github.com/ishita82/trivy-gitaction@v0.0.0-20240206054925-e937cc05f8e3/integration/testdata/spring4shell-jre11.json.golden (about) 1 { 2 "SchemaVersion": 2, 3 "CreatedAt": "2021-08-25T12:20:30.000000005Z", 4 "ArtifactName": "testdata/fixtures/images/spring4shell-jre11.tar.gz", 5 "ArtifactType": "container_image", 6 "Metadata": { 7 "OS": { 8 "Family": "debian", 9 "Name": "11.3" 10 }, 11 "ImageID": "sha256:ed8f0747d483b60657982f0ef1ba74482aed08795cf0eb774b00bc53022a8351", 12 "DiffIDs": [ 13 "sha256:608f3a074261105f129d707e4d9ad3d41b5baa94887f092b7c2857f7274a2fce", 14 "sha256:1f6e409d1c59c8e06608a024b82d50490313abc3b2ff93730e43135d5be0cd72", 15 "sha256:1f0e278ace87a84577de56c99e5c05c6af6f8b582d1eb8dfd7de7be4cf215775", 16 "sha256:64272e9218cd019d57b84ac283aa35036cbd8c1dcface8c69f756088a0a13c45", 17 "sha256:8e6776c643c1db15d540016171fe04137ee2a26c7d0b18bfebdcbd31c6b0d8b3", 18 "sha256:0b201a611e5455d637c719d70eb5dd76fd4154bc4a5cf597d67ed2fb6647cc42", 19 "sha256:19da2426772aaa344a242e474fd7906d272fc8ded6eef5b4e461a4aa0725d7e5", 20 "sha256:1fdc094b0e85888d2204310083e3c09fff6a4daeecf22692aa6be5e8b4001f94", 21 "sha256:192960b65b1579403b36581de471fd2bd75a043b4743552f27ba16623f02c68f" 22 ], 23 "ImageConfig": { 24 "architecture": "amd64", 25 "created": "2022-06-07T03:41:13.228952Z", 26 "docker_version": "20.10.14", 27 "history": [ 28 { 29 "created": "2022-03-29T00:22:18.812238611Z", 30 "created_by": "/bin/sh -c #(nop) ADD file:966d3669b40f5fbaecee1ecbeb58debe19001076da5d94717080d55efbc25971 in / " 31 }, 32 { 33 "created": "2022-03-29T00:22:19.186561403Z", 34 "created_by": "/bin/sh -c #(nop) CMD [\"bash\"]", 35 "empty_layer": true 36 }, 37 { 38 "created": "2022-03-29T00:52:15.681202963Z", 39 "created_by": "/bin/sh -c set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates p11-kit \t; \trm -rf /var/lib/apt/lists/*" 40 }, 41 { 42 "created": "2022-03-29T00:55:28.571451389Z", 43 "created_by": "/bin/sh -c #(nop) ENV JAVA_HOME=/usr/local/openjdk-11", 44 "empty_layer": true 45 }, 46 { 47 "created": "2022-03-29T00:55:29.092016566Z", 48 "created_by": "/bin/sh -c { echo '#/bin/sh'; echo 'echo \"$JAVA_HOME\"'; } \u003e /usr/local/bin/docker-java-home \u0026\u0026 chmod +x /usr/local/bin/docker-java-home \u0026\u0026 [ \"$JAVA_HOME\" = \"$(docker-java-home)\" ] # backwards compatibility" 49 }, 50 { 51 "created": "2022-03-29T00:55:29.206969756Z", 52 "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 53 "empty_layer": true 54 }, 55 { 56 "created": "2022-03-29T00:55:29.302995298Z", 57 "created_by": "/bin/sh -c #(nop) ENV LANG=C.UTF-8", 58 "empty_layer": true 59 }, 60 { 61 "created": "2022-03-29T00:55:29.392969112Z", 62 "created_by": "/bin/sh -c #(nop) ENV JAVA_VERSION=11.0.14.1", 63 "empty_layer": true 64 }, 65 { 66 "created": "2022-03-29T00:56:45.085797918Z", 67 "created_by": "/bin/sh -c set -eux; \t\tarch=\"$(dpkg --print-architecture)\"; \tcase \"$arch\" in \t\t'amd64') \t\t\tdownloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.14.1%2B1/OpenJDK11U-jre_x64_linux_11.0.14.1_1.tar.gz'; \t\t\t;; \t\t'arm64') \t\t\tdownloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.14.1%2B1/OpenJDK11U-jre_aarch64_linux_11.0.14.1_1.tar.gz'; \t\t\t;; \t\t*) echo \u003e\u00262 \"error: unsupported architecture: '$arch'\"; exit 1 ;; \tesac; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tdirmngr \t\tgnupg \t\twget \t; \trm -rf /var/lib/apt/lists/*; \t\twget --progress=dot:giga -O openjdk.tgz \"$downloadUrl\"; \twget --progress=dot:giga -O openjdk.tgz.asc \"$downloadUrl.sign\"; \t\texport GNUPGHOME=\"$(mktemp -d)\"; \tgpg --batch --keyserver keyserver.ubuntu.com --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \tgpg --batch --keyserver keyserver.ubuntu.com --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \tgpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \t\t| tee /dev/stderr \t\t| grep '0xA5CD6035332FA671' \t\t| grep 'Andrew Haley'; \tgpg --batch --verify openjdk.tgz.asc openjdk.tgz; \tgpgconf --kill all; \trm -rf \"$GNUPGHOME\"; \t\tmkdir -p \"$JAVA_HOME\"; \ttar --extract \t\t--file openjdk.tgz \t\t--directory \"$JAVA_HOME\" \t\t--strip-components 1 \t\t--no-same-owner \t; \trm openjdk.tgz*; \t\tapt-mark auto '.*' \u003e /dev/null; \t[ -z \"$savedAptMark\" ] || apt-mark manual $savedAptMark \u003e /dev/null; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\t{ \t\techo '#!/usr/bin/env bash'; \t\techo 'set -Eeuo pipefail'; \t\techo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth \"$JAVA_HOME/lib/security/cacerts\"'; \t} \u003e /etc/ca-certificates/update.d/docker-openjdk; \tchmod +x /etc/ca-certificates/update.d/docker-openjdk; \t/etc/ca-certificates/update.d/docker-openjdk; \t\tfind \"$JAVA_HOME/lib\" -name '*.so' -exec dirname '{}' ';' | sort -u \u003e /etc/ld.so.conf.d/docker-openjdk.conf; \tldconfig; \t\tjava -Xshare:dump; \t\tjava --version" 68 }, 69 { 70 "created": "2022-03-30T05:16:56.493239413Z", 71 "created_by": "/bin/sh -c #(nop) ENV CATALINA_HOME=/usr/local/tomcat", 72 "empty_layer": true 73 }, 74 { 75 "created": "2022-03-30T05:16:56.592339446Z", 76 "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/local/tomcat/bin:/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 77 "empty_layer": true 78 }, 79 { 80 "created": "2022-03-30T05:16:57.135799132Z", 81 "created_by": "/bin/sh -c mkdir -p \"$CATALINA_HOME\"" 82 }, 83 { 84 "created": "2022-03-30T05:16:57.234962251Z", 85 "created_by": "/bin/sh -c #(nop) WORKDIR /usr/local/tomcat", 86 "empty_layer": true 87 }, 88 { 89 "created": "2022-03-30T05:16:57.332478398Z", 90 "created_by": "/bin/sh -c #(nop) ENV TOMCAT_NATIVE_LIBDIR=/usr/local/tomcat/native-jni-lib", 91 "empty_layer": true 92 }, 93 { 94 "created": "2022-03-30T05:16:57.423152329Z", 95 "created_by": "/bin/sh -c #(nop) ENV LD_LIBRARY_PATH=/usr/local/tomcat/native-jni-lib", 96 "empty_layer": true 97 }, 98 { 99 "created": "2022-03-30T05:38:59.455604207Z", 100 "created_by": "/bin/sh -c #(nop) ENV GPG_KEYS=05AB33110949707C93A279E3D3EFE6B686867BA6 07E48665A34DCAFAE522E5E6266191C37C037D42 47309207D818FFD8DCD3F83F1931D684307A10A5 541FBE7D8F78B25E055DDEE13C370389288584E7 5C3C5F3E314C866292F359A8F3AD5C94A67F707E 765908099ACF92702C7D949BFA0C35EA8AA299F1 79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED 9BA44C2621385CB966EBA586F72C284D731FABEE A27677289986DB50844682F8ACB77FC2E86E29AC A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23", 101 "empty_layer": true 102 }, 103 { 104 "created": "2022-03-30T05:38:59.550766811Z", 105 "created_by": "/bin/sh -c #(nop) ENV TOMCAT_MAJOR=8", 106 "empty_layer": true 107 }, 108 { 109 "created": "2022-03-30T05:38:59.643674076Z", 110 "created_by": "/bin/sh -c #(nop) ENV TOMCAT_VERSION=8.5.77", 111 "empty_layer": true 112 }, 113 { 114 "created": "2022-03-30T05:38:59.744285526Z", 115 "created_by": "/bin/sh -c #(nop) ENV TOMCAT_SHA512=50f96584cbbbeeda92a3b573e7fe7e2c49e57ed4bc5246257dc1409abac0710b49fa7049a0dd9a3b8467bca2aa078ef608f49b676c1abf12529528ff71bb0260", 116 "empty_layer": true 117 }, 118 { 119 "created": "2022-03-30T05:39:00.204794279Z", 120 "created_by": "/bin/sh -c #(nop) COPY dir:92f3a0f303b55a048a73bf243c664f89aa86500eab95c7d20c2da44ed3fb434b in /usr/local/tomcat " 121 }, 122 { 123 "created": "2022-03-30T05:39:03.786979035Z", 124 "created_by": "/bin/sh -c set -eux; \tapt-get update; \txargs -rt apt-get install -y --no-install-recommends \u003c \"$TOMCAT_NATIVE_LIBDIR/.dependencies.txt\"; \trm -rf /var/lib/apt/lists/*" 125 }, 126 { 127 "created": "2022-03-30T05:39:05.151055599Z", 128 "created_by": "/bin/sh -c set -eux; \tnativeLines=\"$(catalina.sh configtest 2\u003e\u00261)\"; \tnativeLines=\"$(echo \"$nativeLines\" | grep 'Apache Tomcat Native')\"; \tnativeLines=\"$(echo \"$nativeLines\" | sort -u)\"; \tif ! echo \"$nativeLines\" | grep -E 'INFO: Loaded( APR based)? Apache Tomcat Native library' \u003e\u00262; then \t\techo \u003e\u00262 \"$nativeLines\"; \t\texit 1; \tfi" 129 }, 130 { 131 "created": "2022-03-30T05:39:05.243348189Z", 132 "created_by": "/bin/sh -c #(nop) EXPOSE 8080", 133 "empty_layer": true 134 }, 135 { 136 "created": "2022-03-30T05:39:05.342897424Z", 137 "created_by": "/bin/sh -c #(nop) CMD [\"catalina.sh\" \"run\"]", 138 "empty_layer": true 139 }, 140 { 141 "created": "2022-06-07T03:41:13.228952Z", 142 "created_by": "/bin/sh -c #(nop) COPY file:4a1136b54136f8775efe918c4cd6af1ad1e507b36a49286d4f2c6bde722d33f4 in /usr/local/tomcat/webapps/ " 143 } 144 ], 145 "os": "linux", 146 "rootfs": { 147 "type": "layers", 148 "diff_ids": [ 149 "sha256:608f3a074261105f129d707e4d9ad3d41b5baa94887f092b7c2857f7274a2fce", 150 "sha256:1f6e409d1c59c8e06608a024b82d50490313abc3b2ff93730e43135d5be0cd72", 151 "sha256:1f0e278ace87a84577de56c99e5c05c6af6f8b582d1eb8dfd7de7be4cf215775", 152 "sha256:64272e9218cd019d57b84ac283aa35036cbd8c1dcface8c69f756088a0a13c45", 153 "sha256:8e6776c643c1db15d540016171fe04137ee2a26c7d0b18bfebdcbd31c6b0d8b3", 154 "sha256:0b201a611e5455d637c719d70eb5dd76fd4154bc4a5cf597d67ed2fb6647cc42", 155 "sha256:19da2426772aaa344a242e474fd7906d272fc8ded6eef5b4e461a4aa0725d7e5", 156 "sha256:1fdc094b0e85888d2204310083e3c09fff6a4daeecf22692aa6be5e8b4001f94", 157 "sha256:192960b65b1579403b36581de471fd2bd75a043b4743552f27ba16623f02c68f" 158 ] 159 }, 160 "config": { 161 "Cmd": [ 162 "catalina.sh", 163 "run" 164 ], 165 "Env": [ 166 "PATH=/usr/local/tomcat/bin:/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 167 "JAVA_HOME=/usr/local/openjdk-11", 168 "LANG=C.UTF-8", 169 "JAVA_VERSION=11.0.14.1", 170 "CATALINA_HOME=/usr/local/tomcat", 171 "TOMCAT_NATIVE_LIBDIR=/usr/local/tomcat/native-jni-lib", 172 "LD_LIBRARY_PATH=/usr/local/tomcat/native-jni-lib", 173 "GPG_KEYS=05AB33110949707C93A279E3D3EFE6B686867BA6 07E48665A34DCAFAE522E5E6266191C37C037D42 47309207D818FFD8DCD3F83F1931D684307A10A5 541FBE7D8F78B25E055DDEE13C370389288584E7 5C3C5F3E314C866292F359A8F3AD5C94A67F707E 765908099ACF92702C7D949BFA0C35EA8AA299F1 79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED 9BA44C2621385CB966EBA586F72C284D731FABEE A27677289986DB50844682F8ACB77FC2E86E29AC A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23", 174 "TOMCAT_MAJOR=8", 175 "TOMCAT_VERSION=8.5.77", 176 "TOMCAT_SHA512=50f96584cbbbeeda92a3b573e7fe7e2c49e57ed4bc5246257dc1409abac0710b49fa7049a0dd9a3b8467bca2aa078ef608f49b676c1abf12529528ff71bb0260" 177 ], 178 "Image": "sha256:8ac2c9cef8f1bb48394c1b2ee81cc1d2096323a7a7cec4781d601eeaf7c32b03", 179 "WorkingDir": "/usr/local/tomcat", 180 "ExposedPorts": { 181 "8080/tcp": {} 182 } 183 } 184 } 185 }, 186 "Results": [ 187 { 188 "Target": "testdata/fixtures/images/spring4shell-jre11.tar.gz (debian 11.3)", 189 "Class": "os-pkgs", 190 "Type": "debian" 191 }, 192 { 193 "Target": "Java", 194 "Class": "lang-pkgs", 195 "Type": "jar", 196 "Vulnerabilities": [ 197 { 198 "VulnerabilityID": "CVE-2022-22965", 199 "PkgName": "org.springframework:spring-beans", 200 "PkgPath": "usr/local/tomcat/webapps/helloworld.war/WEB-INF/lib/spring-beans-5.3.15.jar", 201 "PkgIdentifier": { 202 "PURL": "pkg:maven/org.springframework/spring-beans@5.3.15" 203 }, 204 "InstalledVersion": "5.3.15", 205 "FixedVersion": "5.3.18", 206 "Status": "fixed", 207 "Layer": { 208 "Digest": "sha256:b47862f824700e0ea830e568e989fba777d8223c1f8321c6256b0c965b9f61ee", 209 "DiffID": "sha256:192960b65b1579403b36581de471fd2bd75a043b4743552f27ba16623f02c68f" 210 }, 211 "SeveritySource": "ghsa", 212 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-22965", 213 "DataSource": { 214 "ID": "ghsa", 215 "Name": "GitHub Security Advisory Maven", 216 "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" 217 }, 218 "Title": "spring-framework: RCE via Data Binding on JDK 9+", 219 "Description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", 220 "Severity": "CRITICAL", 221 "CweIDs": [ 222 "CWE-94" 223 ], 224 "VendorSeverity": { 225 "ghsa": 4, 226 "nvd": 4, 227 "redhat": 3 228 }, 229 "CVSS": { 230 "ghsa": { 231 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 232 "V3Score": 9.8 233 }, 234 "nvd": { 235 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 236 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 237 "V2Score": 7.5, 238 "V3Score": 9.8 239 }, 240 "redhat": { 241 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 242 "V3Score": 8.1 243 } 244 }, 245 "References": [ 246 "https://github.com/advisories/GHSA-36p3-wjmg-h94x" 247 ] 248 } 249 ] 250 }, 251 { 252 "Target": "", 253 "Class": "custom", 254 "CustomResources": [ 255 { 256 "Type": "spring4shell/java-major-version", 257 "FilePath": "/usr/local/openjdk-11/release", 258 "Layer": { 259 "Digest": "sha256:e94fd7d3bf7a9b78b61be8303cd35eb9da3f8d121cf572a3b8878cbf11e84818", 260 "DiffID": "sha256:64272e9218cd019d57b84ac283aa35036cbd8c1dcface8c69f756088a0a13c45" 261 }, 262 "Data": "11.0.14.1" 263 }, 264 { 265 "Type": "spring4shell/tomcat-version", 266 "FilePath": "/usr/local/tomcat/RELEASE-NOTES", 267 "Layer": { 268 "Digest": "sha256:ac3639dc6fd33e9eeead58a99c277cb06b8f69ba6a30fe7028e9677a67d94bd8", 269 "DiffID": "sha256:0b201a611e5455d637c719d70eb5dd76fd4154bc4a5cf597d67ed2fb6647cc42" 270 }, 271 "Data": "8.5.77" 272 } 273 ] 274 } 275 ] 276 }