From 8a6492919185bbe6c7635555a8d96bffa64c053a Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 2 Oct 2023 15:53:04 +0000 Subject: [PATCH 01/23] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 9786d4d7130..f1ee3fdae0f 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.27.0", + "version": "2.28.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 23b7a3590c8..e7576a482eb 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.27.0' +__version__ = '2.28.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index d9a7cece46b..fbaead105b0 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.27.0" +appVersion: "2.28.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.89 +version: 1.6.90-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 0b45289f48b9a68db35528ff3a2daecd493468ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 11:28:25 -0500 Subject: [PATCH 02/23] Bump nginx from `16164a4` to `4c93a3b` (#8770) Bumps nginx from `16164a4` to `4c93a3b`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile.nginx-alpine | 2 +- Dockerfile.nginx-debian | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.nginx-alpine b/Dockerfile.nginx-alpine index 69e6a47bc72..132b144d960 100644 --- a/Dockerfile.nginx-alpine +++ b/Dockerfile.nginx-alpine @@ -140,7 +140,7 @@ COPY manage.py ./ COPY dojo/ ./dojo/ RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true -FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70 +FROM nginx:1.25.2-alpine@sha256:4c93a3bd8bf95412889dd84213570102176b6052d88bb828eaf449c56aca55ef ARG uid=1001 ARG appuser=defectdojo COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/ diff --git a/Dockerfile.nginx-debian b/Dockerfile.nginx-debian index 16e1f67d989..552864046f2 100644 --- a/Dockerfile.nginx-debian +++ b/Dockerfile.nginx-debian @@ -75,7 +75,7 @@ COPY dojo/ ./dojo/ RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true -FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70 +FROM nginx:1.25.2-alpine@sha256:4c93a3bd8bf95412889dd84213570102176b6052d88bb828eaf449c56aca55ef ARG uid=1001 ARG appuser=defectdojo COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/ From 338d34520c8b238014092f909e974619e48258d6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 15:08:46 -0500 Subject: [PATCH 03/23] Bump coverage from 7.3.1 to 7.3.2 (#8782) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.1 to 7.3.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.1...7.3.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d417acca136..118f6590f90 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,7 @@ asteval==0.9.31 bleach==6.0.0 bleach[css] celery==5.3.4 -coverage==7.3.1 +coverage==7.3.2 defusedxml==0.7.1 django_celery_results==2.5.1 django-auditlog==2.3.0 From 3adf137f494b6af1fe8ac9e8a9d123650ae015b9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 16:39:53 -0500 Subject: [PATCH 04/23] Bump boto3 from 1.28.57 to 1.28.58 (#8780) Bumps [boto3](https://github.com/boto/boto3) from 1.28.57 to 1.28.58. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.28.57...1.28.58) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.txt b/requirements.txt index 118f6590f90..facb555c75f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -78,7 +78,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.28.57 # Required for Celery Broker AWS (SQS) support +boto3==1.28.58 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.0 fontawesomefree==6.4.2 From 9bbf49a991ef17e4bc94b6a89f68b2e509a3ac3d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 12:53:00 -0500 Subject: [PATCH 05/23] Bump psycopg2-binary from 2.9.8 to 2.9.9 (#8792) Bumps [psycopg2-binary](https://github.com/psycopg/psycopg2) from 2.9.8 to 2.9.9. - [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS) - [Commits](https://github.com/psycopg/psycopg2/compare/2.9.8...2.9.9) --- updated-dependencies: - dependency-name: psycopg2-binary dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index facb555c75f..c5d11e37bd8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -37,7 +37,7 @@ mysqlclient==2.1.1 openpyxl==3.1.2 xlrd==1.2.0 Pillow==10.0.1 # required by django-imagekit -psycopg2-binary==2.9.8 +psycopg2-binary==2.9.9 cryptography==41.0.4 python-dateutil==2.8.2 pytz==2023.3.post1 From be0a8fbb2128d06e9e0310e6a01ce1f7aeebc471 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 12:53:24 -0500 Subject: [PATCH 06/23] Bump boto3 from 1.28.58 to 1.28.59 (#8791) Bumps [boto3](https://github.com/boto/boto3) from 1.28.58 to 1.28.59. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.28.58...1.28.59) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index c5d11e37bd8..6f39d17d742 100644 --- a/requirements.txt +++ b/requirements.txt @@ -78,7 +78,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.28.58 # Required for Celery Broker AWS (SQS) support +boto3==1.28.59 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.0 fontawesomefree==6.4.2 From 110b2db10ebd3c9ade1c747878b737e929caf498 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 12:53:50 -0500 Subject: [PATCH 07/23] Update redis:7.2.1-alpine Docker digest from 7.2.1 to 7.2.1-alpine (docker-compose.yml) (#8790) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index ebc59d2a842..c70fc0fb932 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -156,7 +156,7 @@ services: volumes: - defectdojo_rabbitmq:/var/lib/rabbitmq redis: - image: redis:7.2.1-alpine@sha256:9150d86fe2a9d03bbdb15bb9758fa5e3d24632386af8f6eb4d675ee4c976f499 + image: redis:7.2.1-alpine@sha256:343e6546f35877801de0b8580274a5e3a8e8464cabe545a2dd9f3c78df77542a profiles: - mysql-redis - postgres-redis From f85429b238f2e740ccd8554d773b7e260089d428 Mon Sep 17 00:00:00 2001 From: Daryl Walleck Date: Mon, 9 Oct 2023 08:10:38 -0500 Subject: [PATCH 08/23] Browser tests should use the latest Chrome stable release (#8783) * Browser tests should use the latest Chrome stable release * Add dependencies for chrome binary and added to path * Don't try to add chrome to path * Added script to find chrome dependencies * Correct var name and added missing && * Hard code location of chrome binary * Remove unused import * Removed -j from unzipping of chrome binary * Giving credit to parts of the solution --- Dockerfile.integration-tests-debian | 44 ++++++++++++------- docker/entrypoint-integration-tests.sh | 1 + docker/install_chrome_dependencies.py | 60 ++++++++++++++++++++++++++ 3 files changed, 89 insertions(+), 16 deletions(-) create mode 100644 docker/install_chrome_dependencies.py diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian index 6b2e7e97a62..1f9ab1cf28a 100644 --- a/Dockerfile.integration-tests-debian +++ b/Dockerfile.integration-tests-debian 
@@ -14,31 +14,43 @@ RUN \ gpg \ default-jre-headless \ jq \ + apt-file \ + libnss3 \ + xvfb \ && \ apt-get clean && \ - rm -rf /var/lib/apt/lists && \ true -# Installing Google Chrome browser +RUN pip install --no-cache-dir selenium==4.9.0 requests + +# Install the latest Google Chrome stable release +WORKDIR /opt/chrome RUN \ - curl -sS -o - https://dl.google.com/linux/linux_signing_key.pub | apt-key add && \ - echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list && \ - apt-get -y update && \ - apt-get -y install \ - google-chrome-stable=117.0.5938.132-1 \ - && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists && \ - true + chrome_url=$(curl https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json | jq -r '.channels[] | select(.channel == "Stable") | .downloads.chrome[] | select(.platform == "linux64").url') && \ + wget $chrome_url && \ + unzip chrome-linux64.zip && \ + rm -rf chrome-linux64.zip && \ + chmod -R 0755 . 
&& \ + ln -s /opt/chrome/chrome-linux64/chrome /usr/bin/chrome -RUN pip install --no-cache-dir selenium==4.9.0 requests +# Install the dependencies for Google Chrome +RUN apt-file update +COPY docker/install_chrome_dependencies.py install_chrome_dependencies.py +RUN \ + missing_chrome_deps=$(python install_chrome_dependencies.py) && \ + apt-get -y install $missing_chrome_deps + +# Install a suggested list of additional packages (https://stackoverflow.com/a/76734752) +RUN apt-get install -y libxi6 libgconf-2-4 jq libjq1 libonig5 libxkbcommon0 libxss1 libglib2.0-0 libnss3 \ + libfontconfig1 libatk-bridge2.0-0 libatspi2.0-0 libgtk-3-0 libpango-1.0-0 libgdk-pixbuf2.0-0 libxcomposite1 \ + libxcursor1 libxdamage1 libxtst6 libappindicator3-1 libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libxfixes3 \ + libdbus-1-3 libexpat1 libgcc1 libnspr4 libgbm1 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxext6 \ + libxrandr2 libxrender1 gconf-service ca-certificates fonts-liberation libappindicator1 lsb-release xdg-utils -# Installing Chromedriver +# Installing the latest stable Google Chrome driver release WORKDIR /opt/chrome-driver RUN \ - chrome_version=$(apt-cache show google-chrome-stable | grep Version | awk '{print $2}' | cut -d '-' -f 1) && \ - chrome_version_blob=$(curl -k https://googlechromelabs.github.io/chrome-for-testing/known-good-versions-with-downloads.json | jq ".versions[] | select(.version==\"$chrome_version\")") && \ - chromedriver_url=https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/117.0.5938.92/linux64/chromedriver-linux64.zip && \ + chromedriver_url=$(curl https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json | jq -r '.channels[] | select(.channel == "Stable") | .downloads.chromedriver[] | select(.platform == "linux64").url') && \ wget $chromedriver_url && \ unzip -j chromedriver-linux64.zip chromedriver-linux64/chromedriver && \ rm -rf chromedriver-linux64.zip && \ 
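Review bot: The Chrome build is now fetched as an unpinned "latest stable" zip with no integrity check, whereas the replaced lines installed a pinned package (`google-chrome-stable=117.0.5938.132-1`) from a signed apt repository, so the image is no longer reproducible and a changed or tampered download would not be noticed at build time. At minimum, log the resolved version (the same JSON carries one per channel) or record a checksum of the zip so a build can be tied to a specific Chrome release. Both `curl` invocations in this hunk also run without `-f`, so an HTTP error body would be piped into `jq` rather than failing the fetch; `curl -fsSL` on both, plus quoting the expansion as `wget "$chrome_url"`, is a small hardening. Dropping `rm -rf /var/lib/apt/lists` is presumably what lets the later `apt-get install` steps run without another update, but it also leaves the package lists in the image; a comment on that line would save the next reader the guess.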
diff --git a/docker/entrypoint-integration-tests.sh b/docker/entrypoint-integration-tests.sh index 3da46f9bc66..e76bcac998e 100755 --- a/docker/entrypoint-integration-tests.sh +++ b/docker/entrypoint-integration-tests.sh @@ -23,6 +23,7 @@ if [ $COUNTER -gt 10 ]; then fi export CHROMEDRIVER=$(find /opt/chrome-driver -name chromedriver) +export CHROME_PATH=/opt/chrome/chrome # Run available unittests with a simple setup # All available Integrationtest Scripts are activated below diff --git a/docker/install_chrome_dependencies.py b/docker/install_chrome_dependencies.py new file mode 100644 index 00000000000..5f4f714a430 --- /dev/null +++ b/docker/install_chrome_dependencies.py 
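Review bot: `export CHROME_PATH=/opt/chrome/chrome` does not match the layout the Dockerfile in this series creates: `unzip chrome-linux64.zip` in `/opt/chrome` yields `/opt/chrome/chrome-linux64/chrome`, which is the path the Dockerfile then symlinks to `/usr/bin/chrome`. Unless the zip unpacks a top-level `chrome` binary, anything that honours `CHROME_PATH` will point at a file that does not exist; `export CHROME_PATH=/opt/chrome/chrome-linux64/chrome` (or `/usr/bin/chrome`) would match. The same path is hard-coded in `docker/install_chrome_dependencies.py`, so both should be corrected together.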
@@ -0,0 +1,60 @@ +""" +This solution is largely based on the Playwright's browser dependencies script at +https://github.com/microsoft/playwright/blob/main/utils/linux-browser-dependencies/inside_docker/list_dependencies.js +""" + +import subprocess + + +def find_packages(library_name): + stdout = run_command(["apt-file", "search", library_name]) + if not stdout.strip(): + return [] + libs = [line.split(":")[0] for line in stdout.strip().split("\n")] + return list(set(libs)) + + +def run_command(cmd, cwd=None, env=None): + result = subprocess.run(cmd, cwd=cwd, env=env, capture_output=True, text=True) + return result.stdout + + +def ldd(file_path): + stdout = run_command(["ldd", file_path]) + # For simplicity, I'm assuming if we get an error, the code is non-zero. + try: + result = subprocess.run( + ["ldd", file_path], capture_output=True, text=True + ) + stdout = result.stdout + code = result.returncode + except subprocess.CalledProcessError: + stdout = "" + code = 1 + return stdout, code + + +raw_deps = ldd("/opt/chrome/chrome") +dependencies = raw_deps[0].splitlines() + +missing_deps = { + r[0].strip() + for d in dependencies + for r in [d.split("=>")] + if len(r) == 2 and r[1].strip() == "not found" +} + +missing_packages = [] +for d in missing_deps: + all_packages = find_packages(d) + packages = [ + p + for p in all_packages + if not any( + p.endswith(suffix) for suffix in ["-dbg", "-test", "tests", "-dev", "-mesa"] + ) + ] + for p in packages: + missing_packages.append(p) + +print(" ".join(missing_packages)) From d36b1e386acd4b5151f0c88146d479493ddd30a4 Mon Sep 17 00:00:00 2001 
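Review bot: `ldd()` runs `ldd` twice and discards the first result, its `except subprocess.CalledProcessError` can never fire because `subprocess.run` is called without `check=True`, and the caller throws the returned exit code away (`raw_deps[0]`), so a failed `ldd` — for instance if `/opt/chrome/chrome` is not where the Dockerfile unpacks the binary, which the `ln -s /opt/chrome/chrome-linux64/chrome` line suggests — prints an empty string and `apt-get -y install $missing_chrome_deps` silently installs nothing. The script should run `ldd` once and exit non-zero when it fails, so the Docker build stops instead of continuing with an incomplete dependency set. Separately, `apt-file search` matches the library name as a substring of the path, so a name like `libfoo.so.1` can also match `libfoo.so.10` and pull unrelated packages into the install list; anchoring the pattern with `apt-file search -x` and a `/` + escaped name + `$` regex keeps the list to exact filenames. The set comprehension's `for r in [d.split("=>")]` trick reads more clearly as `d.partition("=>")`.
```python
def ldd(file_path):
    # One invocation; the exit status tells the caller whether the binary
    # could be inspected at all (missing file, not an ELF object, ...).
    result = subprocess.run(["ldd", file_path], capture_output=True, text=True)
    return result.stdout, result.returncode


# … unchanged: find_packages / run_command …

raw_deps, code = ldd("/opt/chrome/chrome")
if code != 0:
    raise SystemExit(f"ldd failed for /opt/chrome/chrome (exit {code}); not emitting a package list")
dependencies = raw_deps.splitlines()
```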
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 19:00:32 -0500 Subject: [PATCH 09/23] Update styfle/cancel-workflow-action action from 0.11.0 to v0.12.0 (.github/workflows/cancel-outdated-workflow-runs.yml) (#8784) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/cancel-outdated-workflow-runs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cancel-outdated-workflow-runs.yml b/.github/workflows/cancel-outdated-workflow-runs.yml index 205e6ef68c8..7d8dbcfa377 100644 --- a/.github/workflows/cancel-outdated-workflow-runs.yml +++ b/.github/workflows/cancel-outdated-workflow-runs.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 3 steps: - - uses: styfle/cancel-workflow-action@0.11.0 + - uses: styfle/cancel-workflow-action@0.12.0 with: workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml' access_token: ${{ github.token }} From 1fec02c6bb3434e93c8bad2f13cc159db042ae5a Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 10 Oct 2023 17:56:17 +0000 Subject: [PATCH 10/23] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index d907b921217..f1ee3fdae0f 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.27.1", + "version": "2.28.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index b87c0d4351e..e7576a482eb 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py 
@@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.27.1' +__version__ = '2.28.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index a2c0682a796..f21874e6dbc 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.27.1" +appVersion: "2.28.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.90 +version: 1.6.91-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 9346ad6d7c51dd062e3ed6770e38d0cf992393e8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:56:35 -0500 Subject: [PATCH 11/23] Update mysql:5.7.43 Docker digest from 5.7.43 to v (docker-compose.yml) (#8795) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c70fc0fb932..00446b60809 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -125,7 +125,7 @@ services: source: ./docker/extra_settings target: /app/docker/extra_settings mysql: - image: mysql:5.7.43@sha256:2c23f254c6b9444ecda9ba36051a9800e8934a2f5828ecc8730531db8142af83 + image: mysql:5.7.43@sha256:a06310bb26d02a6118ae7fa825c172a0bf594e178c72230fc31674f348033270 profiles: - mysql-rabbitmq - mysql-redis From dcf5d3b3c39d1ca8549f5fc5f37bc303eda5f57c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:56:45 -0500 Subject: [PATCH 12/23] Bump vulners from 2.1.0 to 2.1.1 (#8810) Bumps [vulners]() from 2.1.0 to 2.1.1. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 451c7aa25fa..d9250231d85 100644 --- a/requirements.txt +++ b/requirements.txt @@ -80,5 +80,5 @@ blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support boto3==1.28.59 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 -vulners==2.1.0 +vulners==2.1.1 fontawesomefree==6.4.2 From e3c64d73e4e64d8d45bf2de3e6ddc9a79e683e89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:57:07 -0500 Subject: [PATCH 13/23] Bump markdown from 3.4.4 to 3.5 (#8807) Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.4.4 to 3.5. - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](https://github.com/Python-Markdown/markdown/compare/3.4.4...3.5) --- updated-dependencies: - dependency-name: markdown dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d9250231d85..d164aa21a0e 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -32,7 +32,7 @@ humanize==4.8.0 jira==3.5.2 PyGithub==1.58.2 lxml==4.9.3 -Markdown==3.4.4 +Markdown==3.5 mysqlclient==2.1.1 openpyxl==3.1.2 xlrd==1.2.0 From bf7dc53ac8771d21221a131272b68d147c158d89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:57:31 -0500 Subject: [PATCH 14/23] Bump bleach from 6.0.0 to 6.1.0 (#8806) Bumps [bleach](https://github.com/mozilla/bleach) from 6.0.0 to 6.1.0. - [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES) - [Commits](https://github.com/mozilla/bleach/compare/v6.0.0...v6.1.0) --- updated-dependencies: - dependency-name: bleach dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d164aa21a0e..b986e0a1aab 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ # requirements.txt for DefectDojo using Python 3.x asteval==0.9.31 -bleach==6.0.0 +bleach==6.1.0 bleach[css] celery==5.3.4 coverage==7.3.2 From d904adcffcaf68a06ae2ff467fc0d277e17d9848 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:57:44 -0500 Subject: [PATCH 15/23] Bump boto3 from 1.28.59 to 1.28.62 (#8805) Bumps [boto3](https://github.com/boto/boto3) from 1.28.59 to 1.28.62. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.28.59...1.28.62) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b986e0a1aab..fe637d756d9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -78,7 +78,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.28.59 # Required for Celery Broker AWS (SQS) support +boto3==1.28.62 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.4.2 From eba1e2f3731a518d38086c0629c0d21bc72614ce Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:57:53 -0500 Subject: [PATCH 16/23] Update stefanzweifel/git-auto-commit-action action from v4.16.0 to v5 (.github/workflows/release-3-master-into-dev.yml) (#8804) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/plantuml.yml | 2 +- .github/workflows/release-1-create-pr.yml | 2 +- .github/workflows/release-3-master-into-dev.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/plantuml.yml b/.github/workflows/plantuml.yml index b16d79baa8d..c6016c03984 100644 --- a/.github/workflows/plantuml.yml +++ b/.github/workflows/plantuml.yml @@ -33,7 +33,7 @@ jobs: with: args: -v -tpng ${{ steps.getfile.outputs.files }} - name: Push Local Changes - uses: stefanzweifel/git-auto-commit-action@v4.16.0 + uses: stefanzweifel/git-auto-commit-action@v5.0.0 with: commit_user_name: "PlantUML_bot" commit_user_email: "noreply@defectdojo.org" diff --git a/.github/workflows/release-1-create-pr.yml b/.github/workflows/release-1-create-pr.yml index f3e1d0c278f..70964a047db 100644 --- a/.github/workflows/release-1-create-pr.yml +++ b/.github/workflows/release-1-create-pr.yml 
@@ -75,7 +75,7 @@ jobs: grep -H version helm/defectdojo/Chart.yaml - name: Push version changes - uses: stefanzweifel/git-auto-commit-action@v4.16.0 + uses: stefanzweifel/git-auto-commit-action@v5.0.0 with: commit_user_name: "${{ env.GIT_USERNAME }}" commit_user_email: "${{ env.GIT_EMAIL }}" diff --git a/.github/workflows/release-3-master-into-dev.yml b/.github/workflows/release-3-master-into-dev.yml index 4d5cebcdac8..2b1a153f1bb 100644 --- a/.github/workflows/release-3-master-into-dev.yml +++ b/.github/workflows/release-3-master-into-dev.yml @@ -57,7 +57,7 @@ jobs: grep version components/package.json - name: Push version changes - uses: stefanzweifel/git-auto-commit-action@v4.16.0 + uses: stefanzweifel/git-auto-commit-action@v5.0.0 with: commit_user_name: "${{ env.GIT_USERNAME }}" commit_user_email: "${{ env.GIT_EMAIL }}" @@ -123,7 +123,7 @@ jobs: grep version components/package.json - name: Push version changes - uses: stefanzweifel/git-auto-commit-action@v4.16.0 + uses: stefanzweifel/git-auto-commit-action@v5.0.0 with: commit_user_name: "${{ env.GIT_USERNAME }}" commit_user_email: "${{ env.GIT_EMAIL }}" From 43ef7f6df4459e1bf3e0853f2caa402cd1906d93 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:58:04 -0500 Subject: [PATCH 17/23] Update rabbitmq:3.12.6-alpine Docker digest from 3.12.6 to 3.12.6-alpine (docker-compose.yml) (#8800) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 00446b60809..20ee31102f7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -149,7 +149,7 @@ services: volumes: - defectdojo_postgres:/var/lib/postgresql/data rabbitmq: - image: rabbitmq:3.12.6-alpine@sha256:a21880dc5e2b4581c0dd762337c7112475a2d8daba697e1c6192923ebad91739 + image: rabbitmq:3.12.6-alpine@sha256:23ec95b20e371821e791220da01aef9f7064a1b2a2171f1bd4d02ab03cbd3d95 profiles: - mysql-rabbitmq - postgres-rabbitmq From 426d61e2777d55ab7bddea591cb4a7c5b81f1fda Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 21:58:22 -0500 Subject: [PATCH 18/23] Update postgres:16.0-alpine Docker digest from 16.0 to 16.0-alpine (docker-compose.yml) (#8799) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 20ee31102f7..063ca327ed1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -138,7 +138,7 @@ services: volumes: - defectdojo_data:/var/lib/mysql postgres: - image: postgres:16.0-alpine@sha256:2ccd6655060d7b06c71f86094e8c7a28bdcc8a80b43baca4b1dabb29cff138a2 + image: postgres:16.0-alpine@sha256:bfd42bb6358aee8a305ec3f51d505d6b9e406cf3ce800914a66741dba18b8263 profiles: - postgres-rabbitmq - postgres-redis From b506e9866b1cd143b12020a52739a4f1b4505b42 Mon Sep 17 00:00:00 2001 
From: tomaszn Date: Fri, 13 Oct 2023 00:45:42 +0200 Subject: [PATCH 19/23] [ENHANCEMENT] AWS Security Hub parser: include more vulnerability details (#8664) * AWS Security Hub parser: include additional vulnerability details * AWS Security Hub parser: improvements for ECR findings * AWS Security Hub parser: mark findings as static --- dojo/tools/awssecurityhub/parser.py | 49 +- unittests/scans/awssecurityhub/README.md | 2 +- .../scans/awssecurityhub/inspector_ecr.json | 805 ++++++++++++++++++ unittests/tools/test_awssecurityhub_parser.py | 23 +- 4 files changed, 866 insertions(+), 13 deletions(-) create mode 100644 unittests/scans/awssecurityhub/inspector_ecr.json diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py index 4d01e4c343c..2e411ce259b 100644 --- a/dojo/tools/awssecurityhub/parser.py +++ b/dojo/tools/awssecurityhub/parser.py @@ -25,12 +25,14 @@ def get_items(self, tree: dict, test): # DefectDojo/django-DefectDojo/issues/2780 findings = tree.get("Findings", tree.get("findings", None)) - if not findings: - return list() + if not isinstance(findings, list): + raise ValueError("Incorrect Security Hub report format") for node in findings: item = get_item(node, test) key = node["Id"] + if not isinstance(key, str): + raise ValueError("Incorrect Security Hub report format") items[key] = item return list(items.values()) @@ -42,6 +44,8 @@ def get_item(finding: dict, test): title = finding.get("Title", "") severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").title() mitigation = "" + impact = [] + references = [] unsaved_vulnerability_ids = [] if aws_scanner_type == "Inspector": description = f"This is an Inspector Finding\n{finding.get('Description', '')}" 
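Review bot: `key = node["Id"]` raises a bare KeyError when a finding has no `Id`, while a non-string `Id` one line later is reported as `ValueError("Incorrect Security Hub report format")`; reading it with `key = node.get("Id")` routes both cases through the same check and message. The validation also runs after `get_item(node, test)` has already processed the node, so moving the `Id` check above the `get_item` call fails fast on malformed input before any Finding is built. `get_items` starts before this hunk.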
@@ -50,12 +54,18 @@ def get_item(finding: dict, test): # Save the CVE if it is present if cve := vulnerability.get("Id"): unsaved_vulnerability_ids.append(cve) + for alias in vulnerability.get("RelatedVulnerabilities", []): + if alias != cve: + unsaved_vulnerability_ids.append(alias) # Add information about the vulnerable packages to the description and mitigation vulnerable_packages = vulnerability.get("VulnerablePackages", []) for package in vulnerable_packages: mitigation += f"- Update {package.get('Name', '')}-{package.get('Version', '')}\n" if remediation := package.get("Remediation"): mitigation += f"\t- {remediation}\n" + if vendor := vulnerability.get("Vendor"): + if vendor_url := vendor.get("Url"): + references.append(vendor_url) if finding.get("ProductFields", {}).get("aws/inspector/FindingStatus", "ACTIVE") == "ACTIVE": mitigated = None 
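Review bot: `vendor_url` is taken verbatim from the report and appended to `references` with no scheme check, so if the references field is rendered as links elsewhere, a non-http(s) value from a malformed or hostile export would reach the page unchanged; a guard such as `if vendor_url.startswith(("http://", "https://")): references.append(vendor_url)` keeps it to web URLs. The `RelatedVulnerabilities` loop only de-duplicates against `cve`, so an alias repeated in the list lands in `unsaved_vulnerability_ids` more than once; `if alias != cve and alias not in unsaved_vulnerability_ids:` avoids that. `get_item` starts and ends outside this hunk.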
@@ -91,27 +101,44 @@ def get_item(finding: dict, test): is_Mitigated = False active = True - resources = finding.get("Resources", "") - resource_id = resources[0]["Id"].split(":")[-1] - references = finding.get("Remediation", {}).get("Recommendation", {}).get("Url") + title_suffix = "" + for resource in finding.get("Resources", []): + if resource.get("Type") == "AwsEcrContainerImage": + details = resource.get("Details", {}).get("AwsEcrContainerImage") + arn = resource.get("Id") + if details: + impact.append(f"Image ARN: {arn}") + impact.append(f"Registry: {details.get('RegistryId')}") + impact.append(f"Repository: {details.get('RepositoryName')}") + impact.append(f"Image digest: {details.get('ImageDigest')}") + title_suffix = f" - Image: {arn.split('/', 1)[1]}" # repo-name/sha256:digest + else: # generic implementation + resource_id = resource["Id"].split(":")[-1] + impact.append(f"Resource: {resource_id}") + title_suffix = f" - Resource: {resource_id}" + + if remediation_rec_url := finding.get("Remediation", {}).get("Recommendation", {}).get("Url"): + references.append(remediation_rec_url) false_p = False - finding = Finding( - title=f"{title} - Resource: {resource_id}", + result = Finding( + title=f"{title}{title_suffix}", test=test, description=description, mitigation=mitigation, - references=references, + references="\n".join(references), severity=severity, - impact=f"Resource: {resource_id}", + impact="\n".join(impact), active=active, verified=False, false_p=false_p, unique_id_from_tool=finding_id, mitigated=mitigated, is_mitigated=is_Mitigated, + static_finding=True, + dynamic_finding=False, ) # Add the unsaved vulnerability ids - finding.unsaved_vulnerability_ids = unsaved_vulnerability_ids + result.unsaved_vulnerability_ids = unsaved_vulnerability_ids - return finding + return result diff --git a/unittests/scans/awssecurityhub/README.md b/unittests/scans/awssecurityhub/README.md index cc00b1b3972..dd08fde5e85 100644 
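Review bot: `title_suffix = f" - Image: {arn.split('/', 1)[1]}"` raises IndexError when the resource `Id` contains no `/`, and `arn = resource.get("Id")` gives None (AttributeError) when it is missing, so a malformed or truncated report crashes the import with an uncaught exception instead of the `ValueError("Incorrect Security Hub report format")` this commit raises in get_items for the other shape errors; the generic branch's `resource["Id"]` has the same issue. Reading with a default and `str.partition` covers both cases: `arn = resource.get("Id", "")` and `title_suffix = f" - Image: {arn.partition('/')[2] or arn}"`, which still yields `repo-name/sha256:digest` for the fixture's ARNs. Separately, `title_suffix` is overwritten on every iteration, so a finding with several `Resources` entries is titled after the last one only while `impact` lists all of them; either join the per-resource suffixes or comment that the title reflects the last resource. get_item begins above the hunk, and since the rewritten tail drops the old `resources[0]` access, an empty `Resources` list now yields a finding with no resource in title or impact instead of an IndexError, which deserves a test.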
--- a/unittests/scans/awssecurityhub/README.md +++ b/unittests/scans/awssecurityhub/README.md @@ -10,7 +10,7 @@ To keep some order, let's keep them prefixed with the names of the services that * `inspector_ec2_`: findings from AWS Inspector with results of scanning EC2 instances -* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning +* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning, currently contains 7 findings with vulnerabilities associated with 8 different values of `PackageManager` * `inspector_lambda_`: findings from AWS Inspector with results of scanning Lambdas diff --git a/unittests/scans/awssecurityhub/inspector_ecr.json b/unittests/scans/awssecurityhub/inspector_ecr.json new file mode 100644 index 00000000000..daa4225e61a --- /dev/null +++ b/unittests/scans/awssecurityhub/inspector_ecr.json 
@@ -0,0 +1,805 @@ +{ + "Findings": [ + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/fbd353dda17ad52c47774ad7d62360b2", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-23T14:00:39Z", + "LastObservedAt": "2023-08-30T21:11:07Z", + "CreatedAt": "2023-08-23T14:00:39Z", + "UpdatedAt": "2023-08-30T21:11:07Z", + "Severity": { + "Label": "MEDIUM", + "Normalized": 40 + }, + "Title": "CVE-2023-2650 - openssl", + "Description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time comp...Truncated", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. 
Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "6.5", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_11", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:d5fad00d4eb04c332a8728ee7642bff8fb9cd3cec653ca301ab69a4ca075a757", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/fbd353dda17ad52c47774ad7d62360b2", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-os", + "Architecture": "amd64", + "ImageDigest": "sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", + "ImageTags": ["2023-08-23"], + "ImagePublishedAt": "2023-08-23T14:00:14Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2023-2650", + "VulnerablePackages": [ + { + "Name": "openssl", + "Version": "1.1.1n", + "Epoch": "0", + "Release": "0+deb11u4", + "Architecture": "AMD64", + "PackageManager": "OS", + "FixedInVersion": "0:1.1.1n-0+deb11u5", + "Remediation": "apt-get update && apt-get upgrade", + "SourceLayerHash": "sha256:d5fad00d4eb04c332a8728ee7642bff8fb9cd3cec653ca301ab69a4ca075a757" + } + ], + "Cvss": [ + { + "Version": 
"3.1", + "BaseScore": 6.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 6.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "DEBIAN_CVE", + "Url": "https://security-tracker.debian.org/tracker/CVE-2023-2650", + "VendorSeverity": "not yet assigned" + }, + "ReferenceUrls": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "FixAvailable": "YES", + "EpssScore": 0.0014, + "ExploitAvailable": "NO" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/fabd67b4e814d66ce64fb34f2f20b559", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-09T06:27:25Z", + "LastObservedAt": "2023-08-30T21:11:47Z", + "CreatedAt": "2023-08-09T06:27:25Z", + "UpdatedAt": "2023-08-30T21:11:47Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2022-32149 - golang.org/x/text, golang.org/x/text and 1 more", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
+ } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_12", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf,sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf,sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/fabd67b4e814d66ce64fb34f2f20b559", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-gomod/sha256:a94c3dfd6c8ecb573a30fae7c18cf682de4b6c16f3c7250c107de1770db41220", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-gomod", + "Architecture": "amd64", + "ImageDigest": "sha256:a94c3dfd6c8ecb573a30fae7c18cf682de4b6c16f3c7250c107de1770db41220", + "ImageTags": ["c-c4036e958892d4e087301fa446c19ff5b7b80ecd"], + "ImagePublishedAt": "2023-08-01T13:13:45Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2022-32149", + "VulnerablePackages": [ + { + "Name": "golang.org/x/text", + "Version": "0.3.8-0.20220509174342-b4bca84b0361", + "Epoch": "0", + "PackageManager": "GOMOD", + "FilePath": "usr/local/go/src/go.mod", + "FixedInVersion": "0.3.8", + "Remediation": "Update text to 0.3.8", + "SourceLayerHash": "sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf" + }, + { + "Name": "golang.org/x/text", + "Version": "0.3.3", + 
"Epoch": "0", + "PackageManager": "GOMOD", + "FilePath": "usr/local/go/src/something/go.sum", + "FixedInVersion": "0.3.8", + "Remediation": "Update text to 0.3.8", + "SourceLayerHash": "sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf" + }, + { + "Name": "golang.org/x/text", + "Version": "0.3.8-0.20220509174342-b4bca84b0361", + "Epoch": "0", + "PackageManager": "GOMOD", + "FilePath": "usr/local/go/src/go.sum", + "FixedInVersion": "0.3.8", + "Remediation": "Update text to 0.3.8", + "SourceLayerHash": "sha256:98386e4f090a680777a76ed54c91064550622229029076560f990b1c2cb3f4cf" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", + "VendorSeverity": "HIGH", + "VendorCreatedAt": "2022-10-14T15:15:00Z", + "VendorUpdatedAt": "2022-10-18T17:41:00Z" + }, + "ReferenceUrls": [ + "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + ], + "FixAvailable": "YES", + "ExploitAvailable": "YES" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "HIGH" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/ed174f9755171e51f5f45e2bfc0bb685", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-30T14:28:53Z", + "LastObservedAt": "2023-08-30T14:28:53Z", + "CreatedAt": "2023-08-30T14:28:53Z", + "UpdatedAt": 
"2023-08-30T14:28:53Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2022-25883 - semver", + "Description": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_18", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:751194035c3611aead30c71ecc70008764778b49867f805c9a12b0c42a5e07bf", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/ed174f9755171e51f5f45e2bfc0bb685", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-nodepkg/sha256:1e9cf640d33e8a4fca7cb8d7ddf952ef0a3cd54b9446567d44e638a6571385bd", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-nodepkg", + "Architecture": "amd64", + "ImageDigest": "sha256:1e9cf640d33e8a4fca7cb8d7ddf952ef0a3cd54b9446567d44e638a6571385bd", + "ImageTags": ["c-5081c9b0cf8160ea0c46bd49a1362f92f3aa4e73"], + "ImagePublishedAt": "2023-08-30T14:28:45Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": 
"ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2022-25883", + "VulnerablePackages": [ + { + "Name": "semver", + "Version": "7.5.1", + "Epoch": "0", + "PackageManager": "NODEPKG", + "FilePath": "usr/local/lib/node_modules/npm/node_modules/semver/package.json", + "FixedInVersion": "7.5.2", + "Remediation": "Update semver to 7.5.2", + "SourceLayerHash": "sha256:751194035c3611aead30c71ecc70008764778b49867f805c9a12b0c42a5e07bf" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "VendorSeverity": "HIGH", + "VendorCreatedAt": "2023-06-21T05:15:00Z", + "VendorUpdatedAt": "2023-07-12T00:53:00Z" + }, + "FixAvailable": "YES", + "ExploitAvailable": "YES" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "HIGH" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/fb283a3490f48eec11b6500faab7470c", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-10T07:36:46Z", + "LastObservedAt": "2023-08-21T17:01:53Z", + "CreatedAt": "2023-08-10T07:36:46Z", + "UpdatedAt": "2023-08-21T17:01:53Z", + "Severity": { + "Label": "CRITICAL", + "Normalized": 90 + }, + "Title": "CVE-2023-37920 - certifi, certifi and 2 more", + "Description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying 
the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "9.8", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_11", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e,sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e,sha256:3d418b079937b4bec95f67f57b775741b05df804006733b418dd0633d553c751,sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/fb283a3490f48eec11b6500faab7470c", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-poetry/sha256:d0406162a81777e5fe3eb5835fec5d4436ca750a1e12e367474efc39cc62cfbf", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-poetry", + "Architecture": "amd64", + "ImageDigest": "sha256:d0406162a81777e5fe3eb5835fec5d4436ca750a1e12e367474efc39cc62cfbf", + "ImageTags": ["tag1", 
"tag2", "tag-last"], + "ImagePublishedAt": "2023-08-10T07:36:02Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2023-37920", + "VulnerablePackages": [ + { + "Name": "certifi", + "Version": "2022.12.7", + "Epoch": "0", + "PackageManager": "POETRY", + "FilePath": "app/poetry.lock", + "FixedInVersion": "2023.7.22", + "Remediation": "Update certifi to 2023.7.22", + "SourceLayerHash": "sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e" + }, + { + "Name": "certifi", + "Version": "2023.5.7", + "Epoch": "0", + "PackageManager": "POETRY", + "FilePath": "app/poetry.lock", + "FixedInVersion": "2023.7.22", + "Remediation": "Update certifi to 2023.7.22", + "SourceLayerHash": "sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e" + }, + { + "Name": "certifi", + "Version": "2023.5.7", + "Epoch": "0", + "PackageManager": "PYTHONPKG", + "FilePath": "app/.cache/pypoetry/virtualenvs/something-ANnMAkq9-py3.9/lib/python3.9/site-packages/certifi-2023.5.7.dist-info/METADATA", + "FixedInVersion": "2023.7.22", + "Remediation": "Update certifi to 2023.7.22", + "SourceLayerHash": "sha256:3d418b079937b4bec95f67f57b775741b05df804006733b418dd0633d553c751" + }, + { + "Name": "certifi", + "Version": "2022.12.7", + "Epoch": "0", + "PackageManager": "POETRY", + "FilePath": "app/poetry.lock", + "FixedInVersion": "2023.7.22", + "Remediation": "Update certifi to 2023.7.22", + "SourceLayerHash": "sha256:5d982d4bf57c6a5661a4a4624fa46b4235430afdfc5c7477457e76ac0f780d7e" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 9.8, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 9.8, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37920", + "VendorSeverity": 
"CRITICAL", + "VendorCreatedAt": "2023-07-25T21:15:00Z", + "VendorUpdatedAt": "2023-08-12T06:16:00Z" + }, + "ReferenceUrls": [ + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/" + ], + "FixAvailable": "YES", + "ExploitAvailable": "NO" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "CRITICAL" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/b05900ac9880dc902ef729b72a91a21a", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-21T13:40:40Z", + "LastObservedAt": "2023-08-21T13:41:59Z", + "CreatedAt": "2023-08-21T13:40:40Z", + "UpdatedAt": "2023-08-21T13:41:59Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2022-31163 - tzinfo", + "Description": "TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. 
Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a p...Truncated", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "8.1", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_17", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:6ce38273df14da22f8dbb8d224d0f7ed007da6daa6fde797eb3e505e8932eb20", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/b05900ac9880dc902ef729b72a91a21a", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-bundler/sha256:f15d536b44e9700b6d687947139cec8f7741ea4f796f807d4d909b68fb34c418", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-bundler", + "Architecture": "amd64", + "ImageDigest": "sha256:f15d536b44e9700b6d687947139cec8f7741ea4f796f807d4d909b68fb34c418", + "ImagePublishedAt": "2023-08-21T13:40:31Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2022-31163", + "VulnerablePackages": [ + { + 
"Name": "tzinfo", + "Version": "1.2.9", + "Epoch": "0", + "PackageManager": "BUNDLER", + "FilePath": "app/node_modules/@something/Gemfile.lock", + "FixedInVersion": "1.2.10", + "Remediation": "Update tzinfo to 1.2.10", + "SourceLayerHash": "sha256:6ce38273df14da22f8dbb8d224d0f7ed007da6daa6fde797eb3e505e8932eb20" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 8.1, + "BaseVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 8.1, + "BaseVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31163", + "VendorSeverity": "HIGH", + "VendorCreatedAt": "2022-07-22T04:15:00Z", + "VendorUpdatedAt": "2022-10-26T19:00:00Z" + }, + "ReferenceUrls": [ + "https://lists.debian.org/debian-lts-announce/2022/08/msg00009.html" + ], + "FixAvailable": "YES", + "ExploitAvailable": "NO" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "HIGH" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/1f46c626e66f19961cb634e30463b913", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-21T13:39:12Z", + "LastObservedAt": "2023-08-21T13:41:58Z", + "CreatedAt": "2023-08-21T13:39:12Z", + "UpdatedAt": "2023-08-21T13:41:58Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2023-37788 - github.com/elazarl/goproxy", + "Description": "goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.", + "Remediation": { + 
"Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_17", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:ead62b4140ce38991b50e86efa65ebae81a6384f2024e8147b4b85d05f2bb5fa", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/1f46c626e66f19961cb634e30463b913", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-gobinary/sha256:6b48d92046b51a4761462e432d99724343006425dca0694b41634fd0b6ecce7c", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-gobinary", + "Architecture": "amd64", + "ImageDigest": "sha256:6b48d92046b51a4761462e432d99724343006425dca0694b41634fd0b6ecce7c", + "ImageTags": ["tag-2023.123", "c-12345"], + "ImagePublishedAt": "2023-08-21T13:39:01Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2023-37788", + "VulnerablePackages": [ + { + "Name": "github.com/elazarl/goproxy", + "Version": "v0.0.0-20220901064549-fbd10ff4f5a1", + "Epoch": "0", + "PackageManager": "GOBINARY", + "FilePath": "app/snyk-alpine", + "FixedInVersion": "0.0.0-20230731152917-f99041a5c027", + "Remediation": "Update goproxy to 
0.0.0-20230731152917-f99041a5c027", + "SourceLayerHash": "sha256:ead62b4140ce38991b50e86efa65ebae81a6384f2024e8147b4b85d05f2bb5fa" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37788", + "VendorSeverity": "HIGH", + "VendorCreatedAt": "2023-07-18T19:15:00Z", + "VendorUpdatedAt": "2023-07-27T04:05:00Z" + }, + "FixAvailable": "YES", + "ExploitAvailable": "YES" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "HIGH" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:eu-central-1:123456789012:finding/8ba5034cf5b39282316fb9a919a2c556", + "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "eu-central-1", + "GeneratorId": "AWSInspector", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], + "FirstObservedAt": "2023-08-21T07:01:06Z", + "LastObservedAt": "2023-08-21T13:06:22Z", + "CreatedAt": "2023-08-21T07:01:06Z", + "UpdatedAt": "2023-08-21T13:06:22Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2023-25194 - org.apache.kafka:kafka-clients", + "Description": "A possible security vulnerability has been identified in Apache Kafka Connect API.\nThis requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config\nand a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.\nWhen configuring the connector via the Kafka Connect REST API, an 
authenticated operator can set the `sasl.jaas.config`\nproperty for any of the connector's Kafka clients to \"com.sun.security.auth.module.JndiLoginModule\", which can be done via the\n`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.\nThis will allow the server to connect to the attacker's LDAP server\nand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.\nAttacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerabili...Truncated", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "8.8", + "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_15", + "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:66023291c834d436a456d628643f8ae182ab688f2ea3d9f7741652027dec1efb", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/inspector/arn:aws:inspector2:eu-central-1:123456789012:finding/8ba5034cf5b39282316fb9a919a2c556", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEcrContainerImage", + "Id": "arn:aws:ecr:eu-central-1:123456789012:repository/repo-jar/sha256:856d54232d3e463b6aa99d3f951cac8bacb6deb95e5795c1440f4be4ad60cf63", + "Partition": "aws", + "Region": "eu-central-1", + "Details": { + "AwsEcrContainerImage": { + "RegistryId": "123456789012", + "RepositoryName": "repo-jar", + "Architecture": "amd64", + "ImageDigest": 
"sha256:856d54232d3e463b6aa99d3f951cac8bacb6deb95e5795c1440f4be4ad60cf63", + "ImageTags": ["tag123"], + "ImagePublishedAt": "2023-08-21T07:00:59Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2023-25194", + "VulnerablePackages": [ + { + "Name": "org.apache.kafka:kafka-clients", + "Version": "3.1.2", + "Epoch": "0", + "PackageManager": "JAR", + "FilePath": "app/app.jar", + "FixedInVersion": "3.4.0", + "Remediation": "Update kafka-clients to 3.4.0", + "SourceLayerHash": "sha256:66023291c834d436a456d628643f8ae182ab688f2ea3d9f7741652027dec1efb" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": 8.8, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + }, + { + "Version": "3.1", + "BaseScore": 8.8, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "NVD", + "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", + "VendorSeverity": "HIGH", + "VendorCreatedAt": "2023-02-07T20:15:00Z", + "VendorUpdatedAt": "2023-07-21T12:15:00Z" + }, + "ReferenceUrls": [ + "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", + "https://kafka.apache.org/cve-list" + ], + "FixAvailable": "YES", + "ExploitAvailable": "YES" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "HIGH" + }, + "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"] + } + } + ] +} diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py index 60de0e7485f..5619f4f4ce5 100644 --- a/unittests/tools/test_awssecurityhub_parser.py +++ b/unittests/tools/test_awssecurityhub_parser.py 
@@ -20,6 +20,7 @@ def test_one_finding(self):
         self.assertEqual("Informational", finding.severity)
         self.assertTrue(finding.is_mitigated)
         self.assertFalse(finding.active)
+        self.assertEqual("https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation", finding.references)
 
     def test_one_finding_active(self):
         with open(get_unit_tests_path() + sample_path("config_one_finding_active.json")) as test_file:
@@ -58,7 +59,11 @@ def test_inspector_ec2(self):
         findings = parser.get_findings(test_file, Test())
         self.assertEqual(5, len(findings))
         finding = findings[0]
-        self.assertIn("CVE-2022-3643", finding.title)
+        self.assertEqual("CVE-2022-3643 - kernel - Resource: i-11111111111111111", finding.title)
+        self.assertEqual("Resource: i-11111111111111111", finding.impact)
+        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+        self.assertEqual("CVE-2022-3643", finding.unsaved_vulnerability_ids[0])
+        self.assertEqual("- Update kernel-4.14.301\n\t- yum update kernel\n", finding.mitigation)
 
     def test_inspector_ec2_with_no_vulnerabilities(self):
         with open(get_unit_tests_path() + sample_path("inspector_ec2_cve_no_vulnerabilities.json")) as test_file:
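Review bot: In the `@@ -58` hunk the pair `self.assertEqual(1, len(finding.unsaved_vulnerability_ids))` followed by `self.assertEqual("CVE-2022-3643", finding.unsaved_vulnerability_ids[0])` collapses into one `self.assertEqual(["CVE-2022-3643"], finding.unsaved_vulnerability_ids)`, which also prints the full list on failure instead of tripping an IndexError when the parser returns nothing. The same consideration applies to the GHSA assertion in the next hunk, where `assertSetEqual` over `set(finding.unsaved_vulnerability_ids)` would not notice a duplicated id; a plain list comparison would, provided the parser's output order is stable, which is not visible here. The `with open(...)` header of `test_inspector_ec2` sits above the hunk.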
@@ -76,3 +81,19 @@ def test_inspector_ec2_ghsa(self):
         self.assertFalse(finding.is_mitigated)
         self.assertTrue(finding.active)
         self.assertIn("GHSA-p98r-538v-jgw5", finding.title)
+        self.assertSetEqual({"CVE-2023-34256", "GHSA-p98r-538v-jgw5"}, set(finding.unsaved_vulnerability_ids))
+        self.assertEqual("https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-p98r-538v-jgw5", finding.references)
+
+    def test_inspector_ecr(self):
+        with open(get_unit_tests_path() + sample_path("inspector_ecr.json")) as test_file:
+            parser = AwsSecurityHubParser()
+            findings = parser.get_findings(test_file, Test())
+            self.assertEqual(7, len(findings))
+
+            finding = findings[0]
+            self.assertEqual("Medium", finding.severity)
+            self.assertFalse(finding.is_mitigated)
+            self.assertTrue(finding.active)
+            self.assertEqual("CVE-2023-2650 - openssl - Image: repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.title)
+            self.assertIn("repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.impact)
+            self.assertIn("Repository: repo-os", finding.impact)
From 01038ad62046d10284d6b9ead1db507b98631e0d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Oct 2023 10:00:20 -0500
Subject: [PATCH 20/23] Bump boto3 from 1.28.62 to 1.28.63 (#8826)
Bumps [boto3](https://github.com/boto/boto3) from 1.28.62 to 1.28.63.
- [Release notes](https://github.com/boto/boto3/releases)
- [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)
- [Commits](https://github.com/boto/boto3/compare/1.28.62...1.28.63)
---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
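Review bot: `test_inspector_ecr` pins `self.assertEqual(7, len(findings))` and then inspects only `findings[0]`'s severity, title and impact; unlike `test_inspector_ec2` it never asserts `finding.unsaved_vulnerability_ids`, `finding.mitigation` or `finding.references` for the ECR resource shape, even though the new `inspector_ecr.json` fixture carries `FixedInVersion`, a `Remediation` string and `ReferenceUrls` for CVE-2023-25194 that presumably populate those fields. For the kafka-clients finding (its index in `findings` is not visible here) adding `self.assertEqual(["CVE-2023-25194"], finding.unsaved_vulnerability_ids)` and `self.assertIn("Update kafka-clients to 3.4.0", finding.mitigation)` would cover the remediation path that the EC2 test already exercises. That fixture entry also lists two identical NVD `Cvss` records, so if the parser reads CVSS data at all, one assertion on whichever CVSS field it fills would confirm the duplicate does not change the result. The new method is complete within the hunk.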
diff --git a/requirements.txt b/requirements.txt
index fe637d756d9..bf826e287eb 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -78,7 +78,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.0
 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support
-boto3==1.28.62 # Required for Celery Broker AWS (SQS) support
+boto3==1.28.63 # Required for Celery Broker AWS (SQS) support
 netaddr==0.8.0
 vulners==2.1.1
 fontawesomefree==6.4.2
From 8d352698af74e83e3812c49ba23eb786983119b8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 13 Oct 2023 10:00:55 -0500
Subject: [PATCH 21/23] Update rabbitmq:3.12.6-alpine Docker digest from 3.12.6 to 3.12.6-alpine (docker-compose.yml) (#8825)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 063ca327ed1..f07c7261840 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -149,7 +149,7 @@ services:
     volumes:
       - defectdojo_postgres:/var/lib/postgresql/data
   rabbitmq:
-    image: rabbitmq:3.12.6-alpine@sha256:23ec95b20e371821e791220da01aef9f7064a1b2a2171f1bd4d02ab03cbd3d95
+    image: rabbitmq:3.12.6-alpine@sha256:0636edac61179f9c499fec1f8f031101df3fce0bec8b01cf1021278bf5e18ac9
     profiles:
       - mysql-rabbitmq
       - postgres-rabbitmq
From 5c5b25ddc3b73ddc6aadf0d946c6de4d82d1140a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Oct 2023 10:01:17 -0500
Subject: [PATCH 22/23] Bump sqlalchemy from 2.0.21 to 2.0.22 (#8827)
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.21 to 2.0.22.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)
---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index bf826e287eb..8e2025068a8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -43,7 +43,7 @@ python-dateutil==2.8.2
 pytz==2023.3.post1
 redis==5.0.1
 requests==2.31.0
-sqlalchemy==2.0.21 # Required by Celery broker transport
+sqlalchemy==2.0.22 # Required by Celery broker transport
 supervisor==4.2.5
 urllib3==1.26.17
 uWSGI==2.0.22
From 76b59c35b455d216def5f0065a34fefdb373d7d1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 13 Oct 2023 10:01:47 -0500
Subject: [PATCH 23/23] Update mysql:5.7.43 Docker digest from 5.7.43 to v (docker-compose.yml) (#8823)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index f07c7261840..435c716d098 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -125,7 +125,7 @@ services:
         source: ./docker/extra_settings
         target: /app/docker/extra_settings
   mysql:
-    image: mysql:5.7.43@sha256:a06310bb26d02a6118ae7fa825c172a0bf594e178c72230fc31674f348033270
+    image: mysql:5.7.43@sha256:4f9bfb0f7dd97739ceedb546b381534bb11e9b4abf013d6ad9ae6473fed66099
     profiles:
       - mysql-rabbitmq
       - mysql-redis