runner-archived-at-1709658802
Test runner
cyberdojo/runner:f88d904
Compliant
{ "created_at": 1705490496.699156, "fingerprint": "189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06", "filename": "cyberdojo/runner:f88d904", "git_commit": "f88d9046c40de6d92e016d0a266e7b75d12f919f", "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7554943027", "commit_url": "https://github.com/cyber-dojo/runner/commit/f88d9046c40de6d92e016d0a266e7b75d12f919f", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7554943027", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1705490536 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1705490498 } }, "created_at": 1705490538.740895, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7677677113", "evidence_archive_fingerprint": "7501cd7af35b9ebe731b8b1763f55208722faff79d345f9f68707555ccb6c125", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, 
"filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; 
change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - 
'*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": 
"medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n 
expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", 
"licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n 
SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, 
"displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# 
ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n 
SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. 
An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 
2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 785, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", 
"identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { 
"instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 
2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "1 medium or high or critical severity vulnerable dependency path", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian 
B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. 
To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", 
"probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": 
"https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 
2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 109, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": 
"medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/runner:f88d904", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n 
SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1706346923.1353915, "has_audit_package": true } }, "reported_by": "ci-pipelines", "git_commit_info": { "sha1": "f88d9046c40de6d92e016d0a266e7b75d12f919f", "message": "Dockerfile: upgrade base image and update .snyk file", "author": "JonJagger <jon@kosli.com>", "timestamp": 1705490374, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/runner", "template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1706346923.1353915, "deployments": [ 75, 74 ], "state": "COMPLIANT", "html_url": 
"https://app.kosli.com/cyber-dojo/flows/runner-archived-at-1709658802/artifacts/189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/runner-archived-at-1709658802/fingerprint/189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06" }
Artifact Information |
|
Name | cyberdojo/runner:f88d904 |
Fingerprint | 189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06 |
Git commit |
f88d904
JonJagger <jon@kosli.com> (main)
1705490374.0 • 3 months ago
Dockerfile: upgrade base image and update .snyk file
|
CI Build | https://github.com/cyber-dojo/runner/actions/runs/7554943027 |
Running | - |
Exited | aws-beta#3023 aws-prod#2145 |
Last modified | 1706346923.1353915 • 2 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7554943027", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1705490536 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1705490498 } }, "created_at": 1705490538.740895, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7677677113", "evidence_archive_fingerprint": "7501cd7af35b9ebe731b8b1763f55208722faff79d345f9f68707555ccb6c125", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, 
"org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: 
cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { 
"instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n 
created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": 
{ "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n 
SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n 
expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", 
"severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 
2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## 
Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. 
\r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", "probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, 
"fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": 
"https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 
2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 785, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", 
"identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { 
"instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 
2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "1 medium or high or critical severity vulnerable dependency path", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian 
B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-29T01:11:20.311137Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay during the establishment of the secure channel. An attacker can manipulate handshake sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. 
To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected `chacha20-poly1305@openssh.com` encryption and `*-etm@openssh.com` MAC algorithms in the affected configuration, and use unaffected algorithms like `AES-GCM` instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97023", 
"probability": "0.43479" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2024-01-01T09:00:03.647231Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/mwiede/jsch/commit/6214da974286a8b94a95f4cf6cec96e972ffd370" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": 
"https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-03-01T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nUpgrade `google.golang.org/protobuf/encoding/protojson` to version 1.32.0 or higher.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-03-01T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.32.0" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-29T11:55:36.470401Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "<1.32.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) provides an http.Handler and 
functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-03-01T12:48:48.599Z", 
"path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-03-01T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-03-01T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 
2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "6 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 109, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": 
"medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904@sha256:189ba146abfdf5a0d5aacbe7a9945adfeac4d36b5bece6d8a22be75a55b52b06/runner:f88d904", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-OPENSSH-6139287:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-28T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n 
SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-ALPINE319-OPENSSL-6159994:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6152404:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-03-01T12:49:02.243Z\n created: 2024-01-12T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/runner:f88d904", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1706346923.1353915, "has_audit_package": true }
