diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 702d56f85e..7fb239f189 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -222,9 +222,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output No issues found --- @@ -252,7 +251,6 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ -| https://osv.dev/CVE-2022-48174 | 9.8 | Alpine | busybox | 1.35.0-r29 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -371,12 +369,11 @@ No issues found [TestRun/one_specific_supported_sbom_with_vulns - 1] Scanned /fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 15 packages -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ -| https://osv.dev/CVE-2022-48174 | 9.8 | Alpine | busybox | 1.35.0-r29 | fixtures/sbom-insecure/alpine.cdx.xml | -| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ +| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ --- @@ -762,9 +759,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ 
@@ -787,9 +783,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output | License | No. of package versions | | --- | ---:| | Apache-2.0 | 1 | diff --git a/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml b/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml index 6a0e162114..1e8f20cf88 100644 --- a/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml +++ b/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml @@ -182,18 +182,18 @@ /bin/busybox - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox - 1.35.0-r29 + 1.36.1-r27 Size optimized toolbox of many common UNIX utilities GPL-2.0-only - cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox:busybox:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -208,24 +208,24 @@ 1dbf7a793afae640ea643a055b6dd4f430ac116b 962560 busybox - cmd:busybox=1.35.0-r29 + cmd:busybox=1.36.1-r27 Q1NN3sp0yr99btRysqty3nQUrWHaY= so:libc.musl-x86_64.so.1 509600 - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh - 1.35.0-r29 + 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only - cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
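Review bot: The bumped purls keep `distro=alpine-3.17.2` while the package version becomes 1.36.1-r27, e.g. `pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2` in the -182 hunk; as far as I know Alpine 3.17 never shipped a 1.36.x busybox, so the fixture now describes a package/release pairing that no real image has. If the scanner derives the Alpine ecosystem release from that qualifier, the test is exercising a version outside the release's advisory range rather than a genuinely patched package, so either bump the qualifier to the release that actually carries 1.36.1-r27 or add a fixture comment stating that the mix is intentional. The same mismatch is present in the busybox-binsh and ssl_client purls of this file and in every hunk of fixtures/sbom-insecure/alpine.cdx.xml. The snapshot change also implies the CVE-2022-48174 ignore entry in fixtures/locks-many/osv-scanner.toml no longer matches anything; that file is not in the diff, so confirm whether it should be pruned.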
@@ -235,20 +235,20 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh - cmd:sh=1.35.0-r29 + cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= - busybox=1.35.0-r29 + busybox=1.36.1-r27 1547 @@ -510,18 +510,18 @@ 37687 - + Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client - 1.35.0-r29 + 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only - cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
@@ -531,17 +531,17 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox - cmd:ssl_client=1.35.0-r29 + cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 @@ -601,4 +601,4 @@ - \ No newline at end of file + diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml index f70df0c6df..1b81355989 100644 --- a/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml +++ b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml @@ -182,18 +182,18 @@ /bin/busybox - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox - 1.35.0-r29 + 1.36.1-r27 Size optimized toolbox of many common UNIX utilities GPL-2.0-only - cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox:busybox:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
@@ -208,24 +208,24 @@ 1dbf7a793afae640ea643a055b6dd4f430ac116b 962560 busybox - cmd:busybox=1.35.0-r29 + cmd:busybox=1.36.1-r27 Q1NN3sp0yr99btRysqty3nQUrWHaY= so:libc.musl-x86_64.so.1 509600 - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh - 1.35.0-r29 + 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only - cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -235,20 +235,20 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh - cmd:sh=1.35.0-r29 + cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= - busybox=1.35.0-r29 + busybox=1.36.1-r27 1547 
@@ -510,18 +510,18 @@ 37687 - + Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client - 1.35.0-r29 + 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only - cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -531,17 +531,17 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox - cmd:ssl_client=1.35.0-r29 + cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 @@ -601,4 +601,4 @@ - \ No newline at end of file +