github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/integration/testdata/pom.json.golden (about) 1 { 2 "SchemaVersion": 2, 3 "CreatedAt": "2021-08-25T12:20:30.000000005Z", 4 "ArtifactName": "testdata/fixtures/repo/pom", 5 "ArtifactType": "repository", 6 "Metadata": { 7 "ImageConfig": { 8 "architecture": "", 9 "created": "0001-01-01T00:00:00Z", 10 "os": "", 11 "rootfs": { 12 "type": "", 13 "diff_ids": null 14 }, 15 "config": {} 16 } 17 }, 18 "Results": [ 19 { 20 "Target": "pom.xml", 21 "Class": "lang-pkgs", 22 "Type": "pom", 23 "Vulnerabilities": [ 24 { 25 "VulnerabilityID": "CVE-2020-9548", 26 "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", 27 "PkgName": "com.fasterxml.jackson.core:jackson-databind", 28 "InstalledVersion": "2.9.1", 29 "FixedVersion": "2.9.10.4", 30 "Status": "fixed", 31 "Layer": {}, 32 "SeveritySource": "ghsa", 33 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548", 34 "DataSource": { 35 "ID": "ghsa", 36 "Name": "GitHub Security Advisory Maven", 37 "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" 38 }, 39 "Title": "jackson-databind: Serialization gadgets in anteros-core", 40 "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", 41 "Severity": "CRITICAL", 42 "CweIDs": [ 43 "CWE-502" 44 ], 45 "CVSS": { 46 "nvd": { 47 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 48 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49 "V2Score": 6.8, 50 "V3Score": 9.8 51 }, 52 "redhat": { 53 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 54 "V3Score": 8.1 55 } 56 }, 57 "References": [ 58 "https://access.redhat.com/security/cve/CVE-2020-9548", 59 "https://github.com/FasterXML/jackson-databind/issues/2634", 60 "https://github.com/advisories/GHSA-p43x-xfjf-5jhr", 61 "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E", 62 "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E", 63 "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E", 64 "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E", 65 "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E", 66 "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E", 67 "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E", 68 "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", 69 "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html", 70 "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", 71 "https://nvd.nist.gov/vuln/detail/CVE-2020-9548", 72 "https://security.netapp.com/advisory/ntap-20200904-0006/", 73 "https://www.oracle.com/security-alerts/cpujan2021.html", 74 "https://www.oracle.com/security-alerts/cpujul2020.html", 75 "https://www.oracle.com/security-alerts/cpuoct2020.html", 76 "https://www.oracle.com/security-alerts/cpuoct2021.html" 77 ], 78 "PublishedDate": "2020-03-02T04:15:00Z", 79 "LastModifiedDate": "2021-12-02T21:23:00Z" 80 }, 81 { 82 "VulnerabilityID": "CVE-2021-20190", 83 "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", 84 "PkgName": "com.fasterxml.jackson.core:jackson-databind", 85 "InstalledVersion": "2.9.1", 86 "FixedVersion": "2.9.10.7", 87 "Status": "fixed", 88 "Layer": {}, 89 "SeveritySource": "nvd", 90 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190", 91 "DataSource": { 92 "ID": "glad", 93 "Name": "GitLab Advisory Database Community", 94 "URL": "https://gitlab.com/gitlab-org/advisories-community" 95 }, 96 "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing", 97 "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", 98 "Severity": "HIGH", 99 "CweIDs": [ 100 "CWE-502" 101 ], 102 "CVSS": { 103 "nvd": { 104 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C", 105 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 106 "V2Score": 8.3, 107 "V3Score": 8.1 108 }, 109 "redhat": { 110 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 111 "V3Score": 8.1 112 } 113 }, 114 "References": [ 115 "https://access.redhat.com/security/cve/CVE-2021-20190", 116 "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", 117 "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", 118 "https://github.com/FasterXML/jackson-databind/issues/2854", 119 "https://github.com/advisories/GHSA-5949-rw7g-wx7w", 120 "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E", 121 "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html", 122 "https://nvd.nist.gov/vuln/detail/CVE-2021-20190", 123 "https://security.netapp.com/advisory/ntap-20210219-0008/" 124 ], 125 "PublishedDate": "2021-01-19T17:15:00Z", 126 "LastModifiedDate": "2021-07-20T23:15:00Z" 127 } 128 ] 129 } 130 ] 131 }