github.com/ishita82/trivy-gitaction@v0.0.0-20240206054925-e937cc05f8e3/image-sarif.test

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "CVE-2021-36159",
              "name": "OsPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2021-36159"
              },
              "fullDescription": {
                "text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
              "help": {
                "text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
                "markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "9.1",
                "tags": [
                  "vulnerability",
                  "security",
                  "CRITICAL"
                ]
              }
            }
          ],
          "version": "0.43.1"
        }
      },
      "results": [
        {
          "ruleId": "CVE-2021-36159",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/alpine",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}