From 20b3566afa1304178275d746e664d5fcb48385a3 Mon Sep 17 00:00:00 2001 From: senglezou Date: Thu, 11 Sep 2025 17:42:37 +0100 Subject: [PATCH] construct uniform paths from existing supported sarif tools path is of the form "file://" --- sarif/sarif.go | 117 +++++- sarif/sarif_test.go | 521 +++++++++++++++++++++++++- sarif/testdata/osv-scanner.sarif.json | 71 +--- 3 files changed, 628 insertions(+), 81 deletions(-) diff --git a/sarif/sarif.go b/sarif/sarif.go index 92aedc5..4694a3d 100644 --- a/sarif/sarif.go +++ b/sarif/sarif.go @@ -32,6 +32,10 @@ type SarifTransformer struct { ruleToEcosystem map[string]string richDescription bool dataSource *ocsffindinginfo.DataSource + + // the root path to which all file paths should be relative to, will be ultimately removed from findings, + // this is used to handle CI/CD cases where findings have absolute path to the filesystem as opposed to project root. + workspacePath string } var typeName = map[int64]string{ @@ -76,6 +80,7 @@ func NewTransformer( guidProvider StableUUIDProvider, richDescription bool, dataSource *ocsffindinginfo.DataSource, + workspacePath string, ) (*SarifTransformer, error) { if scanResult == nil { return nil, errors.Errorf("method 'NewTransformer called with nil scanResult") @@ -97,6 +102,11 @@ func NewTransformer( return nil, errors.Errorf("invalid data source provider: %w", err) } + cleanedWorkspacePath := filepath.Clean(workspacePath) + if !filepath.IsAbs(cleanedWorkspacePath) { + return nil, errors.Errorf("workspace path must be an absolute path") + } + return &SarifTransformer{ clock: clock, sarifResult: *scanResult, @@ -106,6 +116,7 @@ func NewTransformer( taxasByCWEID: make(map[string]sarif.ReportingDescriptor), richDescription: richDescription, dataSource: dataSource, + workspacePath: cleanedWorkspacePath, }, nil } 
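Review bot: `filepath.Clean("")` yields `.`, so an unset workspacePath is rejected by the new absolute-path check in NewTransformer, which makes the `s.workspacePath == ""` fallbacks this patch adds to relativePath and normalisePath unreachable; either document that the workspace is mandatory and drop those branches, or accept the empty string here as "no rebasing". Including the offending value in the error, `errors.Errorf("workspace path %q must be absolute", workspacePath)`, makes a misconfigured runner easier to diagnose. The new constructor parameter has no doc comment; on NewTransformer add `// workspacePath is the absolute directory that absolute artifact URIs are rebased against; it is cleaned, so a trailing separator is dropped.` The struct-field comment in the first hunk carries the same intent and would read better as `// workspacePath is the absolute root that result paths are made relative to; CI runners often report absolute filesystem paths instead of project-relative ones.`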
@@ -161,7 +172,10 @@ func (s *SarifTransformer) transformToOCSF( res *sarif.Result, ) (*ocsf.VulnerabilityFinding, error) { slog.Debug("parsing run from", slog.String("toolname", toolName)) - affectedCode, affectedPackages := s.mapAffected(res) + affectedCode, affectedPackages, err := s.mapAffected(res) + if err != nil { + return nil, errors.Errorf("could not map affected code/packages: %w", err) + } var ( ruleID *string 
@@ -346,6 +360,75 @@ func (s *SarifTransformer) isSnykURI(uri string) bool { return strings.HasPrefix(uri, "https_//") } +func (s *SarifTransformer) relativePath(path string) (string, error) { + if s.workspacePath == "" { + return path, nil + } + + if !strings.HasPrefix(path, s.workspacePath) { + return "", errors.Errorf( + "%s: result is not inside expected directory: %s", + path, + s.workspacePath, + ) + } + + relativePath, err := filepath.Rel(s.workspacePath, path) + if err != nil { + return "", errors.Errorf( + "could not get relative path from path %s using prefix %q", + path, + s.workspacePath, + ) + } + + return relativePath, nil +} + +// normalisePath will take a given path and construct a file url pointing to +// the file relative to the workspacePath +func (s *SarifTransformer) normalisePath( + path string, + uriBaseId *string, +) (*ocsf.File, error) { + parsedPath, err := url.Parse(path) + if err != nil { + return nil, errors.Errorf("%s: could not parse path: %w", path, err) + } + + cleanedPath := filepath.Clean( + filepath.Join(parsedPath.Host, parsedPath.Path), + ) + + if uriBaseId != nil { + slog.Info("path has a non-nil uriBaseId", slog.String("uri_base_id", *uriBaseId)) + } + + switch { + case uriBaseId != nil && strings.ToLower(*uriBaseId) == "%srcroot%" && filepath.IsAbs(cleanedPath): + // this should be a relative path and it's not, so we should return an error + return nil, errors.Errorf("%s: path was expected to be relative but it's absolute", cleanedPath) + case s.workspacePath != "" && filepath.IsAbs(cleanedPath): + relativePath, err := s.relativePath(cleanedPath) + if err != nil { + return nil, err + } + + cleanedPath = relativePath + } + + // validate that we created a URL correctly + finalPath := "file://" + cleanedPath + if _, err := url.Parse(finalPath); err != nil { + return nil, errors.Errorf("could not parse final path %s as url: %w", finalPath, err) + } + + return &ocsf.File{ + Name: cleanedPath, + Path: utils.Ptr(finalPath), + }, 
nil +} + func (s *SarifTransformer) mapAffectedPackage(fixes []sarif.Fix, purl packageurl.PackageURL) *ocsf.AffectedPackage { affectedPackage := &ocsf.AffectedPackage{ Purl: utils.Ptr(purl.String()), @@ -440,11 +523,11 @@ func (s *SarifTransformer) rulesToEcosystem() map[string]string { return result } -func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, []*ocsf.AffectedPackage) { +func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, []*ocsf.AffectedPackage, error) { var affectedCode []*ocsf.AffectedCode var affectedPackages []*ocsf.AffectedPackage if s.dataSource.TargetType == ocsffindinginfo.DataSource_TARGET_TYPE_WEBSITE { // websites do not carry code or package info - return nil, nil + return nil, nil, nil } for _, location := range res.Locations { @@ -469,15 +552,21 @@ func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, } if physicalLocation.ArtifactLocation != nil && physicalLocation.ArtifactLocation.Uri != nil { + uri := *location.PhysicalLocation.ArtifactLocation.Uri if p := s.detectPackageFromPhysicalLocation(*physicalLocation, pkgType); p != nil { affectedPackages = append(affectedPackages, s.mapAffectedPackage(res.Fixes, *p)) - } else if !s.isSnykURI(*location.PhysicalLocation.ArtifactLocation.Uri) { // Snyk special case, they use the repo url with some weird replacement as the artifact location + } else if !s.isSnykURI(uri) { + finalFile, err := s.normalisePath( + uri, + location.PhysicalLocation.ArtifactLocation.UriBaseId, + ) + if err != nil { + return nil, nil, errors.Errorf("could not construct path for affected code: %w", err) + } + ac := &ocsf.AffectedCode{ - File: &ocsf.File{ - Name: *location.PhysicalLocation.ArtifactLocation.Uri, - Path: utils.Ptr(fmt.Sprintf("file://%s", *location.PhysicalLocation.ArtifactLocation.Uri)), - }, + File: finalFile, } if physicalLocation.Region != nil { 
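Review bot: In relativePath the `strings.HasPrefix(path, s.workspacePath)` guard is a bare string prefix, so once `filepath.Clean` has stripped the trailing slash a sibling directory such as `<workspace>-other/file` passes the check and `filepath.Rel` then returns a `../...` path that escapes the workspace while the "not inside expected directory" error is never raised. Use the `filepath.Rel` result itself as the containment test and reject anything that starts with `..`; the same guard belongs on the relative `cleanedPath` in normalisePath, because the `%srcroot%` case only rejects absolute paths and lets a leading `..` through to the `file://` URL. The `filepath.Rel` error is also dropped rather than wrapped with `%w`, and the `slog.Info` emitted for every location that carries a uriBaseId would be better at Debug level. The `s.workspacePath == ""` branch is unreachable while NewTransformer rejects non-absolute workspace paths.
```go
func (s *SarifTransformer) relativePath(path string) (string, error) {
	if s.workspacePath == "" {
		return path, nil
	}

	relativePath, err := filepath.Rel(s.workspacePath, path)
	if err != nil {
		return "", errors.Errorf(
			"could not get relative path from path %s using prefix %q: %w",
			path,
			s.workspacePath,
			err,
		)
	}

	// Rel yields a leading ".." for anything outside the workspace, including a
	// sibling directory that merely shares the workspace string as a prefix.
	if escapesRoot(relativePath) {
		return "", errors.Errorf(
			"%s: result is not inside expected directory: %s",
			path,
			s.workspacePath,
		)
	}

	return relativePath, nil
}

// escapesRoot reports whether a cleaned relative path climbs above its root.
func escapesRoot(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// … unchanged: normalisePath up to the switch …
	switch {
	// … unchanged: %srcroot% absolute-path case …
	case !filepath.IsAbs(cleanedPath) && escapesRoot(cleanedPath):
		return nil, errors.Errorf("%s: relative path climbs out of the source root", cleanedPath)
	// … unchanged: absolute-path case and the rest of normalisePath …
```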
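Review bot: The new `uri := *location.PhysicalLocation.ArtifactLocation.Uri` dereferences through `location.PhysicalLocation` while the nil checks on the line above are on `physicalLocation`; if those are the same object (the surrounding code suggests so, but the binding is outside the hunk) read it as `uri := *physicalLocation.ArtifactLocation.Uri` so the guard and the dereference visibly agree. Note also that an error from normalisePath now aborts mapAffected, and through transformToOCSF the whole finding, on the first location that cannot be normalised; if one malformed artifact URI in a multi-location result should not discard the finding, skipping that location with a logged warning is the safer degradation. mapAffected continues outside the hunk.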
@@ -500,7 +589,7 @@ func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, } } - return affectedCode, affectedPackages + return affectedCode, affectedPackages, nil } func (s *SarifTransformer) mapSeverity(sarifResLevel sarif.ResultLevel) ocsf.VulnerabilityFinding_SeverityId { @@ -648,9 +737,17 @@ func (s *SarifTransformer) mergeDataSources( if s.isSnykURI(*location.PhysicalLocation.ArtifactLocation.Uri) { dataSource.Uri = nil } else { + finalPath, err := s.normalisePath( + *location.PhysicalLocation.ArtifactLocation.Uri, + location.PhysicalLocation.ArtifactLocation.UriBaseId, + ) + if err != nil { + return nil, errors.Errorf("could not construct path for repository data source: %w", err) + } + dataSource.Uri = &ocsffindinginfo.DataSource_URI{ UriSchema: ocsffindinginfo.DataSource_URI_SCHEMA_FILE, - Path: "file://" + filepath.Clean(*location.PhysicalLocation.ArtifactLocation.Uri), + Path: *finalPath.Path, } } diff --git a/sarif/sarif_test.go b/sarif/sarif_test.go index b9c5a15..84c45fb 100644 --- a/sarif/sarif_test.go +++ b/sarif/sarif_test.go @@ -4,6 +4,7 @@ import ( "context" _ "embed" "encoding/json" + "net/url" "os" "testing" "time" @@ -12,6 +13,7 @@ import ( ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1" ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/types/known/timestamppb" @@ -490,7 +492,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "", clock, nil, true, datasource, + &sarifOutput, "", clock, nil, true, datasource, "/source-code/workspace/", ) require.NoError(t, err) actualIssues, err := transformer.ToOCSF(context.Background()) 
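Review bot: `Path: *finalPath.Path` in mergeDataSources dereferences a `*string` that is only non-nil because normalisePath happens to populate it with `utils.Ptr`; a later change to normalisePath would turn this into a nil-pointer panic with no compile-time signal. Either have normalisePath return the URL string and build the `ocsf.File` at the call site in mapAffected, or guard here with `if finalPath == nil || finalPath.Path == nil { return nil, errors.Errorf("%s: normalised path is empty", *location.PhysicalLocation.ArtifactLocation.Uri) }`. The same artifact URI appears to be normalised a second time for the affected-code entry, so a single string-returning helper would also remove that duplication. mergeDataSources starts and ends outside the hunk.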
@@ -759,7 +761,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "npm", clock, nil, true, dataSource, + &sarifOutput, "npm", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) actualIssues, err := transformer.ToOCSF(context.Background()) @@ -1060,7 +1062,7 @@ func Test_ParseOut(t *testing.T) { } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "", clock, nil, true, dataSource, + &sarifOutput, "", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) @@ -1367,7 +1369,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "", clock, nil, true, dataSource, + &sarifOutput, "", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) actualIssues, err := transformer.ToOCSF(context.Background()) @@ -1570,7 +1572,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "docker", clock, nil, true, dataSource, + &sarifOutput, "docker", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) actualIssues, err := transformer.ToOCSF(context.Background()) @@ -1912,7 +1914,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "", clock, nil, true, dataSource, + &sarifOutput, "", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) @@ -2177,7 +2179,7 @@ func Test_ParseOut(t *testing.T) { }, } transformer, err := sariftransformer.NewTransformer( - &sarifOutput, "", clock, nil, true, dataSource, + &sarifOutput, "", clock, nil, true, dataSource, "/source-code/workspace/", ) require.NoError(t, err) actualIssues, err := transformer.ToOCSF(context.Background()) 
@@ -2198,9 +2200,302 @@ func Test_ParseOut(t *testing.T) { actualIssues[i].FindingInfo.DataSources = nil } + require.EqualExportedValues(t, expectedIssues, actualIssues) + }) + t.Run("osv-scanner testcase", func(t *testing.T) { + exampleOutput, err := os.ReadFile("./testdata/osv-scanner.sarif.json") + require.NoError(t, err) + + var sarifOutput sarif.SchemaJson + require.NoError(t, json.Unmarshal(exampleOutput, &sarifOutput)) + marshalledDataSources := []string{} + + // datasource 0 + datasource := &ocsffindinginfo.DataSource{ + TargetType: ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY, + Uri: &ocsffindinginfo.DataSource_URI{ + UriSchema: ocsffindinginfo.DataSource_URI_SCHEMA_FILE, + Path: "file://requirements.txt", + }, + SourceCodeMetadata: &ocsffindinginfo.DataSource_SourceCodeMetadata{ + RepositoryUrl: "github.com/foo/bar", + Reference: "main", + }, + } + marshalledDataSource, err := protojson.Marshal(datasource) + require.NoError(t, err) + + marshalledDataSources = append(marshalledDataSources, string(marshalledDataSource)) + + // datasource 1 + datasource.Uri.Path = "file://requirements.txt" + marshalledDataSource, err = protojson.Marshal(datasource) + marshalledDataSources = append(marshalledDataSources, string(marshalledDataSource)) + require.NoError(t, err) + + // datasource 2 + datasource.Uri.Path = "file://requirements.txt" + marshalledDataSource, err = protojson.Marshal(datasource) + marshalledDataSources = append(marshalledDataSources, string(marshalledDataSource)) + require.NoError(t, err) + + // reset for the test + datasource.LocationData = nil + clock := clockwork.NewFakeClockAt(staticNow) + now := staticNow + expectedIssues := []*ocsf.VulnerabilityFinding{ + { + ActivityId: ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE, + ActivityName: utils.Ptr("ACTIVITY_ID_CREATE"), + CategoryName: utils.Ptr("CATEGORY_UID_FINDINGS"), + CategoryUid: ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS, + ClassName: utils.Ptr("CLASS_UID_VULNERABILITY_FINDING"), + 
ClassUid: ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING, + Confidence: utils.Ptr("CONFIDENCE_ID_UNKNOWN"), + ConfidenceId: utils.Ptr(ocsf.VulnerabilityFinding_CONFIDENCE_ID_UNKNOWN), + Count: utils.Ptr(int32(1)), + FindingInfo: &ocsf.FindingInfo{ + CreatedTime: utils.Ptr(now.Unix()), + CreatedTimeDt: timestamppb.New(now), + DataSources: []string{string(marshalledDataSources[0])}, + Desc: utils.Ptr("PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n Help: **Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + ModifiedTime: utils.Ptr(now.Unix()), + ModifiedTimeDt: timestamppb.New(now), + ProductUid: utils.Ptr("osv-scanner"), + Uid: "CVE-2019-20477", + Title: "CVE-2019-20477: Deserialization of Untrusted Data in PyYAML", + }, + Message: utils.Ptr("PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. 
NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n Help: **Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + Metadata: &ocsf.Metadata{ + EventCode: utils.Ptr("CVE-2019-20477"), + Product: &ocsf.Product{ + Name: utils.Ptr("osv-scanner"), + }, + Uid: utils.Ptr("e59cb884-75c6-5795-8e6e-55b398625dca"), + }, + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM, + StartTime: utils.Ptr(now.Unix()), + StatusId: utils.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW), + Status: utils.Ptr("STATUS_ID_NEW"), + Time: now.Unix(), + TimeDt: timestamppb.New(now), + TypeName: utils.Ptr("Create"), + TypeUid: int64(200201), + Vulnerabilities: []*ocsf.Vulnerability{ + { + AffectedCode: []*ocsf.AffectedCode{ + { + File: &ocsf.File{ + Name: "requirements.txt", + Path: utils.Ptr("file://requirements.txt"), + }, + }, + }, + Cve: &ocsf.Cve{ + Desc: utils.Ptr("PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a 
class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342."), + Uid: "CVE-2019-20477", + }, + Desc: utils.Ptr("PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n Help: **Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + FixAvailable: utils.Ptr(false), + IsFixAvailable: utils.Ptr(false), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + Title: utils.Ptr("CVE-2019-20477: Deserialization of Untrusted Data in PyYAML"), + VendorName: utils.Ptr("osv-scanner"), + }, + }, + }, + { + ActivityId: ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE, + ActivityName: utils.Ptr("ACTIVITY_ID_CREATE"), + CategoryName: utils.Ptr("CATEGORY_UID_FINDINGS"), + CategoryUid: ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS, + ClassName: utils.Ptr("CLASS_UID_VULNERABILITY_FINDING"), + ClassUid: ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING, + Confidence: utils.Ptr("CONFIDENCE_ID_UNKNOWN"), + ConfidenceId: utils.Ptr(ocsf.VulnerabilityFinding_CONFIDENCE_ID_UNKNOWN), + Count: utils.Ptr(int32(1)), + 
FindingInfo: &ocsf.FindingInfo{ + CreatedTime: utils.Ptr(now.Unix()), + CreatedTimeDt: timestamppb.New(now), + DataSources: []string{string(marshalledDataSources[1])}, + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n Help: **Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + ModifiedTime: utils.Ptr(now.Unix()), + ModifiedTimeDt: timestamppb.New(now), + ProductUid: utils.Ptr("osv-scanner"), + Uid: "CVE-2020-1747", + Title: "CVE-2020-1747: Improper Input Validation in PyYAML", + }, + Message: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n Help: **Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + Metadata: &ocsf.Metadata{ + EventCode: utils.Ptr("CVE-2020-1747"), + Product: &ocsf.Product{ + Name: utils.Ptr("osv-scanner"), + }, + Uid: utils.Ptr("100b0df7-55da-5ebf-8bff-ada3115650a2"), + }, + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM, + StartTime: utils.Ptr(now.Unix()), + StatusId: utils.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW), + Status: utils.Ptr("STATUS_ID_NEW"), + Time: now.Unix(), + TimeDt: timestamppb.New(now), + TypeName: utils.Ptr("Create"), + TypeUid: int64(200201), + Vulnerabilities: []*ocsf.Vulnerability{ + { + AffectedCode: []*ocsf.AffectedCode{ + { + File: &ocsf.File{ + Name: "requirements.txt", + Path: utils.Ptr("file://requirements.txt"), + }, + }, + }, + Cve: &ocsf.Cve{ + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes 
untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."), + Uid: "CVE-2020-1747", + }, + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n Help: **Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + FixAvailable: utils.Ptr(false), + IsFixAvailable: utils.Ptr(false), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + Title: utils.Ptr("CVE-2020-1747: Improper Input Validation in PyYAML"), + VendorName: utils.Ptr("osv-scanner"), + }, + }, + }, + { + ActivityId: ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE, + ActivityName: utils.Ptr("ACTIVITY_ID_CREATE"), + CategoryName: utils.Ptr("CATEGORY_UID_FINDINGS"), + CategoryUid: ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS, + ClassName: utils.Ptr("CLASS_UID_VULNERABILITY_FINDING"), + ClassUid: ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING, + Confidence: utils.Ptr("CONFIDENCE_ID_UNKNOWN"), + ConfidenceId: utils.Ptr(ocsf.VulnerabilityFinding_CONFIDENCE_ID_UNKNOWN), + Count: utils.Ptr(int32(1)), + FindingInfo: 
&ocsf.FindingInfo{ + CreatedTime: utils.Ptr(now.Unix()), + CreatedTimeDt: timestamppb.New(now), + DataSources: []string{string(marshalledDataSources[2])}, + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n Help: **Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + ModifiedTime: utils.Ptr(now.Unix()), + ModifiedTimeDt: timestamppb.New(now), + ProductUid: utils.Ptr("osv-scanner"), + Uid: "CVE-2020-14343", + Title: "CVE-2020-14343: Improper Input Validation in PyYAML", + }, + Message: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. 
This flaw is due to an incomplete fix for CVE-2020-1747.\n\n Help: **Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + Metadata: &ocsf.Metadata{ + EventCode: utils.Ptr("CVE-2020-14343"), + Product: &ocsf.Product{ + Name: utils.Ptr("osv-scanner"), + }, + Uid: utils.Ptr("10f342c1-d006-594a-823d-9c52e8b2771a"), + }, + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM, + StartTime: utils.Ptr(now.Unix()), + StatusId: utils.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW), + Status: utils.Ptr("STATUS_ID_NEW"), + Time: now.Unix(), + TimeDt: timestamppb.New(now), + TypeName: utils.Ptr("Create"), + TypeUid: int64(200201), + Vulnerabilities: []*ocsf.Vulnerability{ + { + AffectedCode: []*ocsf.AffectedCode{ + { + File: &ocsf.File{ + Name: "requirements.txt", + Path: utils.Ptr("file://requirements.txt"), + }, + }, + }, + Cve: &ocsf.Cve{ + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes 
untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."), + Uid: "CVE-2020-14343", + }, + AffectedPackages: nil, + Desc: utils.Ptr("A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n Help: **Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"), + FirstSeenTime: utils.Ptr(now.Unix()), + FirstSeenTimeDt: timestamppb.New(now), + FixAvailable: utils.Ptr(false), + IsFixAvailable: utils.Ptr(false), + LastSeenTime: utils.Ptr(now.Unix()), + LastSeenTimeDt: timestamppb.New(now), + Severity: utils.Ptr("SEVERITY_ID_MEDIUM"), + Title: utils.Ptr("CVE-2020-14343: Improper Input Validation in PyYAML"), + VendorName: utils.Ptr("osv-scanner"), + }, + }, + }, + } + transformer, err := sariftransformer.NewTransformer( + &sarifOutput, "", clock, nil, true, datasource, "/workspace/source-code/", + ) + require.NoError(t, err) + actualIssues, err := transformer.ToOCSF(context.Background()) + + require.NoError(t, err) + require.Equal(t, len(actualIssues), len(expectedIssues)) + // handle datasource differently see https://github.com/golang/protobuf/issues/1121 + for i, e := range expectedIssues { + var expectedDataSource, actualDatasource ocsffindinginfo.DataSource + require.Equal(t, 
len(e.FindingInfo.DataSources), len(actualIssues[i].FindingInfo.DataSources)) + + for j, d := range e.GetFindingInfo().DataSources { + require.NoError(t, + protojson.Unmarshal( + []byte(d), + &expectedDataSource, + ), + ) + + require.NoError(t, + protojson.Unmarshal( + []byte(actualIssues[i].FindingInfo.DataSources[j]), + &actualDatasource, + ), + ) + + require.EqualExportedValuesf(t, + &expectedDataSource, + &actualDatasource, + "datasource for finding index %d is not equal", i, + ) + } + + expectedIssues[i].FindingInfo.DataSources = nil + actualIssues[i].FindingInfo.DataSources = nil + } + require.EqualExportedValues(t, expectedIssues, actualIssues) }) } + func Test_MergeDataSources_EcosystemFallback(t *testing.T) { // Edge case: SARIF finding for container image, no ecosystem in SARIF, should fallback to datasource's OCI metadata PURL sarifResult := sarif.SchemaJson{ @@ -2233,7 +2528,7 @@ func Test_MergeDataSources_EcosystemFallback(t *testing.T) { Tag: "v1.2.3", }, } - transformer, err := sariftransformer.NewTransformer(&sarifResult, "", clockwork.NewFakeClock(), nil, false, dataSource) + transformer, err := sariftransformer.NewTransformer(&sarifResult, "", clockwork.NewFakeClock(), nil, false, dataSource, "/source-code/workspace/") require.NoError(t, err) issues, err := transformer.ToOCSF(context.Background()) require.NoError(t, err) 
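Review bot: The workspace root passed on the changed line, `"/source-code/workspace/"`, is the reverse of the `"/workspace/source-code/"` used by the other new tests in this file; presumably harmless because this fixture's locations are not absolute, but a package-level constant for the test workspace root would keep the two spellings from drifting and make a later fixture change with absolute URIs fail for an obvious reason. Test_MergeDataSources_EcosystemFallback's body starts and ends outside the hunk.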
@@ -2287,10 +2582,216 @@ func Test_MergeDataSources_MissingMetadataError(t *testing.T) { nil, false, dataSource, + "/source-code/workspace/", ) require.NoError(t, err) _, err = transformer.ToOCSF(context.Background()) - require.Error(t, err) - require.Contains(t, err.Error(), "could not parse pURL based on the artifact location URI and no datasource provided") + require.ErrorIs(t, err, url.EscapeError("%PK")) +} + +func TestNormaliseResultPath(t *testing.T) { + t.Run("normalise correct paths", func(t *testing.T) { + // Edge case: SARIF finding for container image, no ecosystem, no OCI metadata, should error + sarifResult := sarif.SchemaJson{ + Runs: []sarif.Run{ + { + Results: []sarif.Result{ + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse an absolute path with no hint"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("/workspace/source-code/main.go"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse an absolute path that requires cleaning"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("/workspace/source-code/pkg/../main.go"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse an absolute path with a protocol prefix"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("file:///workspace/source-code/main.go"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse an absolute path with a protocol prefix"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: 
&sarif.ArtifactLocation{ + Uri: utils.Ptr("file:///workspace/source-code/main.go"), + UriBaseId: utils.Ptr("ROOTPATH"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse relative path without a hint"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("main.go"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse relative path with hint"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("main.go"), + UriBaseId: utils.Ptr("%SRCROOT%"), + }, + }, + }, + }, + }, + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse a relative path that requires cleaning"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("./main.go"), + }, + }, + }, + }, + }, + }, + }, + }, + } + + // Instead of calling mergeDataSources directly, use the public ToOCSF method + dataSource := &ocsffindinginfo.DataSource{ + TargetType: ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY, + SourceCodeMetadata: &ocsffindinginfo.DataSource_SourceCodeMetadata{}, + } + + transformer, err := sariftransformer.NewTransformer( + &sarifResult, + "", + clockwork.NewFakeClock(), + nil, + false, + dataSource, + "/workspace/source-code/", + ) + require.NoError(t, err) + + results, err := transformer.ToOCSF(context.Background()) + require.NoError(t, err) + + for index, result := range results { + dataSource := ocsffindinginfo.DataSource{} + + require.NoError(t, + protojson.Unmarshal( + []byte(result.GetFindingInfo().DataSources[0]), + &dataSource, + ), + ) + + assert.Equalf(t, + "file://main.go", + dataSource.Uri.Path, + "data source location is not the 
expected one for result %d", index, + ) + } + }) + + t.Run("absolute path without hint outside of expected directory returns error", func(t *testing.T) { + // Edge case: SARIF finding for container image, no ecosystem, no OCI metadata, should error + sarifResult := sarif.SchemaJson{ + Runs: []sarif.Run{ + { + Results: []sarif.Result{ + { + RuleId: utils.Ptr("CVE-2020-36048"), + Message: sarif.Message{ + Text: utils.Ptr("Parse an absolute path with no hint"), + }, + Locations: []sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + Uri: utils.Ptr("/workspace/scratch/main.go"), + }, + }, + }, + }, + }, + }, + }, + }, + } + + // Instead of calling mergeDataSources directly, use the public ToOCSF method + dataSource := &ocsffindinginfo.DataSource{ + TargetType: ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY, + SourceCodeMetadata: &ocsffindinginfo.DataSource_SourceCodeMetadata{}, + } + + transformer, err := sariftransformer.NewTransformer( + &sarifResult, + "", + clockwork.NewFakeClock(), + nil, + false, + dataSource, + "/workspace/source-code/", + ) + require.NoError(t, err) + + _, err = transformer.ToOCSF(context.Background()) + require.Error(t, err) + }) + } diff --git a/sarif/testdata/osv-scanner.sarif.json b/sarif/testdata/osv-scanner.sarif.json index 00499b0..3ab0b72 100644 --- a/sarif/testdata/osv-scanner.sarif.json +++ b/sarif/testdata/osv-scanner.sarif.json @@ -24,8 +24,8 @@ "GHSA-3pqx-4fqf-j49f" ], "help": { - "text": "**Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
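Review bot: The rewritten assertion in Test_MergeDataSources_MissingMetadataError, `require.ErrorIs(t, err, url.EscapeError("%PK"))`, appears to pass because URI parsing fails before the missing-metadata branch is reached, so the case the test is named for (no ecosystem, no OCI metadata) is no longer what is being checked; either give the fixture a parseable URI and keep an assertion on the metadata error, or rename the test to match what it now verifies (its body starts above the hunk). In TestNormaliseResultPath the only rejection case is an absolute path outside the workspace; a relative URI that climbs out of the root (for example `Uri: utils.Ptr("../outside/main.go")`) is not covered, and the second subtest's bare `require.Error(t, err)` would also pass on any unrelated failure, so asserting the specific error there would make the rejection meaningful. The comment `// Edge case: SARIF finding for container image, no ecosystem, no OCI metadata, should error` is copied into both subtests and describes neither; replace them with `// every URI form below should normalise to the same workspace-relative path` and `// an absolute path outside the workspace root must be rejected`, and drop the two `// Instead of calling mergeDataSources directly ...` lines, which refer to a different test. The loop's `dataSource.Uri.Path` panics rather than fails when Uri is nil; `dataSource.GetUri().GetPath()` yields a clean assertion failure instead.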
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [CVE-2019-20477](https://osv.dev/list?q=CVE-2019-20477)**\n(Also published as: [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176), [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f), ).\n\n## [PYSEC-2020-176](https://osv.dev/vulnerability/PYSEC-2020-176)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n## [GHSA-3pqx-4fqf-j49f](https://osv.dev/vulnerability/GHSA-3pqx-4fqf-j49f)\n\n
\nDetails\n\n> PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3pqx-4fqf-j49f | pyyaml | 5.2 |\n| PYSEC-2020-176 | pyyaml | 5.2b1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-20477\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "properties": { "security-severity": "9.8" @@ -47,8 +47,8 @@ "GHSA-6757-jp84-gxfx" ], "help": { - "text": "**Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [CVE-2020-1747](https://osv.dev/list?q=CVE-2020-1747)**\n(Also published as: [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96), [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx), ).\n\n## [PYSEC-2020-96](https://osv.dev/vulnerability/PYSEC-2020-96)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n## [GHSA-6757-jp84-gxfx](https://osv.dev/vulnerability/GHSA-6757-jp84-gxfx)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6757-jp84-gxfx | pyyaml | 5.3.1 |\n| PYSEC-2020-96 | pyyaml | 5.3.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-1747\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "properties": { "security-severity": "9.8" @@ -70,8 +70,8 @@ "GHSA-8q59-q68h-6hv4" ], "help": { - "text": "**Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/home/sg/Projects/smithy_security/smithy/tmp/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/home/sg/Projects/smithy_security/smithy/tmp/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [CVE-2020-14343](https://osv.dev/list?q=CVE-2020-14343)**\n(Also published as: [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142), [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4), ).\n\n## [PYSEC-2021-142](https://osv.dev/vulnerability/PYSEC-2021-142)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n## [GHSA-8q59-q68h-6hv4](https://osv.dev/vulnerability/GHSA-8q59-q68h-6hv4)\n\n
\nDetails\n\n> A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\n\n
\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/workspace/source-code/requirements.txt | pyyaml | 5.1.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-8q59-q68h-6hv4 | pyyaml | 5.4 |\n| PYSEC-2021-142 | pyyaml | 5.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/workspace/source-code/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-14343\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "properties": { "security-severity": "9.8" @@ -84,7 +84,7 @@ "artifacts": [ { "location": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" + "uri": "file:///workspace/source-code/requirements.txt" }, "length": -1 } @@ -101,7 +101,7 @@ { "physicalLocation": { "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" + "uri": "file:///workspace/source-code/requirements.txt" } } } @@ -118,7 +118,7 @@ { "physicalLocation": { "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" + "uri": "file:///workspace/source-code/requirements.txt" } } } 
@@ -135,58 +135,7 @@ { "physicalLocation": { "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" - } - } - } - ] - }, - { - "ruleId": "CVE-2019-20477", - "ruleIndex": 0, - "level": "warning", - "message": { - "text": "Package 'pyyaml@5.1.2' is vulnerable to 'CVE-2019-20477' (also known as 'PYSEC-2020-176', 'GHSA-3pqx-4fqf-j49f')." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" - } - } - } - ] - }, - { - "ruleId": "CVE-2020-1747", - "ruleIndex": 1, - "level": "warning", - "message": { - "text": "Package 'pyyaml@5.1.2' is vulnerable to 'CVE-2020-1747' (also known as 'PYSEC-2020-96', 'GHSA-6757-jp84-gxfx')." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" - } - } - } - ] - }, - { - "ruleId": "CVE-2020-14343", - "ruleIndex": 2, - "level": "warning", - "message": { - "text": "Package 'pyyaml@5.1.2' is vulnerable to 'CVE-2020-14343' (also known as 'PYSEC-2021-142', 'GHSA-8q59-q68h-6hv4')." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///home/sg/Projects/smithy_security/smithy/tmp/requirements.txt" + "uri": "file:///workspace/source-code/requirements.txt" } } }
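Review bot: This hunk removes three of the fixture's results entries (ruleIndex 0, 1 and 2 for CVE-2019-20477, CVE-2020-1747 and CVE-2020-14343) while the reporting descriptors for those rules stay in the rules array — the -70 hunk above still rewrites the help text of the CVE-2020-14343 rule — so the fixture now carries rules that no result references. That is valid SARIF, but it narrows what the fixture exercises: only one result is left to cover the path rewrite from the developer's home directory to the workspace path, and the multi-result case for a single lockfile is gone. If the trimming is deliberate to shorten the expected output in sarif_test.go, a one-line comment there stating that the fixture intentionally keeps unreferenced rules would help the next reader; otherwise keeping one of the removed results would preserve coverage of several results pointing at the same artifact. The replacement of the personal `/home/sg/...` path with `/workspace/source-code/` across the other hunks is a good hygiene change and needs nothing further.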