From c8aeed70e089bac21250c1c3dea766e7eb19c667 Mon Sep 17 00:00:00 2001 From: TylerJang27 <42743566+TylerJang27@users.noreply.github.com> Date: Thu, 29 Aug 2024 08:55:51 +0000 Subject: [PATCH 1/2] Auto add snapshots --- .../buildifier_v7.3.1_basic_check.check.shot | 135 +++++++++++ ...config.test_data.add_tables.BUILD.fmt.shot | 36 +++ ...3.1_no_config.test_data.basic.bzl.fmt.shot | 11 + ...config.test_data.add_tables.BUILD.fmt.shot | 36 +++ .../pyright_v1.1.378_basic.check.shot | 226 ++++++++++++++++++ 5 files changed, 444 insertions(+) create mode 100644 linters/buildifier/test_data/buildifier_v7.3.1_basic_check.check.shot create mode 100644 linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.add_tables.BUILD.fmt.shot create mode 100644 linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.basic.bzl.fmt.shot create mode 100644 linters/buildifier/test_data/buildifier_v7.3.1_with_config.test_data.add_tables.BUILD.fmt.shot create mode 100644 linters/pyright/test_data/pyright_v1.1.378_basic.check.shot diff --git a/linters/buildifier/test_data/buildifier_v7.3.1_basic_check.check.shot b/linters/buildifier/test_data/buildifier_v7.3.1_basic_check.check.shot new file mode 100644 index 000000000..51223c11c --- /dev/null +++ b/linters/buildifier/test_data/buildifier_v7.3.1_basic_check.check.shot 
@@ -0,0 +1,135 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP +// trunk-upgrade-validation:RELEASE + +exports[`Testing linter buildifier test basic_check 1`] = ` +{ + "issues": [ + { + "code": "module-docstring", + "column": "1", + "file": "test_data/basic.bzl", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/bazelbuild/buildtools/blob/main/WARNINGS.md#module-docstring", + "level": "LEVEL_HIGH", + "line": "1", + "linter": "buildifier", + "message": "The file has no module docstring. +A module docstring is a string literal (not a comment) which should be the first statement of a file (it may follow comment lines).", + "targetType": "starlark", + }, + { + "code": "load", + "column": "26", + "file": "test_data/basic.bzl", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/bazelbuild/buildtools/blob/main/WARNINGS.md#load", + "level": "LEVEL_HIGH", + "line": "1", + "linter": "buildifier", + "message": "Loaded symbol "a" is unused. Please remove it. +To disable the warning, add '@unused' in a comment. +If you want to re-export a symbol, use the following pattern: + + load(..., _a = "a", ...) + a = _a", + "targetType": "starlark", + }, + { + "code": "load", + "column": "26", + "file": "test_data/basic.bzl", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/bazelbuild/buildtools/blob/main/WARNINGS.md#load", + "level": "LEVEL_HIGH", + "line": "2", + "linter": "buildifier", + "message": "Loaded symbol "b" is unused. Please remove it. +To disable the warning, add '@unused' in a comment. +If you want to re-export a symbol, use the following pattern: + + load(..., _b = "b", ...) 
+ b = _b", + "targetType": "starlark", + }, + ], + "lintActions": [ + { + "command": "fix", + "fileGroupName": "bazel-build", + "linter": "buildifier", + "paths": [ + "test_data/add_tables.BUILD", + ], + "verb": "TRUNK_VERB_FMT", + }, + { + "command": "fix", + "fileGroupName": "starlark", + "linter": "buildifier", + "paths": [ + "test_data/basic.bzl", + ], + "verb": "TRUNK_VERB_FMT", + }, + { + "command": "warn", + "fileGroupName": "bazel-build", + "linter": "buildifier", + "paths": [ + "test_data/add_tables.BUILD", + ], + "verb": "TRUNK_VERB_CHECK", + }, + { + "command": "warn", + "fileGroupName": "starlark", + "linter": "buildifier", + "paths": [ + "test_data/basic.bzl", + ], + "verb": "TRUNK_VERB_CHECK", + }, + { + "command": "warn", + "fileGroupName": "bazel-build", + "linter": "buildifier", + "paths": [ + "test_data/add_tables.BUILD", + ], + "upstream": true, + "verb": "TRUNK_VERB_CHECK", + }, + { + "command": "warn", + "fileGroupName": "starlark", + "linter": "buildifier", + "paths": [ + "test_data/basic.bzl", + ], + "upstream": true, + "verb": "TRUNK_VERB_CHECK", + }, + ], + "taskFailures": [], + "unformattedFiles": [ + { + "column": "1", + "file": "test_data/add_tables.BUILD", + "issueClass": "ISSUE_CLASS_UNFORMATTED", + "level": "LEVEL_HIGH", + "line": "1", + "linter": "buildifier", + "message": "Incorrect formatting, autoformat by running 'trunk fmt'", + }, + { + "column": "1", + "file": "test_data/basic.bzl", + "issueClass": "ISSUE_CLASS_UNFORMATTED", + "level": "LEVEL_HIGH", + "line": "1", + "linter": "buildifier", + "message": "Incorrect formatting, autoformat by running 'trunk fmt'", + }, + ], +} +`; diff --git a/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.add_tables.BUILD.fmt.shot b/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.add_tables.BUILD.fmt.shot new file mode 100644 index 000000000..54e82961f --- /dev/null 
+++ b/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.add_tables.BUILD.fmt.shot @@ -0,0 +1,36 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP +// trunk-upgrade-validation:RELEASE + +exports[`Testing formatter buildifier test no_config 1`] = ` +"foo_macro( + fizz = [ + ":lib2", + ":lib1", + ], +) + +filegroup( + name = "files", + srcs = glob(["**"]), +) + +sh_library( + name = "lib1", + srcs = ["src1.sh"], +) + +sh_library( + name = "lib2", + srcs = ["src1.sh"], +) + +sh_binary( + name = "foo", + srcs = ["foo.sh"], + deps = [ + ":lib1", + ":lib2", + ], +) +" +`; diff --git a/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.basic.bzl.fmt.shot b/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.basic.bzl.fmt.shot new file mode 100644 index 000000000..0f9da3bb5 --- /dev/null +++ b/linters/buildifier/test_data/buildifier_v7.3.1_no_config.test_data.basic.bzl.fmt.shot @@ -0,0 +1,11 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP +// trunk-upgrade-validation:RELEASE + +exports[`Testing formatter buildifier test no_config 1`] = ` +"# Misformatted file +def eponymous_name(): + name = native.package_name() + + return name[name.rfind("/") + 1:] +" +`; diff --git a/linters/buildifier/test_data/buildifier_v7.3.1_with_config.test_data.add_tables.BUILD.fmt.shot b/linters/buildifier/test_data/buildifier_v7.3.1_with_config.test_data.add_tables.BUILD.fmt.shot new file mode 100644 index 000000000..e4ce11ada --- /dev/null +++ b/linters/buildifier/test_data/buildifier_v7.3.1_with_config.test_data.add_tables.BUILD.fmt.shot 
@@ -0,0 +1,36 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP +// trunk-upgrade-validation:RELEASE + +exports[`Testing formatter buildifier test with_config 1`] = ` +"foo_macro( + fizz = [ + ":lib1", + ":lib2", + ], +) + +filegroup( + name = "files", + srcs = glob(["**"]), +) + +sh_library( + name = "lib1", + srcs = ["src1.sh"], +) + +sh_library( + name = "lib2", + srcs = ["src1.sh"], +) + +sh_binary( + name = "foo", + srcs = ["foo.sh"], + deps = [ + ":lib1", + ":lib2", + ], +) +" +`; diff --git a/linters/pyright/test_data/pyright_v1.1.378_basic.check.shot b/linters/pyright/test_data/pyright_v1.1.378_basic.check.shot new file mode 100644 index 000000000..1d230608a --- /dev/null +++ b/linters/pyright/test_data/pyright_v1.1.378_basic.check.shot 
@@ -0,0 +1,226 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP +// trunk-upgrade-validation:RELEASE + +exports[`Testing linter pyright test basic 1`] = ` +{ + "issues": [ + { + "code": "reportAttributeAccessIssue", + "column": "57", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportAttributeAccessIssue", + "level": "LEVEL_HIGH", + "line": "1", + "linter": "pyright", + "message": ""Enum" is unknown import symbol", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "4", + "offset": "56", + }, + ], + "targetType": "python", + }, + { + "column": "13", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#", + "level": "LEVEL_LOW", + "line": "15", + "linter": "pyright", + "message": "Type of "a.x" is "int | str"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "3", + "offset": "384", + }, + ], + "targetType": "python", + }, + { + "code": "reportAttributeAccessIssue", + "column": "3", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportAttributeAccessIssue", + "level": "LEVEL_HIGH", + "line": "18", + "linter": "pyright", + "message": "Cannot assign to attribute "x" for class "A" +  Expression of type "float" cannot be assigned to attribute "x" of class "A" +    Type "float" is not assignable to type "int | str" +      "float" is not assignable to "int" +      "float" is not assignable to "str"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "1", + "offset": "462", + }, + ], + "targetType": "python", + }, + { + "code": "reportUndefinedVariable", + "column": "8", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": 
"https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportUndefinedVariable", + "level": "LEVEL_HIGH", + "line": "24", + "linter": "pyright", + "message": ""ClassVar" is not defined", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "8", + "offset": "602", + }, + ], + "targetType": "python", + }, + { + "code": "reportAttributeAccessIssue", + "column": "9", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportAttributeAccessIssue", + "level": "LEVEL_HIGH", + "line": "31", + "linter": "pyright", + "message": "Cannot access attribute "z" for class "type[A]" +  Attribute "z" is unknown", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "1", + "offset": "742", + }, + ], + "targetType": "python", + }, + { + "code": "reportReturnType", + "column": "29", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportReturnType", + "level": "LEVEL_HIGH", + "line": "39", + "linter": "pyright", + "message": "Function with declared return type "bool" must return value on all code paths +  "None" is not assignable to "bool"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "4", + "offset": "864", + }, + ], + "targetType": "python", + }, + { + "code": "reportReturnType", + "column": "12", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportReturnType", + "level": "LEVEL_HIGH", + "line": "5", + "linter": "pyright", + "message": "Type "int" is not assignable to return type "str" +  "int" is not assignable to "str"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "1", + "offset": "105", + }, + ], + "targetType": "python", + }, + { + "column": "25", + "file": 
"test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#", + "level": "LEVEL_LOW", + "line": "51", + "linter": "pyright", + "message": "Type of "val" is "int"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "3", + "offset": "1128", + }, + ], + "targetType": "python", + }, + { + "column": "39", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#", + "level": "LEVEL_LOW", + "line": "54", + "linter": "pyright", + "message": "Type of "val" is "int"", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "3", + "offset": "1244", + }, + ], + "targetType": "python", + }, + { + "code": "reportRedeclaration", + "column": "7", + "file": "test_data/basic.in.py", + "issueClass": "ISSUE_CLASS_EXISTING", + "issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportRedeclaration", + "level": "LEVEL_HIGH", + "line": "7", + "linter": "pyright", + "message": "Class declaration "A" is obscured by a declaration of the same name", + "ranges": [ + { + "filePath": "test_data/basic.in.py", + "length": "1", + "offset": "183", + }, + ], + "targetType": "python", + }, + ], + "lintActions": [ + { + "command": "lint", + "fileGroupName": "python", + "linter": "pyright", + "paths": [ + "test_data/basic.in.py", + ], + "verb": "TRUNK_VERB_CHECK", + }, + { + "command": "lint", + "fileGroupName": "python", + "linter": "pyright", + "paths": [ + "test_data/basic.in.py", + ], + "upstream": true, + "verb": "TRUNK_VERB_CHECK", + }, + ], + "taskFailures": [], + "unformattedFiles": [], +} +`; From 89e5cdc705129255bda315ebb337cfacc6dfcd23 Mon Sep 17 00:00:00 2001 
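Review bot: Three of the snapshotted pyright issues — the LEVEL_LOW `Type of "a.x" is "int | str"` entry at line 15 and the two `Type of "val" is "int"` entries at lines 51 and 54 — carry no `code` key yet still get `"issueUrl": "https://github.com/microsoft/pyright/blob/main/docs/configuration.md#"`, a link with an empty anchor. The snapshot locks that dangling URL in as expected output, which looks like the issue parser appending the rule name to the docs URL unconditionally; it would be cleaner to omit `issueUrl` (as `code` is already omitted) whenever pyright reports no rule, and regenerate this snapshot after that fix. The parser itself is outside this diff, so I cannot confirm where the URL is assembled.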
From: Tyler Jang Date: Fri, 30 Aug 2024 12:20:27 -0700 Subject: [PATCH 2/2] update and improve osv expected issues --- .trunk/trunk.yaml | 3 +- linters/osv-scanner/expected_issues.json | 969 +++++++++++++---------- 2 files changed, 539 insertions(+), 433 deletions(-) diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index a71cd7081..547256f05 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -17,7 +17,7 @@ plugins: - id: configs uri: https://github.com/trunk-io/configs - ref: v1.0.7 + ref: v1.0.8 lint: files: @@ -46,7 +46,6 @@ lint: disabled: - pylint # pylint diagnostics are too strict - semgrep - - trivy # investigating issues with shared cachedir ignore: - linters: [ALL] diff --git a/linters/osv-scanner/expected_issues.json b/linters/osv-scanner/expected_issues.json index f62a00908..367c09831 100644 --- a/linters/osv-scanner/expected_issues.json +++ b/linters/osv-scanner/expected_issues.json @@ -54,17 +54,6 @@ "targetType": "lockfile", "isSecurity": true }, - { - "file": "test_data/Gemfile.lock", - "line": "16", - "message": "Active Support Possibly Discloses Locally Encrypted Files. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 6.1.7.5 or higher.", - "code": "GHSA-cr5q-6q9f-rq6q", - "level": "LEVEL_LOW", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-cr5q-6q9f-rq6q", - "targetType": "lockfile", - "isSecurity": true - }, { "file": "test_data/Gemfile.lock", "line": "16", 
@@ -87,6 +76,17 @@ "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/Gemfile.lock", + "line": "16", + "message": "Active Support Possibly Discloses Locally Encrypted Files. Current version of 'activesupport' is vulnerable: 5.2.8.1. Patch available: upgrade to 6.1.7.5 or higher.", + "code": "GHSA-cr5q-6q9f-rq6q", + "level": "LEVEL_LOW", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-cr5q-6q9f-rq6q", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/Gemfile.lock", "line": "34", @@ -131,6 +131,17 @@ "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/Gemfile.lock", + "line": "97", + "message": "'Nokogiri' updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459. Current version of 'nokogiri' is vulnerable: 1.14.1. Patch available: upgrade to 1.16.5 or higher.", + "code": "GHSA-r95h-9x8f-r3f7", + "level": "LEVEL_LOW", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-r95h-9x8f-r3f7", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/Gemfile.lock", "line": "97", 
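Review bot: The activesupport entry GHSA-cr5q-6q9f-rq6q re-added in this hunk is field-for-field the block that the @@ -54 hunk deletes, and the go.mod hunks that follow (@@ -221, @@ -281, @@ -531) likewise delete and re-add the same codes in a new order (CVE-2023-24540 moves from the first of those to the second, CVE-2023-24532 from the second to the third), so the expected file appears to be matched against scanner output position by position. That makes each OSV database refresh rewrite hundreds of lines and buries the one genuinely new expectation here, the nokogiri GHSA-r95h-9x8f-r3f7 entry at Gemfile.lock line 97. If the harness allows it, sort both the expected list and the scanner output by `file`, `line`, `code` (or compare them as sets) before diffing, so that only real additions and removals reach review. The go.mod fixture also reports every stdlib advisory against Go 1.13, so this list will keep growing with each osv-scanner upgrade; that is inherent to the fixture, not a defect in this change.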
@@ -221,41 +232,21 @@ }, { "file": "test_data/go.mod", - "message": "Improper handling of JavaScript whitespace in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24540", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24540", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Excessive resource consumption in mime/multipart. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41725", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41725", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Large RSA keys can cause high CPU usage in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-29409", + "message": "Comments in display names are incorrectly handled in net/mail. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24784", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-29409", + "issueUrl": "https://osv.dev/CVE-2024-24784", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Insufficient sanitization of Host header in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-29406", + "message": "Panic due to crafted inputs in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-39293", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-29406", + "issueUrl": "https://osv.dev/CVE-2021-39293", "targetType": "lockfile", "isSecurity": true }, 
@@ -281,221 +272,211 @@ }, { "file": "test_data/go.mod", - "message": "Improper handling of special tags within script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-39319", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-39319", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "message": "Denial of service via chunk extensions in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-39326", + "message": "Improper handling of JavaScript whitespace in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24540", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-39326", + "issueUrl": "https://osv.dev/CVE-2023-24540", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45283", + "message": "Improper sanitization of CSS values in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24539", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45283", + "issueUrl": "https://osv.dev/CVE-2023-24539", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect detection of reserved device names on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45284", + "message": "Backticks not treated as string delimiters in html/template. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24538", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45284", + "issueUrl": "https://osv.dev/CVE-2023-24538", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45287", + "message": "Stack exhaustion on crafted paths in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30632", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45287", + "issueUrl": "https://osv.dev/CVE-2022-30632", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45289", + "message": "Stack exhaustion when reading certain archives in compress/gzip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30631", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45289", + "issueUrl": "https://osv.dev/CVE-2022-30631", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Memory exhaustion in multipart form parsing in net/textproto and net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-45290", + "message": "Stack exhaustion in Glob on certain paths in io/fs. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30630", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-45290", + "issueUrl": "https://osv.dev/CVE-2022-30630", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Verify panics on certificates with an unknown public key algorithm in crypto/x509. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24783", + "message": "Session tickets lack random ticket_age_add in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30629", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24783", + "issueUrl": "https://osv.dev/CVE-2022-30629", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Comments in display names are incorrectly handled in net/mail. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24784", + "message": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30580", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24784", + "issueUrl": "https://osv.dev/CVE-2022-30580", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Errors returned from JSON marshaling may break template escaping in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2024-24785", + "message": "Path traversal via Clean on Windows in path/filepath. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-29804", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2024-24785", + "issueUrl": "https://osv.dev/CVE-2022-29804", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-4374-p667-p6c8", + "message": "Incorrect sanitization of forwarded query parameters in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-2880", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", + "issueUrl": "https://osv.dev/CVE-2022-2880", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-4v7x-pqxf-cx7m", + "message": "Unbounded memory consumption when reading headers in archive/tar. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-2879", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m", + "issueUrl": "https://osv.dev/CVE-2022-2879", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Denial of service in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-69cg-p879-7622", + "message": "Panic due to large inputs affecting P-256 curves in crypto/elliptic. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-28327", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622", + "issueUrl": "https://osv.dev/CVE-2022-28327", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-h86h-8ppg-mxmh", + "message": "Stack exhaustion from deeply nested XML documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-28131", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", + "issueUrl": "https://osv.dev/CVE-2022-28131", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-p782-xgp4-8hr8", + "message": "Stack exhaustion when compiling deeply nested expressions in regexp. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-24921", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-p782-xgp4-8hr8", + "issueUrl": "https://osv.dev/CVE-2022-24921", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-vc3p-29h2-gpcp", + "message": "Stack overflow from a large amount of PEM data in encoding/pem. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-24675", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", + "issueUrl": "https://osv.dev/CVE-2022-24675", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-vvpx-j8f3-3w6h", + "message": "Incorrect computation for some invalid field elements in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-23806", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", + "issueUrl": "https://osv.dev/CVE-2022-23806", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "GHSA-xrjj-mj9h-534m", + "message": "Uncontrolled memory consumption in math/big. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-23772", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", + "issueUrl": "https://osv.dev/CVE-2022-23772", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect calculation on P256 curves in crypto/internal/nistec. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24532", + "message": "Stack exhaustion due to deeply nested types in go/parser. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-1962", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24532", + "issueUrl": "https://osv.dev/CVE-2022-1962", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic on large handshake records in crypto/tls. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41724", + "message": "Improper sanitization of Transfer-Encoding headers in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-1705", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41724", + "issueUrl": "https://osv.dev/CVE-2022-1705", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper sanitization of CSS values in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24539", + "message": "Misdirected I/O in syscall. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-44717", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24539", + "issueUrl": "https://osv.dev/CVE-2021-44717", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Backticks not treated as string delimiters in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-24538", + "message": "Indefinite hang with large buffers on Windows in crypto/rand. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30634", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-24538", + "issueUrl": "https://osv.dev/CVE-2022-30634", "targetType": "lockfile", "isSecurity": true }, 
@@ -531,101 +512,121 @@ }, { "file": "test_data/go.mod", - "message": "Cross-site scripting in net/http/cgi and net/http/fcgi. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2020-24553", + "message": "Incorrect calculation on P256 curves in crypto/internal/nistec. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-24532", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2020-24553", + "issueUrl": "https://osv.dev/CVE-2023-24532", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Infinite loop when decoding inputs in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-27918", + "message": "Excessive resource consumption in mime/multipart. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41725", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-27918", + "issueUrl": "https://osv.dev/CVE-2022-41725", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect operations on the P-224 curve in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-3114", + "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-xrjj-mj9h-534m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-3114", + "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper sanitization when resolving values from DNS in net. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-33195", + "message": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-vvpx-j8f3-3w6h", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-33195", + "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic when reading certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-33196", + "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-vc3p-29h2-gpcp", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-33196", + "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Attacker can drop certain headers in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-33197", + "message": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-p782-xgp4-8hr8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-33197", + "issueUrl": "https://osv.dev/GHSA-p782-xgp4-8hr8", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic on inputs with large exponents in math/big. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-33198", + "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-h86h-8ppg-mxmh", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-33198", + "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic on certain certificates in crypto/tls. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-34558", + "message": "Denial of service in net/http and golang.org/x/net/http2. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-69cg-p879-7622", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-34558", + "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic in ReverseProxy in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-36221", + "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-4v7x-pqxf-cx7m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-36221", + "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic due to crafted inputs in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-39293", + "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "GHSA-4374-p667-p6c8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-39293", + "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Denial of service due to improper 100-continue handling in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24791", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2024-24791", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24790", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2024-24790", "targetType": "lockfile", "isSecurity": true }, 
@@ -641,201 +642,201 @@ }, { "file": "test_data/go.mod", - "message": "Panic when opening certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-41772", + "message": "Panic on large handshake records in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41724", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-41772", + "issueUrl": "https://osv.dev/CVE-2022-41724", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Misdirected I/O in syscall. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2021-44717", + "message": "Path traversal on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41722", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2021-44717", + "issueUrl": "https://osv.dev/CVE-2022-41722", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper sanitization of Transfer-Encoding headers in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-1705", + "message": "Mishandling of corrupt central directory record in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24789", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-1705", + "issueUrl": "https://osv.dev/CVE-2024-24789", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion due to deeply nested types in go/parser. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-1962", + "message": "Restricted file access on Windows in os and net/http. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41720", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-1962", + "issueUrl": "https://osv.dev/CVE-2022-41720", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Uncontrolled memory consumption in math/big. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-23772", + "message": "Errors returned from JSON marshaling may break template escaping in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24785", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-23772", + "issueUrl": "https://osv.dev/CVE-2024-24785", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect computation for some invalid field elements in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-23806", + "message": "Large RSA keys can cause high CPU usage in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-29409", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-23806", + "issueUrl": "https://osv.dev/CVE-2023-29409", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack overflow from a large amount of PEM data in encoding/pem. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-24675", + "message": "Verify panics on certificates with an unknown public key algorithm in crypto/x509. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2024-24783", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-24675", + "issueUrl": "https://osv.dev/CVE-2024-24783", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when compiling deeply nested expressions in regexp. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-24921", + "message": "Memory exhaustion in multipart form parsing in net/textproto and net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45290", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-24921", + "issueUrl": "https://osv.dev/CVE-2023-45290", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion from deeply nested XML documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-28131", + "message": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45289", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-28131", + "issueUrl": "https://osv.dev/CVE-2023-45289", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic due to large inputs affecting P-256 curves in crypto/elliptic. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-28327", + "message": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45287", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-28327", + "issueUrl": "https://osv.dev/CVE-2023-45287", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unbounded memory consumption when reading headers in archive/tar. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-2879", + "message": "Incorrect detection of reserved device names on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45284", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-2879", + "issueUrl": "https://osv.dev/CVE-2023-45284", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Incorrect sanitization of forwarded query parameters in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-2880", + "message": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-45283", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-2880", + "issueUrl": "https://osv.dev/CVE-2023-45283", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Path traversal via Clean on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-29804", + "message": "Denial of service via chunk extensions in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-39326", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-29804", + "issueUrl": "https://osv.dev/CVE-2023-39326", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows. 
Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30580", + "message": "Unsanitized NUL in environment variables on Windows in syscall and os/exec. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41716", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30580", + "issueUrl": "https://osv.dev/CVE-2022-41716", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Session tickets lack random ticket_age_add in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30629", + "message": "Memory exhaustion when compiling regular expressions in regexp/syntax. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-41715", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30629", + "issueUrl": "https://osv.dev/CVE-2022-41715", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion in Glob on certain paths in io/fs. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30630", + "message": "Panic when opening certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-41772", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30630", + "issueUrl": "https://osv.dev/CVE-2021-41772", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when reading certain archives in compress/gzip. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30631", + "message": "Insufficient sanitization of Host header in net/http. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-29406", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30631", + "issueUrl": "https://osv.dev/CVE-2023-29406", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion on crafted paths in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30632", + "message": "Panic when decoding Float and Rat types in math/big. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-32189", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30632", + "issueUrl": "https://osv.dev/CVE-2022-32189", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Stack exhaustion when unmarshaling certain documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30633", + "message": "Exposure of client IP addresses in net/http. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-32148", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30633", + "issueUrl": "https://osv.dev/CVE-2022-32148", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Indefinite hang with large buffers on Windows in crypto/rand. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-30634", + "message": "Improper handling of special tags within script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-39319", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-30634", + "issueUrl": "https://osv.dev/CVE-2023-39319", "targetType": "lockfile", "isSecurity": true }, 
@@ -851,91 +852,131 @@ }, { "file": "test_data/go.mod", - "message": "Exposure of client IP addresses in net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-32148", + "message": "Improper handling of HTML-like comments in script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2023-39318", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-32148", + "issueUrl": "https://osv.dev/CVE-2023-39318", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Panic when decoding Float and Rat types in math/big. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-32189", + "message": "Cross-site scripting in net/http/cgi and net/http/fcgi. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2020-24553", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-32189", + "issueUrl": "https://osv.dev/CVE-2020-24553", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Memory exhaustion when compiling regular expressions in regexp/syntax. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41715", + "message": "Infinite loop when decoding inputs in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-27918", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41715", + "issueUrl": "https://osv.dev/CVE-2021-27918", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Unsanitized NUL in environment variables on Windows in syscall and os/exec. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41716", + "message": "Incorrect operations on the P-224 curve in crypto/elliptic. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-3114", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41716", + "issueUrl": "https://osv.dev/CVE-2021-3114", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Restricted file access on Windows in os and net/http. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41720", + "message": "Improper sanitization when resolving values from DNS in net. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33195", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41720", + "issueUrl": "https://osv.dev/CVE-2021-33195", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Path traversal on Windows in path/filepath. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2022-41722", + "message": "Panic when reading certain archives in archive/zip. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33196", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2022-41722", + "issueUrl": "https://osv.dev/CVE-2021-33196", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", - "message": "Improper handling of HTML-like comments in script contexts in html/template. Current version of 'stdlib' is vulnerable: 1.13.", - "code": "CVE-2023-39318", + "message": "Attacker can drop certain headers in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33197", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/CVE-2023-39318", + "issueUrl": "https://osv.dev/CVE-2021-33197", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Panic on inputs with large exponents in math/big. 
Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-33198", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2021-33198", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Panic on certain certificates in crypto/tls. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-34558", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2021-34558", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Panic in ReverseProxy in net/http/httputil. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2021-36221", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2021-36221", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "message": "Stack exhaustion when unmarshaling certain documents in encoding/xml. Current version of 'stdlib' is vulnerable: 1.13.", + "code": "CVE-2022-30633", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2022-30633", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Gitea erroneous repo clones. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-8j3v-68w3-3848", - "level": "LEVEL_MEDIUM", + "message": "Gitea vulnerable to Argument Injection in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-w8xw-7crf-h23x", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-8j3v-68w3-3848", + "issueUrl": "https://osv.dev/GHSA-w8xw-7crf-h23x", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Stored Cross-site Scripting in gitea. 
Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", + "message": "Stored Cross-site Scripting in gitea in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", "code": "GHSA-ph3w-2843-72mx", - "level": "LEVEL_MEDIUM", + "level": "LEVEL_HIGH", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-ph3w-2843-72mx", "targetType": "lockfile", 
@@ -944,113 +985,157 @@ { "file": "test_data/go.mod", "line": "7", - "message": "Gogs and Gitea SSRF Vulnerability. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-fg3x-rwq9-74cw", + "message": "Shell command injection in gitea in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-p5f9-c9j9-g8qx", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-fg3x-rwq9-74cw", + "issueUrl": "https://osv.dev/GHSA-p5f9-c9j9-g8qx", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Gitea allowed assignment of private issues. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-fhv8-m4j4-cww2", - "level": "LEVEL_MEDIUM", + "message": "Capture-replay in Gitea in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-jrpg-35hw-m4p9", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-fhv8-m4j4-cww2", + "issueUrl": "https://osv.dev/GHSA-jrpg-35hw-m4p9", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Arbitrary file deletion in gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-g7p7-x6w7-w6qg", + "message": "Gitea Missing Authorization vulnerability in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-jr9c-h74f-2v28", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-g7p7-x6w7-w6qg", + "issueUrl": "https://osv.dev/GHSA-jr9c-h74f-2v28", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Arbitrary Code Execution in Gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-3h6c-c475-jm7v", + "message": "Path Traversal in Gitea in 'code.gitea.io/gitea'. 
Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-h3q4-vmw4-cpr5", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-3h6c-c475-jm7v", + "issueUrl": "https://osv.dev/GHSA-h3q4-vmw4-cpr5", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "'code.gitea.io/gitea' Open Redirect vulnerability. Current version is vulnerable: 1.9.0-dev.", - "code": "GHSA-cf6v-9j57-v6r6", - "level": "LEVEL_LOW", + "message": "Cross-site Scripting in Gitea in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-g95p-88p4-76cm", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-cf6v-9j57-v6r6", + "issueUrl": "https://osv.dev/GHSA-g95p-88p4-76cm", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Cross-site Scripting in Gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-g95p-88p4-76cm", - "level": "LEVEL_MEDIUM", + "message": "Arbitrary file deletion in gitea in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-g7p7-x6w7-w6qg", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-g95p-88p4-76cm", + "issueUrl": "https://osv.dev/GHSA-g7p7-x6w7-w6qg", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Path Traversal in Gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-h3q4-vmw4-cpr5", - "level": "LEVEL_MEDIUM", + "message": "Denial of Service in Gitea in 'code.gitea.io/gitea'. 
Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-g2qx-6ghw-67hm", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-h3q4-vmw4-cpr5", + "issueUrl": "https://osv.dev/GHSA-g2qx-6ghw-67hm", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Gitea Missing Authorization vulnerability. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-jr9c-h74f-2v28", + "message": "Gitea allowed assignment of private issues in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-fhv8-m4j4-cww2", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-jr9c-h74f-2v28", + "issueUrl": "https://osv.dev/GHSA-fhv8-m4j4-cww2", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Shell command injection in gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", - "code": "GHSA-p5f9-c9j9-g8qx", + "message": "Gogs and Gitea SSRF Vulnerability in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-fg3x-rwq9-74cw", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-p5f9-c9j9-g8qx", + "issueUrl": "https://osv.dev/GHSA-fg3x-rwq9-74cw", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "line": "7", + "message": "'code.gitea.io/gitea' Open Redirect vulnerability. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-cf6v-9j57-v6r6", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-cf6v-9j57-v6r6", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "line": "7", + "message": "Gitea erroneous repo clones in 'code.gitea.io/gitea'. 
Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-8j3v-68w3-3848", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-8j3v-68w3-3848", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "7", - "message": "Gitea Open Redirect. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", + "message": "Gitea Open Redirect in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", "code": "GHSA-4rqq-rxvc-v2rc", - "level": "LEVEL_MEDIUM", + "level": "LEVEL_HIGH", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-4rqq-rxvc-v2rc", "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/go.mod", + "line": "7", + "message": "Gitea Cross-site Scripting Vulnerability in 'code.gitea.io/gitea'. Current version is vulnerable: 1.9.0-dev.", + "code": "GHSA-4h4p-553m-46qh", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-4h4p-553m-46qh", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "line": "7", + "message": "Arbitrary Code Execution in Gitea. Current version of 'code.gitea.io/gitea' is vulnerable: 1.9.0-dev.", + "code": "GHSA-3h6c-c475-jm7v", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-3h6c-c475-jm7v", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/go.mod", "line": "16", 
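Review bot: Every Gitea advisory in this hunk is re-recorded at `"level": "LEVEL_HIGH"` regardless of its previous level — `GHSA-cf6v-9j57-v6r6` (Open Redirect) moves from `LEVEL_LOW` to `LEVEL_HIGH`, and `GHSA-fhv8-m4j4-cww2`, `GHSA-8j3v-68w3-3848` and `GHSA-4rqq-rxvc-v2rc` move from `LEVEL_MEDIUM` to `LEVEL_HIGH` — which reads as a change in how osv-scanner severity is mapped rather than a change in the advisories, and auto-accepting the snapshot bakes that in silently. The same collapse to a single level appears in the `@@ -1087,18 +1172,18 @@`, `@@ -1109,9 +1194,20 @@` and `@@ -1120,9 +1216,9 @@` hunks. If the mapping no longer reflects the advisory's own severity, the commit description should say so, since one level for all findings removes the triage signal the snapshot is meant to pin. Separately, the new-side message format is inconsistent: most entries now read `... in 'code.gitea.io/gitea'. Current version is vulnerable: ...` while `GHSA-3h6c-c475-jm7v` keeps the older `Current version of 'code.gitea.io/gitea' is vulnerable: ...`; presumably this depends on whether the upstream summary already names the module, but it is worth confirming it is deliberate rather than a formatting bug.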
@@ -1087,18 +1172,18 @@ { "file": "test_data/go.mod", "line": "58", - "message": "Open redirect in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-36h2-95gj-w488", - "level": "LEVEL_MEDIUM", + "message": "Gitea Improper Input Validation in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", + "code": "GHSA-q47x-6mqq-4w92", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-36h2-95gj-w488", + "issueUrl": "https://osv.dev/GHSA-q47x-6mqq-4w92", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "58", - "message": "Cross Site Request Forgery in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "message": "Cross Site Request Forgery in Gitea in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", "code": "GHSA-4wp3-8q92-mh8w", "level": "LEVEL_HIGH", "linter": "osv-scanner", @@ -1109,9 +1194,20 @@ { "file": "test_data/go.mod", "line": "58", - "message": "Gitea displaying raw OpenID error in UI. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "message": "Open redirect in Gitea in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", + "code": "GHSA-36h2-95gj-w488", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-36h2-95gj-w488", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/go.mod", + "line": "58", + "message": "Gitea displaying raw OpenID error in UI in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", "code": "GHSA-8h8p-x289-vvqr", - "level": "LEVEL_MEDIUM", + "level": "LEVEL_HIGH", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-8h8p-x289-vvqr", "targetType": "lockfile", 
@@ -1120,9 +1216,9 @@ { "file": "test_data/go.mod", "line": "58", - "message": "Gitea Exposes Private Email Addresses. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "message": "Gitea Exposes Private Email Addresses in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", "code": "GHSA-f5fj-7265-jxhj", - "level": "LEVEL_MEDIUM", + "level": "LEVEL_HIGH", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-f5fj-7265-jxhj", "targetType": "lockfile", 
@@ -1142,97 +1238,86 @@ { "file": "test_data/go.mod", "line": "58", - "message": "Capture-replay in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-jrpg-35hw-m4p9", + "message": "Gitea vulnerable to Argument Injection. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "code": "GHSA-w8xw-7crf-h23x", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-jrpg-35hw-m4p9", + "issueUrl": "https://osv.dev/GHSA-w8xw-7crf-h23x", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "58", - "message": "Gitea Improper Input Validation. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-q47x-6mqq-4w92", + "message": "Improper Access Control in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "code": "GHSA-r7h7-chh4-5rvm", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-q47x-6mqq-4w92", + "issueUrl": "https://osv.dev/GHSA-r7h7-chh4-5rvm", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "58", - "message": "Cross-site Scripting in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "message": "Cross-site Scripting in Gitea in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", "code": "GHSA-r3gq-wxqf-q4gh", - "level": "LEVEL_MEDIUM", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-r3gq-wxqf-q4gh", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/go.mod", - "line": "58", - "message": "Improper Access Control in Gitea. 
Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-r7h7-chh4-5rvm", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-r7h7-chh4-5rvm", + "issueUrl": "https://osv.dev/GHSA-r3gq-wxqf-q4gh", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "58", - "message": "Gitea vulnerable to Argument Injection. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-w8xw-7crf-h23x", + "message": "Gitea Remote Code Execution in 'github.com/go-gitea/gitea'. Current version is vulnerable: 1.2.3.", + "code": "GHSA-hpmr-prr2-cqc4", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-w8xw-7crf-h23x", + "issueUrl": "https://osv.dev/GHSA-hpmr-prr2-cqc4", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "58", - "message": "Gitea Remote Code Execution. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", - "code": "GHSA-hpmr-prr2-cqc4", + "message": "Capture-replay in Gitea. Current version of 'github.com/go-gitea/gitea' is vulnerable: 1.2.3.", + "code": "GHSA-jrpg-35hw-m4p9", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-hpmr-prr2-cqc4", + "issueUrl": "https://osv.dev/GHSA-jrpg-35hw-m4p9", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "84", - "message": "Gophish vulnerable to Cross-site Scripting via crafted landing page. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", - "code": "GHSA-55m9-hm92-xm8j", - "level": "LEVEL_MEDIUM", + "message": "Gophish before 0.12.0 vulnerable to Open Redirect in 'github.com/gophish/gophish'. 
Current version is vulnerable: 0.1.2.", + "code": "GHSA-hvw3-p9px-gpc9", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-55m9-hm92-xm8j", + "issueUrl": "https://osv.dev/GHSA-hvw3-p9px-gpc9", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "84", - "message": "Gophish vulnerable to Denial of Service via crafted payload involving autofocus. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", - "code": "GHSA-8gg8-wr4j-v2wr", + "message": "Gophish XSS Vulnerability in 'github.com/gophish/gophish'. Current version is vulnerable: 0.1.2.", + "code": "GHSA-9h9f-9q8g-6764", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-8gg8-wr4j-v2wr", + "issueUrl": "https://osv.dev/GHSA-9h9f-9q8g-6764", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "84", - "message": "Gophish vulnerable to Server-Side Request Forgery. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", + "message": "Gophish vulnerable to Server-Side Request Forgery in 'github.com/gophish/gophish'. Current version is vulnerable: 0.1.2.", "code": "GHSA-9c9w-9pq7-f35h", - "level": "LEVEL_MEDIUM", + "level": "LEVEL_HIGH", "linter": "osv-scanner", "issueUrl": "https://osv.dev/GHSA-9c9w-9pq7-f35h", "targetType": "lockfile", 
@@ -1241,44 +1326,44 @@ { "file": "test_data/go.mod", "line": "84", - "message": "Gophish XSS Vulnerability. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", - "code": "GHSA-9h9f-9q8g-6764", - "level": "LEVEL_MEDIUM", + "message": "Gophish vulnerable to Denial of Service via crafted payload involving autofocus. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", + "code": "GHSA-8gg8-wr4j-v2wr", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-9h9f-9q8g-6764", + "issueUrl": "https://osv.dev/GHSA-8gg8-wr4j-v2wr", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "84", - "message": "Gophish before 0.12.0 vulnerable to Open Redirect. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", - "code": "GHSA-hvw3-p9px-gpc9", + "message": "Gophish vulnerable to Cross-site Scripting via crafted landing page. Current version of 'github.com/gophish/gophish' is vulnerable: 0.1.2.", + "code": "GHSA-55m9-hm92-xm8j", "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-hvw3-p9px-gpc9", + "issueUrl": "https://osv.dev/GHSA-55m9-hm92-xm8j", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "91", - "message": "pgx SQL Injection via Protocol Message Size Overflow. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.", - "code": "GHSA-7jwh-3vrq-q3m8", + "message": "pgx SQL Injection via Line Comment Creation. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.", + "code": "GHSA-m7wr-2xf7-cm9p", "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-7jwh-3vrq-q3m8", + "issueUrl": "https://osv.dev/GHSA-m7wr-2xf7-cm9p", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "91", - "message": "pgx SQL Injection via Line Comment Creation. 
Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.", - "code": "GHSA-m7wr-2xf7-cm9p", + "message": "pgx SQL Injection via Protocol Message Size Overflow. Current version of 'github.com/jackc/pgx' is vulnerable: 3.6.0+incompatible.", + "code": "GHSA-7jwh-3vrq-q3m8", "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-m7wr-2xf7-cm9p", + "issueUrl": "https://osv.dev/GHSA-7jwh-3vrq-q3m8", "targetType": "lockfile", "isSecurity": true }, @@ -1318,22 +1403,22 @@ { "file": "test_data/go.mod", "line": "161", - "message": "Path traversal in 'github.com/unknwon/cae'. Current version is vulnerable: 1.0.0.", - "code": "GHSA-vpx7-vm66-qx8r", + "message": "Path Traversal in 'github.com/unknwon/cae'. Current version is vulnerable: 1.0.0.", + "code": "GHSA-88jf-7rch-32qc", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vpx7-vm66-qx8r", + "issueUrl": "https://osv.dev/GHSA-88jf-7rch-32qc", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "161", - "message": "Path Traversal in 'github.com/unknwon/cae'. Current version is vulnerable: 1.0.0.", - "code": "GHSA-88jf-7rch-32qc", + "message": "Path traversal in 'github.com/unknwon/cae'. Current version is vulnerable: 1.0.0.", + "code": "GHSA-vpx7-vm66-qx8r", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-88jf-7rch-32qc", + "issueUrl": "https://osv.dev/GHSA-vpx7-vm66-qx8r", "targetType": "lockfile", "isSecurity": true }, 
@@ -1436,6 +1521,17 @@ "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/go.mod", + "line": "172", + "message": "Limited directory traversal vulnerability on Windows in 'golang.org/x/crypto'. Current version is vulnerable: 0.0.0-20190308221718-c2843e01d9a2.", + "code": "CVE-2022-30636", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/CVE-2022-30636", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/go.mod", "line": "173", @@ -1450,11 +1546,11 @@ { "file": "test_data/go.mod", "line": "173", - "message": "Denial of service via crafted TIFF image in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.", - "code": "GHSA-qgc7-mgm3-q253", + "message": "Panic when parsing invalid palette-color images in 'golang.org/x/image'. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.", + "code": "GHSA-9phm-fm57-rhg8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-qgc7-mgm3-q253", + "issueUrl": "https://osv.dev/GHSA-9phm-fm57-rhg8", "targetType": "lockfile", "isSecurity": true }, 
@@ -1469,25 +1565,36 @@ "targetType": "lockfile", "isSecurity": true }, + { + "file": "test_data/go.mod", + "line": "173", + "message": "Denial of service via crafted TIFF image in golang.org/x/image/tiff. Current version is vulnerable: 0.0.0-20190802002840-cff245a6509b.", + "code": "GHSA-qgc7-mgm3-q253", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-qgc7-mgm3-q253", + "targetType": "lockfile", + "isSecurity": true + }, { "file": "test_data/go.mod", "line": "174", - "message": "Denial of service in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-69cg-p879-7622", + "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-xrjj-mj9h-534m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622", + "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Denial of service via crafted HTTP/2 stream in net/http and 'golang.org/x/net'. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-vvpx-j8f3-3w6h", + "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-vc3p-29h2-gpcp", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", + "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", "targetType": "lockfile", "isSecurity": true }, 
@@ -1495,87 +1602,87 @@ "file": "test_data/go.mod", "line": "174", "message": "HTTP/2 Stream Cancellation Attack. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-2m7v-gc89-fjqf", + "code": "GHSA-qppj-fm5r-hxr3", "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-2m7v-gc89-fjqf", + "issueUrl": "https://osv.dev/GHSA-qppj-fm5r-hxr3", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Improper rendering of text nodes in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-2wrh-6pvc-2jm9", + "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-h86h-8ppg-mxmh", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-2wrh-6pvc-2jm9", + "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-4374-p667-p6c8", + "message": "Infinite loop when parsing inputs in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-83g2-8m93-v3w7", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", + "issueUrl": "https://osv.dev/GHSA-83g2-8m93-v3w7", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-4v7x-pqxf-cx7m", + "message": "Denial of service in net/http and golang.org/x/net/http2. 
Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-69cg-p879-7622", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m", + "issueUrl": "https://osv.dev/GHSA-69cg-p879-7622", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Excessive memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-xrjj-mj9h-534m", + "message": "HTTP/2 CONTINUATION flood in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-4v7x-pqxf-cx7m", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-xrjj-mj9h-534m", + "issueUrl": "https://osv.dev/GHSA-4v7x-pqxf-cx7m", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Infinite loop when parsing inputs in golang.org/x/net/html. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-83g2-8m93-v3w7", + "message": "HTTP/2 rapid reset can cause excessive work in net/http. Current version of 'golang.org/x/net' is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-4374-p667-p6c8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-83g2-8m93-v3w7", + "issueUrl": "https://osv.dev/GHSA-4374-p667-p6c8", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-h86h-8ppg-mxmh", + "message": "Improper rendering of text nodes in golang.org/x/net/html. 
Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-2wrh-6pvc-2jm9", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-h86h-8ppg-mxmh", + "issueUrl": "https://osv.dev/GHSA-2wrh-6pvc-2jm9", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "174", - "message": "Unbounded memory growth in net/http and golang.org/x/net/http2. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", - "code": "GHSA-vc3p-29h2-gpcp", + "message": "Denial of service via crafted HTTP/2 stream in net/http and 'golang.org/x/net'. Current version is vulnerable: 0.0.0-20200324143707-d3edc9973b7e.", + "code": "GHSA-vvpx-j8f3-3w6h", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-vc3p-29h2-gpcp", + "issueUrl": "https://osv.dev/GHSA-vvpx-j8f3-3w6h", "targetType": "lockfile", "isSecurity": true }, 
@@ -1593,22 +1700,22 @@ { "file": "test_data/go.mod", "line": "179", - "message": "Denial of service from HTTP/2 Rapid Reset in 'google.golang.org/grpc'. Current version is vulnerable: 1.23.0.", - "code": "GHSA-m425-mq94-257g", - "level": "LEVEL_HIGH", + "message": "HTTP/2 Stream Cancellation Attack. Current version of 'google.golang.org/grpc' is vulnerable: 1.23.0.", + "code": "GHSA-qppj-fm5r-hxr3", + "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-m425-mq94-257g", + "issueUrl": "https://osv.dev/GHSA-qppj-fm5r-hxr3", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/go.mod", "line": "179", - "message": "HTTP/2 Stream Cancellation Attack. Current version of 'google.golang.org/grpc' is vulnerable: 1.23.0.", - "code": "GHSA-2m7v-gc89-fjqf", - "level": "LEVEL_MEDIUM", + "message": "Denial of service from HTTP/2 Rapid Reset in 'google.golang.org/grpc'. Current version is vulnerable: 1.23.0.", + "code": "GHSA-m425-mq94-257g", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-2m7v-gc89-fjqf", + "issueUrl": "https://osv.dev/GHSA-m425-mq94-257g", "targetType": "lockfile", "isSecurity": true }, 
@@ -1648,99 +1755,99 @@ { "file": "test_data/requirements.txt", "line": "1", - "message": "'Pillow' buffer overflow vulnerability. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.3.0 or higher.", - "code": "GHSA-44wm-f244-xhp3", - "level": "LEVEL_MEDIUM", + "message": "Arbitrary Code Execution in 'Pillow'. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.2.0 or higher.", + "code": "GHSA-3f63-hfp8-52jq", + "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-44wm-f244-xhp3", + "issueUrl": "https://osv.dev/GHSA-3f63-hfp8-52jq", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "'Pillow' before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 9.2.0 or higher.", - "code": "GHSA-m2vv-5vj5-2hm7", + "message": "'Pillow' versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). 'Pillow' v10.0.1 upgrades the bundled libwebp binary to v1.3.2. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", + "code": "PYSEC-2023-175", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-m2vv-5vj5-2hm7", + "issueUrl": "https://osv.dev/PYSEC-2023-175", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "Invalid-free in _dealloc. Current version of 'pillow' is vulnerable: 9.1.1.", - "code": "OSV-2022-1074", - "level": "LEVEL_HIGH", + "message": "'Pillow' buffer overflow vulnerability. Current version of 'pillow' is vulnerable: 9.1.1. 
Patch available: upgrade to 10.3.0 or higher.", + "code": "GHSA-44wm-f244-xhp3", + "level": "LEVEL_MEDIUM", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/OSV-2022-1074", + "issueUrl": "https://osv.dev/GHSA-44wm-f244-xhp3", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "Segv on unknown address in jpeg_read_scanlines. Current version of 'pillow' is vulnerable: 9.1.1.", - "code": "OSV-2022-715", + "message": "Bundled libwebp in 'Pillow' vulnerable. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", + "code": "GHSA-56pw-mpj4-fxww", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/OSV-2022-715", + "issueUrl": "https://osv.dev/GHSA-56pw-mpj4-fxww", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "libwebp: OOB write in BuildHuffmanTable. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", - "code": "GHSA-j7hp-h8jx-5ppr", + "message": "An issue was discovered in 'Pillow' before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.0 or higher.", + "code": "GHSA-8ghj-p4vj-mr35", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-j7hp-h8jx-5ppr", + "issueUrl": "https://osv.dev/GHSA-8ghj-p4vj-mr35", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "An issue was discovered in 'Pillow' before 10.0.0. 
It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.0 or higher.", - "code": "GHSA-8ghj-p4vj-mr35", + "message": "libwebp: OOB write in BuildHuffmanTable. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", + "code": "GHSA-j7hp-h8jx-5ppr", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-8ghj-p4vj-mr35", + "issueUrl": "https://osv.dev/GHSA-j7hp-h8jx-5ppr", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "Bundled libwebp in 'Pillow' vulnerable. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", - "code": "GHSA-56pw-mpj4-fxww", + "message": "'Pillow' before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 9.2.0 or higher.", + "code": "GHSA-m2vv-5vj5-2hm7", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-56pw-mpj4-fxww", + "issueUrl": "https://osv.dev/GHSA-m2vv-5vj5-2hm7", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "'Pillow' versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). 'Pillow' v10.0.1 upgrades the bundled libwebp binary to v1.3.2. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.0.1 or higher.", - "code": "PYSEC-2023-175", + "message": "Invalid-free in _dealloc. 
Current version of 'pillow' is vulnerable: 9.1.1.", + "code": "OSV-2022-1074", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/PYSEC-2023-175", + "issueUrl": "https://osv.dev/OSV-2022-1074", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "1", - "message": "Arbitrary Code Execution in 'Pillow'. Current version of 'pillow' is vulnerable: 9.1.1. Patch available: upgrade to 10.2.0 or higher.", - "code": "GHSA-3f63-hfp8-52jq", + "message": "Segv on unknown address in jpeg_read_scanlines. Current version of 'pillow' is vulnerable: 9.1.1.", + "code": "OSV-2022-715", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-3f63-hfp8-52jq", + "issueUrl": "https://osv.dev/OSV-2022-715", "targetType": "lockfile", "isSecurity": true }, @@ -1758,11 +1865,11 @@ { "file": "test_data/requirements.txt", "line": "2", - "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary code execution in load_prompt. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", - "code": "GHSA-6643-h7h5-x9wh", + "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary Code Execution. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.225 or higher.", + "code": "GHSA-x32c-59v5-h7fg", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-6643-h7h5-x9wh", + "issueUrl": "https://osv.dev/GHSA-x32c-59v5-h7fg", "targetType": "lockfile", "isSecurity": true }, 
@@ -1780,44 +1887,66 @@ { "file": "test_data/requirements.txt", "line": "2", - "message": "'langchain' vulnerable to arbitrary code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.312 or higher.", - "code": "GHSA-7gfq-f96f-g85j", + "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary code execution in load_prompt. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", + "code": "GHSA-6643-h7h5-x9wh", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-7gfq-f96f-g85j", + "issueUrl": "https://osv.dev/GHSA-6643-h7h5-x9wh", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "2", - "message": "SQL injection vulnerability in 'langchain' v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", - "code": "GHSA-7q94-qpjr-xpgm", + "message": "'LangChain' before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.317 or higher.", + "code": "GHSA-655w-fm8m-m478", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-7q94-qpjr-xpgm", + "issueUrl": "https://osv.dev/GHSA-655w-fm8m-m478", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "2", - "message": "An issue in Harrison Chase 'langchain' v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. Current version is vulnerable: 0.0.171. 
Patch available: upgrade to 0.0.195 or higher.", - "code": "GHSA-92j5-3459-qgp4", + "message": "An issue in 'langchain' v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", + "code": "GHSA-57fc-8q82-gfp3", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-92j5-3459-qgp4", + "issueUrl": "https://osv.dev/GHSA-57fc-8q82-gfp3", "targetType": "lockfile", "isSecurity": true }, { "file": "test_data/requirements.txt", "line": "2", - "message": "'Langchain' 0.0.171 is vulnerable to Arbitrary Code Execution. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.225 or higher.", - "code": "GHSA-x32c-59v5-h7fg", + "message": "An issue in 'langchain' v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", + "code": "GHSA-2qmj-7962-cjq8", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-x32c-59v5-h7fg", + "issueUrl": "https://osv.dev/GHSA-2qmj-7962-cjq8", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/requirements.txt", + "line": "2", + "message": "SQL injection vulnerability in 'langchain' v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. Current version is vulnerable: 0.0.171. 
Patch available: upgrade to 0.0.247 or higher.", + "code": "GHSA-7q94-qpjr-xpgm", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-7q94-qpjr-xpgm", + "targetType": "lockfile", + "isSecurity": true + }, + { + "file": "test_data/requirements.txt", + "line": "2", + "message": "An issue in Harrison Chase 'langchain' v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.195 or higher.", + "code": "GHSA-92j5-3459-qgp4", + "level": "LEVEL_HIGH", + "linter": "osv-scanner", + "issueUrl": "https://osv.dev/GHSA-92j5-3459-qgp4", "targetType": "lockfile", "isSecurity": true }, 
@@ -1890,33 +2019,11 @@ { "file": "test_data/requirements.txt", "line": "2", - "message": "An issue in 'langchain' v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", - "code": "GHSA-57fc-8q82-gfp3", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-57fc-8q82-gfp3", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/requirements.txt", - "line": "2", - "message": "An issue in 'langchain' v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.247 or higher.", - "code": "GHSA-2qmj-7962-cjq8", - "level": "LEVEL_HIGH", - "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-2qmj-7962-cjq8", - "targetType": "lockfile", - "isSecurity": true - }, - { - "file": "test_data/requirements.txt", - "line": "2", - "message": "'LangChain' before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. Current version of 'langchain' is vulnerable: 0.0.171. Patch available: upgrade to 0.0.317 or higher.", - "code": "GHSA-655w-fm8m-m478", + "message": "'langchain' vulnerable to arbitrary code execution. Current version is vulnerable: 0.0.171. Patch available: upgrade to 0.0.312 or higher.", + "code": "GHSA-7gfq-f96f-g85j", "level": "LEVEL_HIGH", "linter": "osv-scanner", - "issueUrl": "https://osv.dev/GHSA-655w-fm8m-m478", + "issueUrl": "https://osv.dev/GHSA-7gfq-f96f-g85j", "targetType": "lockfile", "isSecurity": true }