saver-archived-at-1707630914
Group/Kata model+persistence
cyberdojo/saver:707759b
Non-compliant
JSON
{ "created_at": 1694859361.9551513, "fingerprint": "b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc", "filename": "cyberdojo/saver:707759b", "git_commit": "707759b47c210fc774ea212194419b00668305e7", "build_url": "https://github.com/cyber-dojo/saver/actions/runs/6206737598", "commit_url": "https://github.com/cyber-dojo/saver/commit/707759b47c210fc774ea212194419b00668305e7", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/saver/actions/runs/6206737598", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 2, "missed": 0, "total": 2 }, "lines": { "covered": 127, "missed": 0, "total": 127 } }, "test": { "branches": { "covered": 2, "missed": 0, "total": 2 }, "lines": { "covered": 593, "missed": 0, "total": 593 } } }, "timestamp": 1694859375 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 137, "missed": 2, "total": 139 }, "lines": { "covered": 1233, "missed": 10, "total": 1243 } }, "test": { "branches": { "covered": 12, "missed": 0, "total": 12 }, "lines": { "covered": 1756, "missed": 0, "total": 1756 } } }, "timestamp": 1694859371 } }, "created_at": 1694859376.9926128, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/saver/actions/runs/6206737598", "evidence_archive_fingerprint": "01b71731f319632092dc61b7286bf9b87e5af709f1ac47a85f5425d18a666153", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { 
"orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-PROCPSNG-5877704:\n - '*':\n reason: Wait for fix in base image\n 
expires: 2023-10-16T04:33:51.513Z\n created: 2023-09-16T04:33:51.517Z\n source: cli\npatch: {}\n", "projectName": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 84, "docker": { "baseImage": "ruby:3.2.2-alpine3.18", "baseImageRemediation": { "advice": [ { "message": "Base Image Vulnerabilities Severity\nruby:3.2.2-alpine3.18 1 0 critical, 0 high, 1 medium, 0 low\n" }, { "bold": true, "message": "Recommendations for base image upgrade:\n" }, { "bold": true, "message": "Alternative image types" }, { "message": "Base Image Vulnerabilities Severity\nruby:3.3.0-preview2-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\nruby:3.3.0-preview1-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\nruby:3.2.2-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\n" } ], "code": "REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD 
Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "procps-ng/procps-ng@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/procps-ng", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [ false, "procps-ng/procps-ng@4.0.4-r0" ], "version": "4.0.3-r1" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", 
"epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "procps-ng/libproc2@4.0.3-r1", "procps-ng/procps-ng@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/procps-ng", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "4.0.3-r1" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": 
"2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "procps-ng/libproc2@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/libproc2", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": 
"procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [ false, "procps-ng/libproc2@4.0.4-r0" ], "version": "4.0.3-r1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": 
"MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc/saver", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-PROCPSNG-5877704:\n - '*':\n reason: Wait for fix in base image\n expires: 2023-10-16T04:33:51.513Z\n created: 2023-09-16T04:33:51.517Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/saver", "summary": "5 vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-22T03:06:12.046945Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-09-21T01:10:49.366299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nWhen curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.3.0-r0 or higher.\n## References\n- 
[support@hackerone.com](https://hackerone.com/reports/2072338)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/)\n", "disclosureTime": "2023-09-15T04:15:10.127000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add git jq", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.14181", "probability": "0.00046" }, "exploit": "Not Defined", "fixedIn": [ "8.3.0-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "curl/libcurl@8.2.1-r0" ], "id": "SNYK-ALPINE318-CURL-5914628", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38039" ], "CWE": [ "CWE-770" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-22T03:06:12.046959Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.3.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-09-22T03:06:12.022211Z", "references": [ { "title": "https://hackerone.com/reports/2072338", "url": "https://hackerone.com/reports/2072338" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<8.3.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [ false, "curl/libcurl@8.3.0-r0" ], "version": "8.2.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-22T03:06:12.046945Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", 
"cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-09-21T01:10:49.366299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nWhen curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.3.0-r0 or higher.\n## References\n- [support@hackerone.com](https://hackerone.com/reports/2072338)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/)\n", "disclosureTime": "2023-09-15T04:15:10.127000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add git jq", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.14181", "probability": "0.00046" }, "exploit": "Not Defined", "fixedIn": [ "8.3.0-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "git/git@2.40.1-r0", "curl/libcurl@8.2.1-r0" ], "id": "SNYK-ALPINE318-CURL-5914628", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38039" ], "CWE": [ "CWE-770" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-09-22T03:06:12.046959Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.3.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": 
"2023-09-22T03:06:12.022211Z", "references": [ { "title": "https://hackerone.com/reports/2072338", "url": "https://hackerone.com/reports/2072338" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<8.3.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "8.2.1-r0" } ] }, "created_at": 1695817523.5985677, "has_audit_package": true } }, "git_commit_info": { "sha1": "707759b47c210fc774ea212194419b00668305e7", "message": "Upgrade base image, add snyk-scan and report to Kosli", "author": "JonJagger <jon@kosli.com>", "timestamp": 1694859113, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/saver", "template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1695817523.5985677, "deployments": [ 161, 160 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/saver-archived-at-1707630914/artifacts/b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/saver-archived-at-1707630914/fingerprint/b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc" }
Artifact Information |
|
Name | cyberdojo/saver:707759b |
Fingerprint | b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc |
Git commit |
707759b
JonJagger <jon@kosli.com> (main)
1694859113.0 • 8 months ago
Upgrade base image, add snyk-scan and report to Kosli
|
CI Build | https://github.com/cyber-dojo/saver/actions/runs/6206737598 |
Running | - |
Exited | aws-beta#1798 aws-prod#1067 |
Last modified | 1695817523.5985677 • 7 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/saver/actions/runs/6206737598", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 2, "missed": 0, "total": 2 }, "lines": { "covered": 127, "missed": 0, "total": 127 } }, "test": { "branches": { "covered": 2, "missed": 0, "total": 2 }, "lines": { "covered": 593, "missed": 0, "total": 593 } } }, "timestamp": 1694859375 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 137, "missed": 2, "total": 139 }, "lines": { "covered": 1233, "missed": 10, "total": 1243 } }, "test": { "branches": { "covered": 12, "missed": 0, "total": 12 }, "lines": { "covered": 1756, "missed": 0, "total": 1756 } } }, "timestamp": 1694859371 } }, "created_at": 1694859376.9926128, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/saver/actions/runs/6206737598", "evidence_archive_fingerprint": "01b71731f319632092dc61b7286bf9b87e5af709f1ac47a85f5425d18a666153", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": 
"high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-PROCPSNG-5877704:\n - '*':\n reason: Wait for fix in base image\n expires: 2023-10-16T04:33:51.513Z\n created: 2023-09-16T04:33:51.517Z\n source: cli\npatch: {}\n", "projectName": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc:/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 84, "docker": { "baseImage": "ruby:3.2.2-alpine3.18", "baseImageRemediation": { "advice": [ { "message": "Base Image Vulnerabilities Severity\nruby:3.2.2-alpine3.18 1 0 critical, 0 high, 1 medium, 0 low\n" }, { "bold": true, "message": "Recommendations for base image upgrade:\n" }, { "bold": true, "message": "Alternative image types" }, { "message": "Base Image Vulnerabilities Severity\nruby:3.3.0-preview2-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\nruby:3.3.0-preview1-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\nruby:3.2.2-slim-bullseye 58 0 critical, 0 high, 0 medium, 58 low\n" } ], "code": "REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": 
[ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "procps-ng/procps-ng@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, 
"insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/procps-ng", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [ false, "procps-ng/procps-ng@4.0.4-r0" ], "version": "4.0.3-r1" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this 
weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "procps-ng/libproc2@4.0.3-r1", "procps-ng/procps-ng@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/procps-ng", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": 
"Out-of-bounds Write", "upgradePath": [], "version": "4.0.3-r1" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-01T03:27:33.791819Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-08-08T01:10:53.366184Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-09T13:42:28.491986Z", "severity": "low" }, { "assigner": "SUSE", "cvssV3BaseScore": 2.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2023-08-30T23:03:26.681718Z", "severity": "low" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `procps-ng` package and not the `procps-ng` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nUnder some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.\n## Remediation\nUpgrade `Alpine:3.18` `procps-ng` to version 4.0.4-r0 or higher.\n## References\n- [trellixpsirt@trellix.com](https://gitlab.com/procps-ng/procps)\n- [trellixpsirt@trellix.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/)\n", "disclosureTime": "2023-08-02T05:15:09.850000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06936", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-09-16T04:33:51.517Z", "expires": "2023-10-16T04:33:51.513Z", "path": [ "*" ], "reason": "Wait for fix in base image", "source": "cli" } ] }, "fixedIn": [ "4.0.4-r0" ], "from": [ 
"docker-image|cyberdojo/saver@*", "procps-ng/libproc2@4.0.3-r1" ], "id": "SNYK-ALPINE318-PROCPSNG-5877704", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-4016" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-01T03:27:33.791830Z", "name": "procps-ng/libproc2", "nearestFixedInVersion": "4.0.4-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.18", "packageName": "procps-ng", "patches": [], "publicationTime": "2023-09-01T03:27:33.761611Z", "references": [ { "title": "trellixpsirt@trellix.com", "url": "https://gitlab.com/procps-ng/procps" }, { "title": "trellixpsirt@trellix.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<4.0.4-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [ false, "procps-ng/libproc2@4.0.4-r0" ], "version": "4.0.3-r1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { 
"instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/saver@sha256:b84ae3f272f4871f8cc657316aee8c4429c7464d0da4d3a0c7f5d27d53fe04dc/saver", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-ALPINE318-PROCPSNG-5877704:\n - '*':\n reason: Wait for fix in base image\n expires: 2023-10-16T04:33:51.513Z\n created: 2023-09-16T04:33:51.517Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/saver", "summary": "5 vulnerable dependency paths", "uniqueCount": 1, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-22T03:06:12.046945Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-09-21T01:10:49.366299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by 
`Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nWhen curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.3.0-r0 or higher.\n## References\n- [support@hackerone.com](https://hackerone.com/reports/2072338)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/)\n", "disclosureTime": "2023-09-15T04:15:10.127000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add git jq", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.14181", "probability": "0.00046" }, "exploit": "Not Defined", "fixedIn": [ "8.3.0-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "curl/libcurl@8.2.1-r0" ], "id": "SNYK-ALPINE318-CURL-5914628", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38039" ], "CWE": [ "CWE-770" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2023-09-22T03:06:12.046959Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.3.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-09-22T03:06:12.022211Z", "references": [ { "title": "https://hackerone.com/reports/2072338", "url": "https://hackerone.com/reports/2072338" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<8.3.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [ false, "curl/libcurl@8.3.0-r0" ], "version": "8.2.1-r0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-09-22T03:06:12.046945Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-09-21T01:10:49.366299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.18` relevant fixed versions and status._\n\nWhen curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.\n## Remediation\nUpgrade `Alpine:3.18` `curl` to version 8.3.0-r0 or higher.\n## References\n- [support@hackerone.com](https://hackerone.com/reports/2072338)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/)\n", "disclosureTime": "2023-09-15T04:15:10.127000Z", "dockerBaseImage": "ruby:3.2.2-alpine3.18", "dockerfileInstruction": "apk add git jq", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.14181", "probability": "0.00046" }, "exploit": "Not Defined", "fixedIn": 
[ "8.3.0-r0" ], "from": [ "docker-image|cyberdojo/saver@*", "git/git@2.40.1-r0", "curl/libcurl@8.2.1-r0" ], "id": "SNYK-ALPINE318-CURL-5914628", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-38039" ], "CWE": [ "CWE-770" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-09-22T03:06:12.046959Z", "name": "curl/libcurl", "nearestFixedInVersion": "8.3.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.18", "packageName": "curl", "patches": [], "publicationTime": "2023-09-22T03:06:12.022211Z", "references": [ { "title": "https://hackerone.com/reports/2072338", "url": "https://hackerone.com/reports/2072338" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<8.3.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "8.2.1-r0" } ] }, "created_at": 1695817523.5985677, "has_audit_package": true }