReverseProxy in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2021-36221",
+ "message": "Exposure of client IP addresses in net/http. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-32148",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2021-36221",
+ "issueUrl": "https://osv.dev/CVE-2022-32148",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "message": "Improper handling of special tags within script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.",
- "code": "CVE-2023-39319",
+ "message": "Panic when decoding Float and Rat types in math/big. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-32189",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2023-39319",
+ "issueUrl": "https://osv.dev/CVE-2022-32189",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
- "line": "7",
- "message": "Stored Cross-site Scripting in gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.",
- "code": "GHSA-ph3w-2843-72mx",
- "level": "LEVEL_MEDIUM",
+ "message": "Memory exhaustion when compiling regular expressions in regexp/syntax. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-41715",
+ "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-ph3w-2843-72mx",
+ "issueUrl": "https://osv.dev/CVE-2022-41715",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "message": "Unsanitized NUL in environment variables on Windows in syscall and os/exec. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-41716",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/CVE-2022-41716",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "message": "Restricted file access on Windows in os and net/http. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-41720",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/CVE-2022-41720",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "message": "Path traversal on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2022-41722",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/CVE-2022-41722",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "message": "Improper handling of HTML-like comments in script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.",
+ "code": "CVE-2023-39318",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/CVE-2023-39318",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -923,11 +933,11 @@
 {
 "file": "test_data/go.mod",
 "line": "7",
- "message": "'code.gitea.io/gitea' Open Redirect vulnerability. Current version is vulnerable: 1.9.0-dev.",
- "code": "GHSA-cf6v-9j57-v6r6",
- "level": "LEVEL_LOW",
+ "message": "Stored Cross-site Scripting in gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.",
+ "code": "GHSA-ph3w-2843-72mx",
+ "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-cf6v-9j57-v6r6",
+ "issueUrl": "https://osv.dev/GHSA-ph3w-2843-72mx",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -942,6 +952,17 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/go.mod",
+ "line": "7",
+ "message": "Gitea allowed assignment of private issues. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.",
+ "code": "GHSA-fhv8-m4j4-cww2",
+ "level": "LEVEL_MEDIUM",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-fhv8-m4j4-cww2",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/go.mod",
 "line": "7",
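Review bot: Three Go stdlib expectations for `'stdlib' is vulnerable: 1.13` — `CVE-2023-39319` and `CVE-2023-39326` removed in this hunk, `CVE-2023-45283` removed in the preceding one — never reappear as `+` lines anywhere in view, whereas the new stdlib entries in this hunk look ordered by code and end at `CVE-2023-39318`, which is exactly where those three would sit. The header counts (`+711,211`) and the unchanged `"line": "7"` gitea entry that bridges to `@@ -923,11 +933,11 @@` leave no room for them before the next hunk, so unless they were re-added in a hunk outside this view this is a change in scanner output rather than a reorder. If that is intended (a scanner or advisory-database version change), it is worth one sentence in the commit message so the fixture does not silently absorb a regression; if not, the file should be regenerated. More generally, this hunk grows the stdlib 1.13 block by 39 lines, which suggests the expectations track the live advisory feed; pinning the test to an offline database snapshot, or asserting on a stable subset of codes, would keep this file from churning on every new advisory.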
@@ -953,6 +974,28 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/go.mod",
+ "line": "7",
+ "message": "Arbitrary Code Execution in Gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.",
+ "code": "GHSA-3h6c-c475-jm7v",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-3h6c-c475-jm7v",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "line": "7",
+ "message": "'code.gitea.io/gitea' Open Redirect vulnerability. Current version is vulnerable: 1.9.0-dev.",
+ "code": "GHSA-cf6v-9j57-v6r6",
+ "level": "LEVEL_LOW",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-cf6v-9j57-v6r6",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/go.mod",
 "line": "7",
@@ -997,6 +1040,17 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/go.mod",
+ "line": "7",
+ "message": "Gitea Open Redirect. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.",
+ "code": "GHSA-4rqq-rxvc-v2rc",
+ "level": "LEVEL_MEDIUM",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-4rqq-rxvc-v2rc",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/go.mod",
 "line": "16",
@@ -1033,22 +1087,22 @@
 {
 "file": "test_data/go.mod",
 "line": "58",
- "message": "Cross Site Request Forgery in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
- "code": "GHSA-4wp3-8q92-mh8w",
- "level": "LEVEL_HIGH",
+ "message": "Open redirect in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
+ "code": "GHSA-36h2-95gj-w488",
+ "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-4wp3-8q92-mh8w",
+ "issueUrl": "https://osv.dev/GHSA-36h2-95gj-w488",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "58",
- "message": "Open redirect in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
- "code": "GHSA-36h2-95gj-w488",
- "level": "LEVEL_MEDIUM",
+ "message": "Cross Site Request Forgery in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
+ "code": "GHSA-4wp3-8q92-mh8w",
+ "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-36h2-95gj-w488",
+ "issueUrl": "https://osv.dev/GHSA-4wp3-8q92-mh8w",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1085,17 +1139,6 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
- {
- "file": "test_data/go.mod",
- "line": "58",
- "message": "Gitea Remote Code Execution. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
- "code": "GHSA-hpmr-prr2-cqc4",
- "level": "LEVEL_HIGH",
- "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-hpmr-prr2-cqc4",
- "targetType": "lockfile",
- "isSecurity": true
- },
 {
 "file": "test_data/go.mod",
 "line": "58",
@@ -1129,6 +1172,17 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/go.mod",
+ "line": "58",
+ "message": "Improper Access Control in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
+ "code": "GHSA-r7h7-chh4-5rvm",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-r7h7-chh4-5rvm",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/go.mod",
 "line": "58",
@@ -1136,7 +1190,18 @@
 "code": "GHSA-w8xw-7crf-h23x",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-w8xw-7crf-h23x",
+ "issueUrl": "https://osv.dev/GHSA-w8xw-7crf-h23x",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "line": "58",
+ "message": "Gitea Remote Code Execution. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.",
+ "code": "GHSA-hpmr-prr2-cqc4",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-hpmr-prr2-cqc4",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1154,88 +1219,88 @@
 {
 "file": "test_data/go.mod",
 "line": "84",
- "message": "Gophish before 0.12.0 vulnerable to Open Redirect. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
- "code": "GHSA-hvw3-p9px-gpc9",
- "level": "LEVEL_MEDIUM",
+ "message": "Gophish vulnerable to Denial of Service via crafted payload involving autofocus. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
+ "code": "GHSA-8gg8-wr4j-v2wr",
+ "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-hvw3-p9px-gpc9",
+ "issueUrl": "https://osv.dev/GHSA-8gg8-wr4j-v2wr",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "84",
- "message": "Gophish XSS Vulnerability. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
- "code": "GHSA-9h9f-9q8g-6764",
+ "message": "Gophish vulnerable to Server-Side Request Forgery. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
+ "code": "GHSA-9c9w-9pq7-f35h",
 "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-9h9f-9q8g-6764",
+ "issueUrl": "https://osv.dev/GHSA-9c9w-9pq7-f35h",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "84",
- "message": "Gophish vulnerable to Server-Side Request Forgery. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
- "code": "GHSA-9c9w-9pq7-f35h",
+ "message": "Gophish XSS Vulnerability. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
+ "code": "GHSA-9h9f-9q8g-6764",
 "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-9c9w-9pq7-f35h",
+ "issueUrl": "https://osv.dev/GHSA-9h9f-9q8g-6764",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "84",
- "message": "Gophish vulnerable to Denial of Service via crafted payload involving autofocus. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
- "code": "GHSA-8gg8-wr4j-v2wr",
- "level": "LEVEL_HIGH",
+ "message": "Gophish before 0.12.0 vulnerable to Open Redirect. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.",
+ "code": "GHSA-hvw3-p9px-gpc9",
+ "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-8gg8-wr4j-v2wr",
+ "issueUrl": "https://osv.dev/GHSA-hvw3-p9px-gpc9",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "91",
- "message": "pgx SQL Injection via Line Comment Creation. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.",
- "code": "GHSA-m7wr-2xf7-cm9p",
+ "message": "pgx SQL Injection via Protocol Message Size Overflow. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.",
+ "code": "GHSA-7jwh-3vrq-q3m8",
 "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-m7wr-2xf7-cm9p",
+ "issueUrl": "https://osv.dev/GHSA-7jwh-3vrq-q3m8",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "91",
- "message": "pgx SQL Injection via Protocol Message Size Overflow. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.",
- "code": "GHSA-mrww-27vc-gghv",
+ "message": "pgx SQL Injection via Line Comment Creation. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.",
+ "code": "GHSA-m7wr-2xf7-cm9p",
 "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-mrww-27vc-gghv",
+ "issueUrl": "https://osv.dev/GHSA-m7wr-2xf7-cm9p",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "116",
- "message": "Cross-site scripting due to incorrect sanitization in 'github.com/microcosm-cc/bluemonday'. Current version is vulnerable: 0.0.0-20161012083705-f77f16ffc87a.",
- "code": "GHSA-3x58-xr87-2fcj",
+ "message": "Cross-site scripting via leaked style elements in 'github.com/microcosm-cc/bluemonday'. Current version is vulnerable: 0.0.0-20161012083705-f77f16ffc87a.",
+ "code": "GHSA-x95h-979x-cf3j",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-3x58-xr87-2fcj",
+ "issueUrl": "https://osv.dev/GHSA-x95h-979x-cf3j",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "116",
- "message": "Cross-site scripting via leaked style elements in 'github.com/microcosm-cc/bluemonday'. Current version is vulnerable: 0.0.0-20161012083705-f77f16ffc87a.",
- "code": "GHSA-x95h-979x-cf3j",
+ "message": "Cross-site scripting due to incorrect sanitization in 'github.com/microcosm-cc/bluemonday'. Current version is vulnerable: 0.0.0-20161012083705-f77f16ffc87a.",
+ "code": "GHSA-3x58-xr87-2fcj",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-x95h-979x-cf3j",
+ "issueUrl": "https://osv.dev/GHSA-3x58-xr87-2fcj",
 "targetType": "lockfile",
 "isSecurity": true
 },
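Review bot: The `"line": "91"` entry titled `pgx SQL Injection via Protocol Message Size Overflow` changes its code from `GHSA-mrww-27vc-gghv` to `GHSA-7jwh-3vrq-q3m8` while the rest of this hunk is a pure reorder (88 lines in, 88 out for gophish, pgx and bluemonday). A same-title identifier swap is easy to miss in a fixture this size and is exactly how an upstream alias change — or the scanner picking a different primary ID for the same advisory — would present, so a sentence in the commit message confirming that the database rather than the plugin changed would help the next reader. Presumably the two IDs cover the same issue for different pgx module paths, but that is not verifiable from the diff.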
@@ -1374,22 +1439,22 @@
 {
 "file": "test_data/go.mod",
 "line": "173",
- "message": "Denial of service via crafted TIFF image in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.",
- "code": "GHSA-qgc7-mgm3-q253",
+ "message": "Excessive resource consumption in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.",
+ "code": "GHSA-x92r-3vfx-4cv3",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-qgc7-mgm3-q253",
+ "issueUrl": "https://osv.dev/GHSA-x92r-3vfx-4cv3",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "173",
- "message": "Excessive resource consumption in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.",
- "code": "GHSA-x92r-3vfx-4cv3",
+ "message": "Denial of service via crafted TIFF image in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.",
+ "code": "GHSA-qgc7-mgm3-q253",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-x92r-3vfx-4cv3",
+ "issueUrl": "https://osv.dev/GHSA-qgc7-mgm3-q253",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1407,11 +1472,11 @@
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-xrjj-mj9h-534m",
+ "message": "Denial of service in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-69cg-p879-7622",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m",
+ "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1429,77 +1494,88 @@
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-vc3p-29h2-gpcp",
+ "message": "HTTP/2 Stream Cancellation Attack. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-2m7v-gc89-fjqf",
+ "level": "LEVEL_MEDIUM",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-2m7v-gc89-fjqf",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/go.mod",
+ "line": "174",
+ "message": "Improper rendering of text nodes in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-2wrh-6pvc-2jm9",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp",
+ "issueUrl": "https://osv.dev/GHSA-2wrh-6pvc-2jm9",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-h86h-8ppg-mxmh",
+ "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-4374-p667-p6c8",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh",
+ "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Infinite loop when parsing inputs in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-83g2-8m93-v3w7",
+ "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-4v7x-pqxf-cx7m",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-83g2-8m93-v3w7",
+ "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Denial of service in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-69cg-p879-7622",
+ "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-xrjj-mj9h-534m",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622",
+ "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-4374-p667-p6c8",
+ "message": "Infinite loop when parsing inputs in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-83g2-8m93-v3w7",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8",
+ "issueUrl": "https://osv.dev/GHSA-83g2-8m93-v3w7",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "Improper rendering of text nodes in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-2wrh-6pvc-2jm9",
+ "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-h86h-8ppg-mxmh",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-2wrh-6pvc-2jm9",
+ "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/go.mod",
 "line": "174",
- "message": "HTTP/2 Stream Cancellation Attack. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
- "code": "GHSA-2m7v-gc89-fjqf",
- "level": "LEVEL_MEDIUM",
+ "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.",
+ "code": "GHSA-vc3p-29h2-gpcp",
+ "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-2m7v-gc89-fjqf",
+ "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1536,6 +1612,17 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/go.mod",
+ "line": "186",
+ "message": "Decompression bomb vulnerability in github.com/go-jose/go-jose. Current version of 'gopkg.in/square/go-jose.v2' is vulnerable: 2.3.1.",
+ "code": "GHSA-c5q2-7r4c-mv6g",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-c5q2-7r4c-mv6g",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/go.mod",
 "line": "189",
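Review bot: The new order of the `"line": "174"` entries has no evident key — `GHSA-xrjj-mj9h-534m` lands between `GHSA-4v7x-pqxf-cx7m` and `GHSA-83g2-8m93-v3w7`, and `GHSA-69cg-p879-7622` from the preceding hunk precedes `GHSA-2m7v-gc89-fjqf` — so the 77-line old side is almost entirely rewritten to accommodate what the header counts show is one net addition, the `GHSA-4v7x-pqxf-cx7m` HTTP/2 CONTINUATION entry. If the test compares this file positionally, sorting both sides by `(file, line, code)` before the comparison, or comparing as a set, would shrink future updates to the entries that actually changed and make a dropped advisory stand out instead of hiding in reorder noise. Presumably the order is whatever osv-scanner emits; if so, a comment in the test harness saying that the fixture order is not stable would spare the next person from trying to preserve it by hand.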
@@ -1561,33 +1648,44 @@
 {
 "file": "test_data/requirements.txt",
 "line": "1",
- "message": "Invalid-free in _dealloc. Current version of 'pillow' is vulnerable: 9.1.1.",
- "code": "OSV-2022-1074",
+ "message": "'Pillow' buffer overflow vulnerability. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.3.0 or higher.",
+ "code": "GHSA-44wm-f244-xhp3",
+ "level": "LEVEL_MEDIUM",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/GHSA-44wm-f244-xhp3",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
+ {
+ "file": "test_data/requirements.txt",
+ "line": "1",
+ "message": "'Pillow' before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 9.2.0 or higher.",
+ "code": "GHSA-m2vv-5vj5-2hm7",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/OSV-2022-1074",
+ "issueUrl": "https://osv.dev/GHSA-m2vv-5vj5-2hm7",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "1",
- "message": "Segv on unknown address in jpeg_read_scanlines. Current version of 'pillow' is vulnerable: 9.1.1.",
- "code": "OSV-2022-715",
+ "message": "Invalid-free in _dealloc. Current version of 'pillow' is vulnerable: 9.1.1.",
+ "code": "OSV-2022-1074",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/OSV-2022-715",
+ "issueUrl": "https://osv.dev/OSV-2022-1074",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "1",
- "message": "An issue was discovered in 'Pillow' before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.0 or higher.",
- "code": "GHSA-8ghj-p4vj-mr35",
+ "message": "Segv on unknown address in jpeg_read_scanlines. Current version of 'pillow' is vulnerable: 9.1.1.",
+ "code": "OSV-2022-715",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-8ghj-p4vj-mr35",
+ "issueUrl": "https://osv.dev/OSV-2022-715",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1605,11 +1703,11 @@
 {
 "file": "test_data/requirements.txt",
 "line": "1",
- "message": "'Pillow' versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). 'Pillow' v10.0.1 upgrades the bundled libwebp binary to v1.3.2. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.",
- "code": "PYSEC-2023-175",
+ "message": "An issue was discovered in 'Pillow' before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.0 or higher.",
+ "code": "GHSA-8ghj-p4vj-mr35",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/PYSEC-2023-175",
+ "issueUrl": "https://osv.dev/GHSA-8ghj-p4vj-mr35",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1624,6 +1722,17 @@
 "targetType": "lockfile",
 "isSecurity": true
 },
+ {
+ "file": "test_data/requirements.txt",
+ "line": "1",
+ "message": "'Pillow' versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). 'Pillow' v10.0.1 upgrades the bundled libwebp binary to v1.3.2. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.",
+ "code": "PYSEC-2023-175",
+ "level": "LEVEL_HIGH",
+ "linter": "osv-scanner",
+ "issueUrl": "https://osv.dev/PYSEC-2023-175",
+ "targetType": "lockfile",
+ "isSecurity": true
+ },
 {
 "file": "test_data/requirements.txt",
 "line": "1",
@@ -1637,144 +1746,144 @@
 },
 {
 "file": "test_data/requirements.txt",
- "line": "1",
- "message": "'Pillow' before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 9.2.0 or higher.",
- "code": "GHSA-m2vv-5vj5-2hm7",
- "level": "LEVEL_HIGH",
+ "line": "2",
+ "message": "'langchain' vulnerable to path traversal. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.353 or higher.",
+ "code": "GHSA-rgp8-pm28-3759",
+ "level": "LEVEL_MEDIUM",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-m2vv-5vj5-2hm7",
+ "issueUrl": "https://osv.dev/GHSA-rgp8-pm28-3759",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary Code Execution. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.225 or higher.",
- "code": "GHSA-x32c-59v5-h7fg",
+ "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary code execution in load_prompt. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
+ "code": "GHSA-6643-h7h5-x9wh",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-x32c-59v5-h7fg",
+ "issueUrl": "https://osv.dev/GHSA-6643-h7h5-x9wh",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "An issue in 'langchain' langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.233 or higher.",
- "code": "GHSA-prgp-w7vf-ch62",
+ "message": "'Langchain' Server-Side Request Forgery vulnerability. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.329 or higher.",
+ "code": "GHSA-6h8p-4hx9-w66c",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-prgp-w7vf-ch62",
+ "issueUrl": "https://osv.dev/GHSA-6h8p-4hx9-w66c",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'langchain' Server-Side Request Forgery vulnerability. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.1.0 or higher.",
- "code": "GHSA-h9j7-5xvc-qhg5",
- "level": "LEVEL_LOW",
+ "message": "'langchain' vulnerable to arbitrary code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.312 or higher.",
+ "code": "GHSA-7gfq-f96f-g85j",
+ "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-h9j7-5xvc-qhg5",
+ "issueUrl": "https://osv.dev/GHSA-7gfq-f96f-g85j",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "An issue in Harrison Chase 'langchain' v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.236 or higher.",
- "code": "GHSA-gwqq-6vq7-5j86",
+ "message": "SQL injection vulnerability in 'langchain' v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
+ "code": "GHSA-7q94-qpjr-xpgm",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-gwqq-6vq7-5j86",
+ "issueUrl": "https://osv.dev/GHSA-7q94-qpjr-xpgm",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "An issue in 'LangChain' v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
- "code": "GHSA-fj32-q626-pjjc",
+ "message": "An issue in Harrison Chase 'langchain' v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.195 or higher.",
+ "code": "GHSA-92j5-3459-qgp4",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-fj32-q626-pjjc",
+ "issueUrl": "https://osv.dev/GHSA-92j5-3459-qgp4",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "An issue in LanChain-ai 'Langchain' v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.308 or higher.",
- "code": "GHSA-f73w-4m7g-ch9x",
+ "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary Code Execution. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.225 or higher.",
+ "code": "GHSA-x32c-59v5-h7fg",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-f73w-4m7g-ch9x",
+ "issueUrl": "https://osv.dev/GHSA-x32c-59v5-h7fg",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "An issue in Harrison Chase 'langchain' v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.195 or higher.",
- "code": "GHSA-92j5-3459-qgp4",
+ "message": "An issue in LanChain-ai 'Langchain' v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.308 or higher.",
+ "code": "GHSA-f73w-4m7g-ch9x",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-92j5-3459-qgp4",
+ "issueUrl": "https://osv.dev/GHSA-f73w-4m7g-ch9x",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "SQL injection vulnerability in 'langchain' v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
- "code": "GHSA-7q94-qpjr-xpgm",
+ "message": "An issue in 'LangChain' v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
+ "code": "GHSA-fj32-q626-pjjc",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-7q94-qpjr-xpgm",
+ "issueUrl": "https://osv.dev/GHSA-fj32-q626-pjjc",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'langchain' vulnerable to arbitrary code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.312 or higher.",
- "code": "GHSA-7gfq-f96f-g85j",
+ "message": "An issue in Harrison Chase 'langchain' v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.236 or higher.",
+ "code": "GHSA-gwqq-6vq7-5j86",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-7gfq-f96f-g85j",
+ "issueUrl": "https://osv.dev/GHSA-gwqq-6vq7-5j86",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'Langchain' Server-Side Request Forgery vulnerability. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.329 or higher.",
- "code": "GHSA-6h8p-4hx9-w66c",
+ "message": "'LangChain' through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.1.11 or higher.",
+ "code": "GHSA-h59x-p739-982c",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-6h8p-4hx9-w66c",
+ "issueUrl": "https://osv.dev/GHSA-h59x-p739-982c",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary code execution in load_prompt. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.",
- "code": "GHSA-6643-h7h5-x9wh",
- "level": "LEVEL_HIGH",
+ "message": "'langchain' Server-Side Request Forgery vulnerability. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.1.0 or higher.",
+ "code": "GHSA-h9j7-5xvc-qhg5",
+ "level": "LEVEL_LOW",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-6643-h7h5-x9wh",
+ "issueUrl": "https://osv.dev/GHSA-h9j7-5xvc-qhg5",
 "targetType": "lockfile",
 "isSecurity": true
 },
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'LangChain' before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.317 or higher.",
- "code": "GHSA-655w-fm8m-m478",
+ "message": "An issue in 'langchain' langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.233 or higher.",
+ "code": "GHSA-prgp-w7vf-ch62",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/GHSA-655w-fm8m-m478",
+ "issueUrl": "https://osv.dev/GHSA-prgp-w7vf-ch62",
 "targetType": "lockfile",
 "isSecurity": true
 },
@@ -1803,11 +1912,11 @@
 {
 "file": "test_data/requirements.txt",
 "line": "2",
- "message": "'LangChain' through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.1.11 or higher.",
- "code": "CVE-2024-28088",
+ "message": "'LangChain' before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.317 or higher.",
+ "code": "GHSA-655w-fm8m-m478",
 "level": "LEVEL_HIGH",
 "linter": "osv-scanner",
- "issueUrl": "https://osv.dev/CVE-2024-28088",
+ "issueUrl": "https://osv.dev/GHSA-655w-fm8m-m478",
 "targetType": "lockfile",
 "isSecurity": true
 }
diff --git a/linters/osv-scanner/osv_scanner.test.ts b/linters/osv-scanner/osv_scanner.test.ts
index b05ed3992..3c3906c14 100644
--- a/linters/osv-scanner/osv_scanner.test.ts
+++ b/linters/osv-scanner/osv_scanner.test.ts
@@ -12,5 +12,5 @@ const expectedFileIssues = JSON.parse(
 fuzzyLinterCheckTest({
 linterName: "osv-scanner",
 args: "-a -y",
- fileIssueAssertionCallback: createFuzzyMatcher(() => expectedFileIssues as FileIssue[], 80),
+ fileIssueAssertionCallback: createFuzzyMatcher(() => expectedFileIssues as FileIssue[], 100),
 });
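Review bot: Raising the `createFuzzyMatcher` tolerance from 80 to 100 on the last changed line makes this test fail on any drift in the OSV advisory feed, if that second argument is the percentage of expected issues that must be matched. The expected_issues.json hunks in this same commit show how much the feed moves: the langchain entries are reordered, the reported id for one advisory changes from `CVE-2024-28088` to `GHSA-h59x-p739-982c`, and the `PYSEC-2023-175` pillow entry is moved, all without any change to the scanned test_data. Unless the scanner is run against a pinned copy of the vulnerability database, an exact match turns every newly published or re-aliased advisory into a spurious CI failure instead of a signal about the linter integration itself. If exact matching is intentional, say so next to the call, e.g. `// 100: expected_issues.json must be regenerated whenever the OSV database changes`; otherwise keep a margin such as the previous 80.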