From 31ab35e0884e1a3003516269e896cb2822fdbb11 Mon Sep 17 00:00:00 2001
From: Zamir Martins Filho
Date: Thu, 18 Sep 2025 13:01:59 -0400
Subject: [PATCH 1/3] Add events for Gemnasium
EE: true
Changelog: added
---
 ...t_gemnasium_scan_metrics_from_pipeline.yml | 24 +
 ...scan_performance_metrics_from_pipeline.yml | 22 +
 ...nasium_scan_sbom_metrics_from_pipeline.yml | 26 +
 .../security/process_scan_events_service.rb | 3 +
 ee/spec/factories/ci/job_artifacts.rb | 10 +
 ...anning-report-gemnasium-observability.json | 1100 +++++++++++++++++
 .../process_scan_events_service_spec.rb | 35 +
 7 files changed, 1220 insertions(+)
 create mode 100644 config/events/collect_gemnasium_scan_metrics_from_pipeline.yml
 create mode 100644 config/events/collect_gemnasium_scan_performance_metrics_from_pipeline.yml
 create mode 100644 config/events/collect_gemnasium_scan_sbom_metrics_from_pipeline.yml
 create mode 100644 ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json
diff --git a/config/events/collect_gemnasium_scan_metrics_from_pipeline.yml b/config/events/collect_gemnasium_scan_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..a6b695d58a0589
--- /dev/null
+++ b/config/events/collect_gemnasium_scan_metrics_from_pipeline.yml
@@ -0,0 +1,24 @@
+---
+description: The event tracks Gemnasium scan data
+internal_events: true
+status: active
+action: collect_gemnasium_scan_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: Gemnasium version
+ value:
+ description: Number of vulnerabilities
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
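Review bot: The top-level `description` of `collect_gemnasium_scan_metrics_from_pipeline` ("The event tracks Gemnasium scan data") is vaguer than the property descriptions beneath it, so the metrics-dictionary entry generated from it will not say what the event's `value` and `label` carry; `description: Emitted for a Gemnasium dependency scanning report; value is the number of vulnerabilities found, label the Gemnasium version` states it using only the fields this file already declares. The same applies to the performance and SBOM definitions in the next two files, whose `value` is the scan duration in seconds and the component count respectively.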
diff --git a/config/events/collect_gemnasium_scan_performance_metrics_from_pipeline.yml b/config/events/collect_gemnasium_scan_performance_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..d86dadccef5d40
--- /dev/null
+++ b/config/events/collect_gemnasium_scan_performance_metrics_from_pipeline.yml
@@ -0,0 +1,22 @@
+---
+description: The event tracks Gemnasium performance data
+internal_events: true
+status: active
+action: collect_gemnasium_scan_performance_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ value:
+ description: Scan duration in seconds
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_scan_sbom_metrics_from_pipeline.yml b/config/events/collect_gemnasium_scan_sbom_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..15efcc09e66231
--- /dev/null
+++ b/config/events/collect_gemnasium_scan_sbom_metrics_from_pipeline.yml
@@ -0,0 +1,26 @@
+---
+description: The event tracks Gemnasium SBOM scan data
+internal_events: true
+status: active
+action: collect_gemnasium_scan_sbom_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: PURL type
+ value:
+ description: Components count
+ input_file_path:
+ description: Path of input (lock) file for SBOM
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/ee/app/services/security/process_scan_events_service.rb b/ee/app/services/security/process_scan_events_service.rb
index 4ae67aae7c1e1f..3f9790021b21d2 100644
--- a/ee/app/services/security/process_scan_events_service.rb
+++ b/ee/app/services/security/process_scan_events_service.rb
@@ -17,6 +17,9 @@ class ProcessScanEventsService
 collect_dast_scan_runner_metrics_from_pipeline
 collect_dast_scan_vulnerability_metrics_from_pipeline
 collect_dast_scan_w3c_metrics_from_pipeline
+ collect_gemnasium_scan_metrics_from_pipeline
+ collect_gemnasium_scan_sbom_metrics_from_pipeline
+ collect_gemnasium_scan_performance_metrics_from_pipeline
 ].freeze
 
 def self.execute(pipeline)
diff --git a/ee/spec/factories/ci/job_artifacts.rb b/ee/spec/factories/ci/job_artifacts.rb
index 1a80c25b29943c..37d75d6f764f2e 100644
--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -309,6 +309,16 @@ end end + trait :dependency_scanning_gemnasium_observability do + file_format { :raw } + file_type { :dependency_scanning } + + after(:build) do |artifact, _| + artifact.file = fixture_file_upload( + Rails.root.join('ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json'), 'application/json') + end + end + trait :container_scanning do + file_format { :raw } + file_type { :container_scanning }
diff --git a/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json
new file mode 100644
index 00000000000000..c6f2f32b9e912f
--- /dev/null
+++ b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json
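Review bot: The three names added to the event list in process_scan_events_service.rb extend an event-name allow-list (the constant's opening line is outside the hunk), but nothing in the hunk records that each entry must correspond to a definition under `config/events/`, nor that the report these names are matched against is job-artifact output controlled by whoever authored the pipeline. A comment above the new entries, `# Each name needs a definition in config/events/; the report is untrusted pipeline output, so only the additional-property keys declared there should be forwarded.`, keeps that contract visible to the next person extending the list. The SBOM event in particular introduces a free-form string key, `input_file_path`, which the spec in this patch expects to reach `additional_properties` verbatim; whether undeclared keys are dropped and string values are bounded before tracking is not visible in this hunk and is worth confirming in the service's event handling. Minor: the entries are ordered metrics, sbom, performance here while the rest of the patch lists them as metrics, performance, sbom.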
@@ -0,0 +1,1100 @@ +{ + "version": "15.1.4", + "vulnerabilities": [ + { + "id": "95e118ade6df522143c1c7fec272d216a2729ae4e543dced57aa4ce5e7902d30", + "name": "OS Command Injection", + "description": "Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting `preferLocal=true` which makes execa search for locally installed binaries and executes them.", + "severity": "Critical", + "solution": "Upgrade to version 2.0.0 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "execa" + }, + "version": "0.7.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d", + "value": "05cfa2e8-2d0c-42c1-8894-638e2f12ff3d", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/execa/GMS-2020-2.yml" + } + ], + "cvss_vectors": [ + { + "vendor": "Unknown", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "Unknown", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C" + } + ], + "links": [ + { + "url": "https://github.com/sindresorhus/execa/releases/tag/v2.0.0" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "execa:0.7.0" + } + } + }, + { + "id": "a4075d88e9e21640bba6ec64dd7f20d85f58d12f94265fbc072ccbeec8a2f0ad", + "name": "Improper Input Validation", + "description": "lodash is vulnerable to Prototype Pollution. 
The function `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype` using a constructor payload.", + "severity": "Critical", + "solution": "Upgrade to version 4.17.12 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "4.17.10" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-4774cd67-936f-419e-8533-ae5cfe7db9f9", + "value": "4774cd67-936f-419e-8533-ae5cfe7db9f9", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/lodash/CVE-2019-10744.yml" + }, + { + "type": "cve", + "name": "CVE-2019-10744", + "value": "CVE-2019-10744", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "lodash:4.17.10" + } + } + }, + { + "id": "c533136291a252b72028914aef1f4030b6c281551d9798d645c7ab89e2fc60c2", + "name": "Uncontrolled Resource Consumption", + "description": "A prototype pollution vulnerability was found in lodash where the functions `merge`, `mergeWith`, and `defaultsDeep` can be tricked into adding or modifying properties of `Object.prototype`.", + "severity": "Critical", + "solution": "Upgrade to version 4.17.11 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "4.17.10" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d8822263-8a6f-43ea-bb6b-7a2a0cabdf5c", + "value": "d8822263-8a6f-43ea-bb6b-7a2a0cabdf5c", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/lodash/CVE-2018-16487.yml" + }, + { + "type": "cve", + "name": "CVE-2018-16487", + "value": "CVE-2018-16487", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://hackerone.com/reports/380873" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "lodash:4.17.10" + } + } + }, + { + "id": "6a351088ef2ec589559549390ced97bcf06b0b34c2dc13f520e442510fe22627", + "name": "Argument Injection or Modification", + "description": "mixin-deep is vulnerable to Prototype Pollution. The function mixin-deep could be tricked into adding or modifying properties of `Object.prototype` using a constructor payload.", + "severity": "Critical", + "solution": "Upgrade to versions 1.3.2, 2.0.1 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "mixin-deep" + }, + "version": "1.3.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-04af00f2-3b09-4656-9f4b-bcb2f4ef3db1", + "value": "04af00f2-3b09-4656-9f4b-bcb2f4ef3db1", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/mixin-deep/CVE-2019-10746.yml" + }, + { + "type": "cve", + "name": "CVE-2019-10746", + "value": "CVE-2019-10746", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10746" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10746" + } + ], + "details": 
{ + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "mixin-deep:1.3.1" + } + } + }, + { + "id": "81101167479bf2a479e27e01c9f2ac975c7a71b6d3b60929a851a386a662ea3d", + "name": "Uncontrolled Resource Consumption", + "description": "set-value is vulnerable to Prototype Pollution. The function `mixin-deep` could be tricked into adding or modifying properties of `Object.prototype` using any of the constructor, prototype and `_proto_` payloads.", + "severity": "Critical", + "solution": "Upgrade to versions 2.0.1, 3.0.1 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "set-value" + }, + "version": "0.4.3" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6f541fe7-9711-457a-8003-a52d8650b66f", + "value": "6f541fe7-9711-457a-8003-a52d8650b66f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/set-value/CVE-2019-10747.yml" + }, + { + "type": "cve", + "name": "CVE-2019-10747", + "value": "CVE-2019-10747", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10747" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "set-value:0.4.3" + } + } + }, + { + "id": "c442c2e7b5e8a59be00d13ed2fc9757a4edbfddef253a8b39cf7944da626243e", + "name": "Uncontrolled Resource Consumption", + "description": "set-value is vulnerable to Prototype Pollution. 
The function `mixin-deep` could be tricked into adding or modifying properties of `Object.prototype` using any of the constructor, prototype and `_proto_` payloads.", + "severity": "Critical", + "solution": "Upgrade to versions 2.0.1, 3.0.1 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "set-value" + }, + "version": "2.0.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6f541fe7-9711-457a-8003-a52d8650b66f", + "value": "6f541fe7-9711-457a-8003-a52d8650b66f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/set-value/CVE-2019-10747.yml" + }, + { + "type": "cve", + "name": "CVE-2019-10747", + "value": "CVE-2019-10747", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10747" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "set-value:2.0.0" + } + } + }, + { + "id": "20c165dbfd46f50246dc5f92773167a42cb103e987631a751b301df4cba5c0c3", + "name": "Regular Expression Denial of Service", + "description": "A regex in the form of `/[x-\\ud800]/u` causes the parser to enter an infinite loop. 
The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.", + "severity": "High", + "solution": "Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "acorn" + }, + "version": "5.7.3" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-cd6cfe67-4650-49c6-a10a-ee4195a573fa", + "value": "cd6cfe67-4650-49c6-a10a-ee4195a573fa", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/acorn/GMS-2020-1.yml" + } + ], + "cvss_vectors": [ + { + "vendor": "Unknown", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "links": [ + { + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469" + }, + { + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "acorn:5.7.3" + } + } + }, + { + "id": "0d324ecb5d5a8eb266f63466bcb1d77e8bc0fbbeffbdaca17af125eaa5bbc885", + "name": "Regular Expression Denial of Service", + "description": "A regex in the form of `/[x-\\ud800]/u` causes the parser to enter an infinite loop. 
The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.", + "severity": "High", + "solution": "Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "acorn" + }, + "version": "6.4.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-cd6cfe67-4650-49c6-a10a-ee4195a573fa", + "value": "cd6cfe67-4650-49c6-a10a-ee4195a573fa", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/acorn/GMS-2020-1.yml" + } + ], + "cvss_vectors": [ + { + "vendor": "Unknown", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "links": [ + { + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469" + }, + { + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "acorn:6.4.0" + } + } + }, + { + "id": "6ebe52b830eadaf5a4773e29c46f7e9c7f4d798576a5cb7a02eac6cba3d4eab1", + "name": "Improper Input Validation", + "description": "Decamelize uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.", + "severity": "High", + "solution": "Upgrade to version 1.1.2 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "decamelize" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-cfa05151-753f-4373-833c-a27e772c87a2", + "value": "cfa05151-753f-4373-833c-a27e772c87a2", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/decamelize/CVE-2017-16023.yml" + }, + { + "type": "cve", + "name": "CVE-2017-16023", + "value": "CVE-2017-16023", + "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16023" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16023" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "decamelize:1.1.1" + } + } + }, + { + "id": "f7c070b198c0e572b42e8f3764b357639253dbde1ea46d36948106fc5c324b10", + "name": "Type checking vulnerability", + "description": "`ctorName` allows external user input to overwrite certain internal attributes via a conflicting name.", + "severity": "High", + "solution": "Upgrade to version 6.0.3 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "kind-of" + }, + "version": "3.2.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c69c3883-e67c-4be5-a4dd-ce1d82173049", + "value": "c69c3883-e67c-4be5-a4dd-ce1d82173049", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/kind-of/CVE-2019-20149.yml" + }, + { + "type": "cve", + "name": "CVE-2019-20149", + "value": "CVE-2019-20149", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://github.com/jonschlinkert/kind-of/issues/30" + }, + { + "url": "https://github.com/jonschlinkert/kind-of/pull/31" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "kind-of:3.2.2" + } + } + }, + { + "id": "ba7927b851867dbe51bc887ca5e4d8613231127b0f8f8917ac1df3bd76185eea", + "name": "Type 
checking vulnerability", + "description": "`ctorName` allows external user input to overwrite certain internal attributes via a conflicting name.", + "severity": "High", + "solution": "Upgrade to version 6.0.3 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "kind-of" + }, + "version": "4.0.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c69c3883-e67c-4be5-a4dd-ce1d82173049", + "value": "c69c3883-e67c-4be5-a4dd-ce1d82173049", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/kind-of/CVE-2019-20149.yml" + }, + { + "type": "cve", + "name": "CVE-2019-20149", + "value": "CVE-2019-20149", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://github.com/jonschlinkert/kind-of/issues/30" + }, + { + "url": "https://github.com/jonschlinkert/kind-of/pull/31" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "kind-of:4.0.0" + } + } + }, + { + "id": "d835b655be86d39a77dcf2be964ab37fe168f93db43f2dd46acf9f1aea84d00a", + "name": "Type checking vulnerability", + "description": "`ctorName` allows external user input to overwrite certain internal attributes via a conflicting name.", + "severity": "High", + "solution": "Upgrade to version 6.0.3 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "kind-of" + }, + "version": "5.1.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c69c3883-e67c-4be5-a4dd-ce1d82173049", + "value": "c69c3883-e67c-4be5-a4dd-ce1d82173049", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/kind-of/CVE-2019-20149.yml" + }, + { + "type": "cve", + "name": "CVE-2019-20149", + "value": "CVE-2019-20149", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://github.com/jonschlinkert/kind-of/issues/30" + }, + { + "url": "https://github.com/jonschlinkert/kind-of/pull/31" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "kind-of:5.1.0" + } + } + }, + { + "id": "6e80125b83898491e9d607139014f3a00e3a533854858e343472268ba4023836", + "name": "Type checking vulnerability", + "description": "`ctorName` allows external user input to overwrite certain internal attributes via a conflicting name.", + "severity": "High", + "solution": "Upgrade to version 6.0.3 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "kind-of" + }, + "version": "6.0.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c69c3883-e67c-4be5-a4dd-ce1d82173049", + "value": "c69c3883-e67c-4be5-a4dd-ce1d82173049", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/kind-of/CVE-2019-20149.yml" + }, + { + "type": "cve", + "name": "CVE-2019-20149", + "value": "CVE-2019-20149", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://github.com/jonschlinkert/kind-of/issues/30" + }, + { + "url": 
"https://github.com/jonschlinkert/kind-of/pull/31" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "kind-of:6.0.2" + } + } + }, + { + "id": "6f034745c016512a96de7053e9d24f48a2dfc4344e5336f2003401a6d26a4257", + "name": "Object Prototype Pollution", + "description": "Prototype pollution attack when using `_.zipObjectDeep` in lodash.", + "severity": "High", + "solution": "Upgrade to version 4.17.20 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "4.17.10" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-1f7fa42b-6b17-46b7-88a5-8995b43d298f", + "value": "1f7fa42b-6b17-46b7-88a5-8995b43d298f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/lodash/CVE-2020-8203.yml" + }, + { + "type": "cve", + "name": "CVE-2020-8203", + "value": "CVE-2020-8203", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/lodash/lodash/issues/4874" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "lodash:4.17.10" + } + } + }, + { + "id": "78acb11bc04d24ce80d5892ac35b8d1154c00452885a01bf111732881bf937e6", + "name": "Object Prototype Pollution", + "description": "Prototype pollution attack when using `_.zipObjectDeep` in lodash.", + "severity": "High", + "solution": "Upgrade to version 4.17.20 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "4.17.15" + } + }, + 
"identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-1f7fa42b-6b17-46b7-88a5-8995b43d298f", + "value": "1f7fa42b-6b17-46b7-88a5-8995b43d298f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/lodash/CVE-2020-8203.yml" + }, + { + "type": "cve", + "name": "CVE-2020-8203", + "value": "CVE-2020-8203", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/lodash/lodash/issues/4874" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "lodash:4.17.15" + } + } + }, + { + "id": "9aa3de1cabc8a00be028cf7d54e673039db5a87feb5c519f99b3a236aa700070", + "name": "Uncontrolled Resource Consumption", + "description": "lodash is affected by Uncontrolled Resource Consumption which can lead to a denial of service.", + "severity": "Medium", + "solution": "Upgrade to version 4.17.11 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "4.17.10" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-109f3b4c-bdb3-48be-b2f9-e0348fba64bd", + "value": "109f3b4c-bdb3-48be-b2f9-e0348fba64bd", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/lodash/CVE-2019-1010266.yml" + }, + { + "type": "cve", + "name": "CVE-2019-1010266", + "value": "CVE-2019-1010266", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P" + } + ], + "links": [ + { + 
"url": "https://github.com/lodash/lodash/issues/3359" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "lodash:4.17.10" + } + } + }, + { + "id": "424ce71b62b4c3e4d9c6895facf9d42824125932a78727517eafdfa8fbde8e8c", + "name": "Improper Input Validation", + "description": "minimist could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.", + "severity": "Medium", + "solution": "Upgrade to version 1.2.2 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "minimist" + }, + "version": "0.0.8" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-53e8766c-27eb-4278-8c4f-3dcef53a68bf", + "value": "53e8766c-27eb-4278-8c4f-3dcef53a68bf", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/minimist/CVE-2020-7598.yml" + }, + { + "type": "cve", + "name": "CVE-2020-7598", + "value": "CVE-2020-7598", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "minimist:0.0.8" + } + } + }, + { + "id": "5bde45fd64c7e86f1e8422c1ba37dde520cdcfe3e47a41b12b964add6ff07ca2", + "name": "Improper Input Validation", + "description": "yargs-parser could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.", + "severity": "Medium", + "solution": "Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + 
"package": { + "name": "yargs-parser" + }, + "version": "8.1.0" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-a9e73366-2694-40b0-bcc1-795368307084", + "value": "a9e73366-2694-40b0-bcc1-795368307084", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/yargs-parser/CVE-2020-7608.yml" + }, + { + "type": "cve", + "name": "CVE-2020-7608", + "value": "CVE-2020-7608", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "vendor": "NVD", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "yargs-parser:8.1.0" + } + } + }, + { + "id": "092b4bb732959dcbe450891a4bc4383199c6b0f22ee209807d28a633654b48a4", + "name": "Improper Input Validation", + "description": "yargs-parser could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.", + "severity": "Medium", + "solution": "Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or above.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "yargs-parser" + }, + "version": "9.0.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-a9e73366-2694-40b0-bcc1-795368307084", + "value": "a9e73366-2694-40b0-bcc1-795368307084", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/yargs-parser/CVE-2020-7608.yml" + }, + { + "type": "cve", + "name": "CVE-2020-7608", + "value": "CVE-2020-7608", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "vendor": "NVD", + "vector": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "yargs-parser:9.0.2" + } + } + }, + { + "id": "084449a2d123457ebe9c8336ee951664e2605ee4d30e410f40eb14804529da0a", + "name": "Regular Expression Denial of Service", + "description": "Decamelize uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.", + "severity": "Unknown", + "solution": "Upgrade to version 1.1.2 or later.", + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "decamelize" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-980f208d-a755-46f3-8bac-4decf4c48f56", + "value": "980f208d-a755-46f3-8bac-4decf4c48f56", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/npm/decamelize/GMS-2015-53.yml" + } + ], + "links": [ + { + "url": "https://github.com/sindresorhus/decamelize/issues/5" + }, + { + "url": "https://nodesecurity.io/advisories/308" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "decamelize:1.1.1" + } + } + } + ], + "scan": { + "analyzer": { + "id": "gemnasium", + "name": "Gemnasium", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.1.9" + }, + "scanner": { + "id": "gemnasium", + "name": "Gemnasium", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.1.9" + }, + "type": "dependency_scanning", + "start_time": "2025-09-08T11:14:29", + "end_time": "2025-09-08T11:14:36", + "status": "success", + "observability": { + "events": [ + { + "event": "collect_gemnasium_scan_metrics_from_pipeline", + 
"property": "e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4", + "label": "6.1.9", + "value": 100 + }, + { + "event": "collect_gemnasium_scan_sbom_metrics_from_pipeline", + "property": "e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4", + "label": "npm", + "value": 352, + "input_file_path": "package-lock.json" + }, + { + "event": "collect_gemnasium_scan_performance_metrics_from_pipeline", + "property": "e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4", + "value": 40 + } + ] + } + } +} diff --git a/ee/spec/services/security/process_scan_events_service_spec.rb b/ee/spec/services/security/process_scan_events_service_spec.rb index 2f33f729627353..a9d3e4c1c4188c 100644 --- a/ee/spec/services/security/process_scan_events_service_spec.rb +++ b/ee/spec/services/security/process_scan_events_service_spec.rb @@ -248,5 +248,40 @@ end end end + + context 'with DS Gemnasium scan events' do + using RSpec::Parameterized::TableSyntax + + let(:ds_artifact) { create(:ee_ci_job_artifact, :dependency_scanning_gemnasium_observability) } + let(:ds_pipeline) { ds_artifact.job.pipeline } + let(:ds_service_object) { described_class.new(ds_pipeline) } + + where(:event_name, :expected_properties) do + 'collect_gemnasium_scan_metrics_from_pipeline' | { + property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4', + label: '6.1.9', + value: 100 + } + 'collect_gemnasium_scan_sbom_metrics_from_pipeline' | { + property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4', + label: 'npm', + value: 352, + input_file_path: "package-lock.json" + } + 'collect_gemnasium_scan_performance_metrics_from_pipeline' | { + property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4', + value: 40 + } + end + + with_them do + it "triggers event data from '#{params[:event_name]}'" do + expect { ds_service_object.execute }.to trigger_internal_events(event_name).with( + project: ds_pipeline.project, + additional_properties: expected_properties + ) + end + end + end end end -- GitLab From 1f6fe2a2ff1a8035628e68e95de8c17bc6f8a0c3 Mon Sep 17 00:00:00 2001 
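Review bot: In the `where` table, `input_file_path: "package-lock.json"` is the only double-quoted literal while every other string in the hunk is single-quoted; make it `input_file_path: 'package-lock.json'` so the table reads uniformly. The scan UUID `'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4'` is also repeated in all three rows; if the table syntax in use allows it, a single named value the rows refer to would make a future fixture change a one-line edit. The spec asserts only that the three listed events fire; whether an event name present in the report but absent from the service's list is dropped is not covered here, though it may be covered earlier in the file. The enclosing `describe` block starts outside the hunk.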
From: Nick Ilieskou Date: Fri, 19 Sep 2025 12:36:17 +0200 Subject: [PATCH 2/3] Add events for gemnasium-python and gemnasium-maven --- ...asium_maven_scan_metrics_from_pipeline.yml | 24 +++++++++++++++++ ...scan_performance_metrics_from_pipeline.yml | 22 ++++++++++++++++ ..._maven_scan_sbom_metrics_from_pipeline.yml | 26 +++++++++++++++++++ ...sium_python_scan_metrics_from_pipeline.yml | 24 +++++++++++++++++ ...scan_performance_metrics_from_pipeline.yml | 22 ++++++++++++++++ ...python_scan_sbom_metrics_from_pipeline.yml | 26 +++++++++++++++++++ .../security/process_scan_events_service.rb | 6 +++++ 7 files changed, 150 insertions(+) create mode 100644 config/events/collect_gemnasium_maven_scan_metrics_from_pipeline.yml create mode 100644 config/events/collect_gemnasium_maven_scan_performance_metrics_from_pipeline.yml create mode 100644 config/events/collect_gemnasium_maven_scan_sbom_metrics_from_pipeline.yml create mode 100644 config/events/collect_gemnasium_python_scan_metrics_from_pipeline.yml create mode 100644 config/events/collect_gemnasium_python_scan_performance_metrics_from_pipeline.yml create mode 100644 config/events/collect_gemnasium_python_scan_sbom_metrics_from_pipeline.yml diff --git a/config/events/collect_gemnasium_maven_scan_metrics_from_pipeline.yml b/config/events/collect_gemnasium_maven_scan_metrics_from_pipeline.yml new file mode 100644 index 00000000000000..f6544edff28191 --- /dev/null +++ b/config/events/collect_gemnasium_maven_scan_metrics_from_pipeline.yml 
@@ -0,0 +1,24 @@
+---
+description: The event tracks Gemnasium scan data
+internal_events: true
+status: active
+action: collect_gemnasium_maven_scan_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: Gemnasium version
+ value:
+ description: Number of vulnerabilities
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_maven_scan_performance_metrics_from_pipeline.yml b/config/events/collect_gemnasium_maven_scan_performance_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..9ac7760b667bfc
--- /dev/null
+++ b/config/events/collect_gemnasium_maven_scan_performance_metrics_from_pipeline.yml
@@ -0,0 +1,22 @@
+---
+description: The event tracks Gemnasium performance data
+internal_events: true
+status: active
+action: collect_gemnasium_maven_scan_performance_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ value:
+ description: Scan duration in seconds
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_maven_scan_sbom_metrics_from_pipeline.yml b/config/events/collect_gemnasium_maven_scan_sbom_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..baed7714ba1efa
--- /dev/null
+++ b/config/events/collect_gemnasium_maven_scan_sbom_metrics_from_pipeline.yml
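Review bot: The `description` field of the new maven and python event definitions is copied verbatim from the existing gemnasium ones (`The event tracks Gemnasium scan data`, `The event tracks Gemnasium performance data`, `The event tracks Gemnasium SBOM scan data`), so in the event catalogue the six new definitions are distinguishable from the originals only by their `action` value. Naming the analyzer makes each definition self-describing, e.g. `description: The event tracks gemnasium-maven scan data` here and `description: The event tracks gemnasium-python scan data` in the python variant. The same applies to the performance and SBOM definitions in this patch and to the three python definitions in the following hunks.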
@@ -0,0 +1,26 @@
+---
+description: The event tracks Gemnasium SBOM scan data
+internal_events: true
+status: active
+action: collect_gemnasium_maven_scan_sbom_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: PURL type
+ value:
+ description: Components count
+ input_file_path:
+ description: Path of input (lock) file for SBOM
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_python_scan_metrics_from_pipeline.yml b/config/events/collect_gemnasium_python_scan_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..c7023bb0ff584f
--- /dev/null
+++ b/config/events/collect_gemnasium_python_scan_metrics_from_pipeline.yml
@@ -0,0 +1,24 @@
+---
+description: The event tracks Gemnasium scan data
+internal_events: true
+status: active
+action: collect_gemnasium_python_scan_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: Gemnasium version
+ value:
+ description: Number of vulnerabilities
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_python_scan_performance_metrics_from_pipeline.yml b/config/events/collect_gemnasium_python_scan_performance_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..e856503aab5545
--- /dev/null
+++ b/config/events/collect_gemnasium_python_scan_performance_metrics_from_pipeline.yml
@@ -0,0 +1,22 @@
+---
+description: The event tracks Gemnasium performance data
+internal_events: true
+status: active
+action: collect_gemnasium_python_scan_performance_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ value:
+ description: Scan duration in seconds
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/config/events/collect_gemnasium_python_scan_sbom_metrics_from_pipeline.yml b/config/events/collect_gemnasium_python_scan_sbom_metrics_from_pipeline.yml
new file mode 100644
index 00000000000000..e8cbfb8c2c1dad
--- /dev/null
+++ b/config/events/collect_gemnasium_python_scan_sbom_metrics_from_pipeline.yml
@@ -0,0 +1,26 @@
+---
+description: The event tracks Gemnasium SBOM scan data
+internal_events: true
+status: active
+action: collect_gemnasium_python_scan_sbom_metrics_from_pipeline
+identifiers:
+- project
+- namespace
+additional_properties:
+ property:
+ description: Scan UUID
+ label:
+ description: PURL type
+ value:
+ description: Components count
+ input_file_path:
+ description: Path of input (lock) file for SBOM
+product_group: composition_analysis
+product_categories:
+- software_composition_analysis
+milestone: '18.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202596/
+tiers:
+- free
+- premium
+- ultimate
diff --git a/ee/app/services/security/process_scan_events_service.rb b/ee/app/services/security/process_scan_events_service.rb
index 3f9790021b21d2..f3b514d4fa76d7 100644
--- a/ee/app/services/security/process_scan_events_service.rb
+++ b/ee/app/services/security/process_scan_events_service.rb
@@ -20,6 +20,12 @@ class ProcessScanEventsService collect_gemnasium_scan_metrics_from_pipeline collect_gemnasium_scan_sbom_metrics_from_pipeline collect_gemnasium_scan_performance_metrics_from_pipeline + collect_gemnasium_maven_scan_metrics_from_pipeline + collect_gemnasium_maven_scan_sbom_metrics_from_pipeline + collect_gemnasium_maven_scan_performance_metrics_from_pipeline + collect_gemnasium_python_scan_metrics_from_pipeline + collect_gemnasium_python_scan_sbom_metrics_from_pipeline + collect_gemnasium_python_scan_performance_metrics_from_pipeline ].freeze def self.execute(pipeline) -- GitLab From 9aec2d0a6a2c770dfbbcb297482813e7b4f1acf9 Mon Sep 17 00:00:00 2001 From: Zamir Martins Filho Date: Fri, 19 Sep 2025 23:18:02 -0400 Subject: [PATCH 3/3] Update specs for gemnasium python and maven --- ee/spec/factories/ci/job_artifacts.rb | 14 +- ...-report-gemnasium-maven-observability.json | 3297 +++++++++++++++++ ...report-gemnasium-python-observability.json | 999 +++++ .../process_scan_events_service_spec.rb | 75 +- 4 files changed, 4362 insertions(+), 23 deletions(-) create mode 100644 ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-maven-observability.json create mode 100644 ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-python-observability.json diff --git a/ee/spec/factories/ci/job_artifacts.rb b/ee/spec/factories/ci/job_artifacts.rb index 37d75d6f764f2e..51caed75e2265a 100644 --- a/ee/spec/factories/ci/job_artifacts.rb +++ b/ee/spec/factories/ci/job_artifacts.rb 
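Review bot: The frozen array this hunk extends now holds nine names that differ only in the analyzer infix, and nothing near it says what the list is for. If it is the allowlist that decides which `scan.observability.events` entries of a report are turned into internal events — which the fixture in the first patch suggests, since the report is produced by a CI job and its event names are not trusted on their own — a one-line comment above the constant would make that contract explicit, e.g. `# Allowlist of internal event names a scanner report may emit; entries not listed here are ignored.`. The constant's declaration and the code that consults it start outside the hunk, so the wording needs confirming against them before it is added.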
@@ -309,13 +309,15 @@ end end - trait :dependency_scanning_gemnasium_observability do - file_format { :raw } - file_type { :dependency_scanning } + ['', 'python', 'maven'].each do |analyzer| + trait :"dependency_scanning_gemnasium#{analyzer.present? ? "_#{analyzer}" : ''}_observability" do + file_format { :raw } + file_type { :dependency_scanning } - after(:build) do |artifact, _| - artifact.file = fixture_file_upload( - Rails.root.join('ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-observability.json'), 'application/json') + after(:build) do |artifact, _| + artifact.file = fixture_file_upload( + Rails.root.join("ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium#{analyzer.present? ? "-#{analyzer}" : ''}-observability.json"), 'application/json') + end end end diff --git a/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-maven-observability.json b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-maven-observability.json new file mode 100644 index 00000000000000..aad450a340882b --- /dev/null +++ b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-maven-observability.json 
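Review bot: The loop over `['', 'python', 'maven']` repeats the `analyzer.present? ? "_#{analyzer}" : ''` conditional twice, once with `_` for the trait name and once with `-` for the fixture path, and the empty-string sentinel for the plain gemnasium case is easy to misread. Iterating over the fixture names themselves removes both conditionals: `%w[gemnasium gemnasium-python gemnasium-maven].each do |analyzer|`, `trait :"dependency_scanning_#{analyzer.tr('-', '_')}_observability" do`, and `Rails.root.join("ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-#{analyzer}-observability.json")`. That yields the same three trait names and fixture paths as the hunk. The enclosing `factory` block starts outside the hunk.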
@@ -0,0 +1,3297 @@ +{ + "version": "15.1.4", + "vulnerabilities": [ + { + "id": "47c566d92dc385aacf5e87a3201d173ee3ef5cce144323401e3e5b0f7976df2c", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable by sending maliciously crafted JSON input to the `readValue` method of the `ObjectMapper`, bypassing a denylist that is ineffective if the `c3p0` libraries are available in the classpath.", + "severity": "Critical", + "solution": "Upgrade to versions 2.7.9.3, 2.8.11.1, 2.9.5 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-0a647516-66dc-4381-9da7-601193d849e6", + "value": "0a647516-66dc-4381-9da7-601193d849e6", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-7489.yml" + }, + { + "type": "cve", + "name": "CVE-2018-7489", + "value": "CVE-2018-7489", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, + { + "url": "http://www.securityfocus.com/bid/103203" + }, + { + "url": "http://www.securitytracker.com/id/1040693" + }, + { + "url": "http://www.securitytracker.com/id/1041890" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20180328-0001/" + }, + { + "url": "https://www.debian.org/security/2018/dsa-4190" + } + ], + 
"details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "95fd056b93aab5b79b210b35dba4630ad456befae987ee8bc774efdf7a499ef7", + "name": "Deserialization of Untrusted Data", + "description": "A flaw was discovered in jackson-databind where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.3, 2.8.11.5, 2.9.10 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-18cb0273-dc70-4b3e-9f99-febc2d1e6bd0", + "value": "18cb0273-dc70-4b3e-9f99-febc2d1e6bd0", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-14892.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14892", + "value": "CVE-2019-14892", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14892" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14892" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "eb850cfd682477d7abe587a316ed5b64ea54108e4d5183b7fd5558839aa2d0fa", + "name": "Server-Side Request Forgery (SSRF)", + "description": "FasterXML jackson-databind might allow remote attackers to conduct 
server-side request forgery (SSRF) attacks by leveraging failure to block the `axis2-jaxws` class from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.2, 2.9.7 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-1c55a5df-5272-42bd-8b99-b2c315305990", + "value": "1c55a5df-5272-42bd-8b99-b2c315305990", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-14721.yml" + }, + { + "type": "cve", + "name": "CVE-2018-14721", + "value": "CVE-2018-14721", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "7d42d8fb8e95293b081012225421a0e0ac4aa083b8d37af208cf60eee0adbdc8", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.6 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": 
"Gemnasium-20072e68-d058-4a74-98ad-1a54d2bc85ea", + "value": "20072e68-d058-4a74-98ad-1a54d2bc85ea", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-24616.yml" + }, + { + "type": "cve", + "name": "CVE-2020-24616", + "value": "CVE-2020-24616", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24616" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "0783666199fe94543c1a51c2f5f1bfe7dd13d33f5cd43eb68bd3c7bb700a24ae", + "name": "Improper Input Validation", + "description": "`SubTypeValidator.java` in FasterXML jackson-databind mishandles default typing when ehcache is used (because of `net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup`), leading to remote code execution.", + "severity": "Critical", + "solution": "Upgrade to versions 2.7.9.6, 2.8.11.4, 2.9.9.2 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-2e639b4f-f53c-4a3e-a91f-d9731e93c4bc", + "value": "2e639b4f-f53c-4a3e-a91f-d9731e93c4bc", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-14379.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14379", + "value": "CVE-2019-14379", + "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "687ab39ac87333e2618845cdb7fe0ad3f99a9d1d3518b7832088ac0b1bb2b1f5", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-3bcf7a04-be2f-4852-a0df-dab725385718", + "value": "3bcf7a04-be2f-4852-a0df-dab725385718", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-11620.yml" + }, + { + "type": "cve", + "name": "CVE-2020-11620", + "value": "CVE-2020-11620", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620" + } + ], + "details": { + "vulnerable_package": { + "type": 
"text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "b65587ec0be43f20ce5d2464cd9cee78de25015f1f3f8ab5d97986bc1cc051e0", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable by sending maliciously crafted JSON input to the `readValue` method of the `ObjectMapper`, bypassing a denylist that is ineffective if the Spring libraries are available in the classpath.", + "severity": "Critical", + "solution": "Upgrade to versions 2.8.11, 2.9.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-3f9723f9-2899-414a-85c5-5bf83db14382", + "value": "3f9723f9-2899-414a-85c5-5bf83db14382", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2017-17485.yml" + }, + { + "type": "cve", + "name": "CVE-2017-17485", + "value": "CVE-2017-17485", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/archive/1/541652/100/0/threaded" + }, + { + "url": "http://www.securityfocus.com/archive/1/archive/1/541652/100/0/threaded" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855" + }, + { + "url": "https://github.com/irsl/jackson-rce-via-spel/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20180201-0003/" + }, + { + "url": "https://www.debian.org/security/2018/dsa-4114" + } + ], + 
"details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "8eb9856bd505ea1fb12b57a426b8b6532e6d39ac90d47414718d8979ce6f4ec4", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the `commons-dbcp` jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of `org.apache.commons.dbcp.datasources.SharedPoolDataSource` and `org.apache.commons.dbcp.datasources.PerUserPoolDataSource` mishandling.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-523eaaba-031d-4454-9cc9-d6b0d6753d40", + "value": "523eaaba-031d-4454-9cc9-d6b0d6753d40", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-16942.yml" + }, + { + "type": "cve", + "name": "CVE-2019-16942", + "value": "CVE-2019-16942", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16942" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { 
+ "id": "89bc86064cff11776a6122611abbabded75b95f12cd5de773690f5a5f1c554e9", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of `com.p6spy.engine.spy.P6DataSource` mishandling.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-5ee60948-63a0-47a6-8807-378df68649fe", + "value": "5ee60948-63a0-47a6-8807-378df68649fe", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-16943.yml" + }, + { + "type": "cve", + "name": "CVE-2019-16943", + "value": "CVE-2019-16943", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16943" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "8a8f2d6bf920f65cf20f5ebbd476c7528a19b223055a87bbedd7cf8eb4805138", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the 
`blaze-ds-opt` and `blaze-ds-core` classes from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.2, 2.9.7 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-607d0147-9c8a-409e-9f51-6f04a7e0ccda", + "value": "607d0147-9c8a-409e-9f51-6f04a7e0ccda", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-14719.yml" + }, + { + "type": "cve", + "name": "CVE-2018-14719", + "value": "CVE-2018-14719", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "fa93d0ab627a8291153e95ac6c69a0943165ce72a00d30a74b5b6502c58e7ee7", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `slf4j-ext` class from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.2, 2.9.7 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-73508662-4968-4c9f-9d28-4d023a05c568", + "value": "73508662-4968-4c9f-9d28-4d023a05c568", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-14718.yml" + }, + { + "type": "cve", + "name": "CVE-2018-14718", + "value": "CVE-2018-14718", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/106601" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "91a2070ed56a4655983c1c9b50d49ce19cbf3ec536cf91d3ca5a459ae07e68e9", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `jboss-common-core` class from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-7c40ccdb-6610-4214-a217-e8ee78ac4122", + "value": "7c40ccdb-6610-4214-a217-e8ee78ac4122", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-19362.yml" + }, + { + "type": "cve", + "name": "CVE-2018-19362", + "value": "CVE-2018-19362", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", 
+ "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/107985" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186" + }, + { + "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "ecd11f23967bd1762ce25ca1227ba22cf1ddeb28795e27226c2ee8b08073cebf", + "name": "Deserialization of Untrusted Data", + "description": "A flaw was discovered in FasterXML jackson-databind that permits polymorphic deserialization of malicious objects. Specifically when the xalan JNDI gadget is used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`. The gadget may also be combined with `@JsonTypeInfo` when it is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way which `ObjectMapper.readValue` might instantiate objects from unsafe sources. 
An attacker could use this flaw to execute arbitrary code.", + "severity": "Critical", + "solution": "Upgrade to versions 2.8.11.5, 2.9.10 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-818c1b22-effd-4eb1-bf4b-d6d540effe21", + "value": "818c1b22-effd-4eb1-bf4b-d6d540effe21", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-14893.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14893", + "value": "CVE-2019-14893", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14893" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "f16d41fc736237e456f34ba6ab3528a54990940e03a46cca0705267e2e339273", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `openjpa` class from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-8496ae15-5730-4977-a603-d708dc85e883", + "value": 
"8496ae15-5730-4977-a603-d708dc85e883", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-19361.yml" + }, + { + "type": "cve", + "name": "CVE-2018-19361", + "value": "CVE-2018-19361", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/107985" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186" + }, + { + "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "cf45fcf901458daacecd0f0e2aabb2dc7eb95eb63e99d3c845f79765a93d9818", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-8b40451d-5a8f-443e-ada7-42da12f9bd9c", + "value": "8b40451d-5a8f-443e-ada7-42da12f9bd9c", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-11619.yml" + }, + { + "type": "cve", + "name": "CVE-2020-11619", + "value": "CVE-2020-11619", + "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "3420ed865f1121703d18a8dda7543f6fe1e8305ca88dfadd6582317b8afb192d", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to `com.zaxxer.hikari.HikariDataSource`. This is a different vulnerability than CVE-2019-14540.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-97c5173b-cc37-461f-9dd2-399c1f3f474c", + "value": "97c5173b-cc37-461f-9dd2-399c1f3f474c", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-16335.yml" + }, + { + "type": "cve", + "name": "CVE-2019-16335", + "value": "CVE-2019-16335", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": 
"com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "af65b0c6319fa836a6b8efcfd115e3c060ccadd0bb12328d2d685a2ac5d00add", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-ac9dc2e0-8dab-4842-ac1d-4791aa3fa258", + "value": "ac9dc2e0-8dab-4842-ac1d-4791aa3fa258", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-19360.yml" + }, + { + "type": "cve", + "name": "CVE-2018-19360", + "value": "CVE-2018-19360", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/107985" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186" + }, + { + "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "9be0c082929c69da801a07167d0c4d6a1c947e4610e0abb1c420cca870f69f24", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization 
gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPConfig`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-bfaa41f0-a3df-4046-b361-84d05814aeca", + "value": "bfaa41f0-a3df-4046-b361-84d05814aeca", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-9548.yml" + }, + { + "type": "cve", + "name": "CVE-2020-9548", + "value": "CVE-2020-9548", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "475b62aac29b5eda75939eee53beea4d5c2c4a5c8cdf6994503a038822d8a66a", + "name": "Improper Restriction of XML External Entity Reference", + "description": "FasterXML jackson-databind might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.", + "severity": "Critical", + "solution": "Upgrade to versions 2.6.7.2, 2.9.7 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d6655adf-d79b-42d5-bb2f-04c030a5eeef", + "value": "d6655adf-d79b-42d5-bb2f-04c030a5eeef", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-14720.yml" + }, + { + "type": "cve", + "name": "CVE-2018-14720", + "value": "CVE-2018-14720", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "a03453ea88fac832d338d85b1ce0eb0eb68bd84979cc0d668cbbe2c377bb2540", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. 
It is related to `com.zaxxer.hikari.HikariConfig`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-dccd96de-e4ca-4391-bb31-64a1f1c97904", + "value": "dccd96de-e4ca-4391-bb31-64a1f1c97904", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-14540.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14540", + "value": "CVE-2019-14540", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14540" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "fce634567fd34ca431e8f6d14251aefc83585b36356e9438e6c1eddeb5d71a09", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind lacks certain `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.3 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-e7bf8528-85d0-4a59-827b-d99cb5faebd3", + "value": "e7bf8528-85d0-4a59-827b-d99cb5faebd3", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-8840.yml" + }, + { + "type": "cve", + "name": "CVE-2020-8840", + "value": "CVE-2020-8840", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "00b12b388e957610cd027adfe08a325b252c71432a29e185918e97f9a2fefd58", + "name": "Deserialization of Untrusted Data", + "description": "An issue was discovered in FasterXML jackson-databind. The use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content.", + "severity": "Critical", + "solution": "Upgrade to versions 2.7.9.4, 2.8.11.2, 2.9.6 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-f0aa9227-06f3-4eb9-a7d8-4186304b8d73", + "value": "f0aa9227-06f3-4eb9-a7d8-4186304b8d73", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-11307.yml" + }, + { + "type": "cve", + "name": "CVE-2018-11307", + "value": "CVE-2018-11307", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-11307" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "6e5bedfd39ddbe61d7a2fad70ce3cac7a5004fa253efa629eed231ddf56ccc13", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-fb4fd9b5-f692-49b5-9cf4-ca82958f2a53", + "value": "fb4fd9b5-f692-49b5-9cf4-ca82958f2a53", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-17267.yml" + }, + { + "type": "cve", + "name": "CVE-2019-17267", + "value": "CVE-2019-17267", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17267" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "bf375dd57aa57226d289f9177a8cd42114717e94813d110e7a4b7fdd59a4d561", + "name": "Improper Input Validation", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the `apache-log4j-extra` in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-fc79306c-cbe4-47bd-80a9-d2610a560930", + "value": "fc79306c-cbe4-47bd-80a9-d2610a560930", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-17531.yml" + }, + { + "type": "cve", + "name": "CVE-2019-17531", + "value": "CVE-2019-17531", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "0ce2479f184d58bed690609cd9498321f5e0635bfcf4ef27e09f057490148c70", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": 
"2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-fd4026b3-7569-4355-8630-1605bc2a5ee3", + "value": "fd4026b3-7569-4355-8630-1605bc2a5ee3", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-9547.yml" + }, + { + "type": "cve", + "name": "CVE-2020-9547", + "value": "CVE-2020-9547", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "ebf82713ebd060d3b6da27b1937bf7a09340acb2a974027ef08ff1fc15895da9", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig`.", + "severity": "Critical", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-fedb776b-74bb-494a-b877-69a557392300", + "value": "fedb776b-74bb-494a-b877-69a557392300", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-9546.yml" + }, + { + "type": "cve", + "name": "CVE-2020-9546", + "value": "CVE-2020-9546", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "b9a72e98bae8a3804ef97dae31b2d46be9bd88c3df7c08df46db73db0b3b1695", + "name": "Unsafe deserialization in TcpServer", + "description": "A malicious user can send a network message to the Geode locator and execute code if certain classes are present on the classpath.", + "severity": "Critical", + "solution": "Upgrade to version 1.4.0 or higher. In addition, users should set the flag validate-serializable-objects.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-08ee7d04-c94e-4938-a745-ffdddab7bd3f", + "value": "08ee7d04-c94e-4938-a745-ffdddab7bd3f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-15692.yml" + }, + { + "type": "cve", + "name": "CVE-2017-15692", + "value": "CVE-2017-15692", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15692" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://issues.apache.org/jira/browse/GEODE-3923" + }, + { + "url": "https://lists.apache.org/thread.html/5a453c1543e66704d39c233aef0023a492860e579eb9d6b6ffb0c5c2@%3Cdev.geode.apache.org%3E" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": 
"cc00198120483d994e434eac48f9eda1ad27657c3e93c29526ca7da168772453", + "name": "Authorization bypass in JGroups", + "description": "JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.", + "severity": "Critical", + "solution": "Upgrade to version 4.0 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.jgroups/jgroups" + }, + "version": "3.6.10.Final" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-e03ae964-1815-4d53-8709-85335366d0c8", + "value": "e03ae964-1815-4d53-8709-85335366d0c8", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.jgroups/jgroups/CVE-2016-2141.yml" + }, + { + "type": "cve", + "name": "CVE-2016-2141", + "value": "CVE-2016-2141", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2141" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1313589" + }, + { + "url": "https://issues.jboss.org/browse/JGRP-2021" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.jgroups/jgroups:3.6.10.Final" + } + } + }, + { + "id": "5dc37a12f5c3183c8ef8155de5e8f45ed27dd848693725734b07a2f12d0a4de3", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind allows unauthenticated remote code execution. 
This is exploitable via two different gadgets that bypass a denylist.", + "severity": "High", + "solution": "Upgrade to versions 2.7.9.5, 2.8.11.1, 2.9.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-0e5fec86-8e66-474c-9e93-b7e519017fe3", + "value": "0e5fec86-8e66-474c-9e93-b7e519017fe3", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-5968.yml" + }, + { + "type": "cve", + "name": "CVE-2018-5968", + "value": "CVE-2018-5968", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1899" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5968" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20180423-0002/" + }, + { + "url": "https://www.debian.org/security/2018/dsa-4114" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "2bc9f753efe2ecfd3fdc49763c020707125636b626a872c6bae62e85e53eda39", + "name": "Deserialization of Untrusted Data", + "description": "When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", + "severity": "High", + "solution": "Upgrade to versions 2.7.9.4, 2.8.11.2, 2.9.6 or above.", + "location": 
{ + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-0e64d9f6-1019-4c26-982c-220bf9cbc832", + "value": "0e64d9f6-1019-4c26-982c-220bf9cbc832", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-12022.yml" + }, + { + "type": "cve", + "name": "CVE-2018-12022", + "value": "CVE-2018-12022", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/107585" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "017962114ce2d2e4f8699915962c0f692e900221a66b66afeddca8f730e59bb0", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `javax.swing.JEditorPane`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-28e2c4f0-bf52-4af0-a8e9-fdc3567d7593", + "value": "28e2c4f0-bf52-4af0-a8e9-fdc3567d7593", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-10969.yml" + }, + { + "type": "cve", + "name": "CVE-2020-10969", + "value": "CVE-2020-10969", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "5c8b785360284a7c5a104a6795ff71b4d44581d0c69647197f909a45f2b766f0", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.proxy.provider.remoting.RmiProvider`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-4a3da353-89c5-47d3-92f9-93b989622c61", + "value": "4a3da353-89c5-47d3-92f9-93b989622c61", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-11112.yml" + }, + { + "type": "cve", + "name": "CVE-2020-11112", + "value": "CVE-2020-11112", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-11112" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "df5d5e1a2db2d073c9d67020e3a2bf99e97b1a86ae04691f95f24421a47d4603", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.5 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-63345218-5b88-44c7-9e5e-26aefa7a18f9", + "value": "63345218-5b88-44c7-9e5e-26aefa7a18f9", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-14062.yml" + }, + { + "type": "cve", + "name": "CVE-2020-14062", + "value": "CVE-2020-14062", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "2fdaa5a8144490378181ccb964574984aafe506f19713761ad8f1cedaf050e13", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.activemq.*`.", + "severity": "High", + 
"solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-636d3b5b-d5f9-4ece-9bc5-8eadc74c8580", + "value": "636d3b5b-d5f9-4ece-9bc5-8eadc74c8580", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-11111.yml" + }, + { + "type": "cve", + "name": "CVE-2020-11111", + "value": "CVE-2020-11111", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11111" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "39d462535ae45dd2611b1cdc03896313d87199d036258887f4d65e3cfb8f0398", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.5 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6f69a1e2-94fd-4a8c-a6e3-1a14f01a5d70", + "value": "6f69a1e2-94fd-4a8c-a6e3-1a14f01a5d70", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-14060.yml" + }, + { + 
"type": "cve", + "name": "CVE-2020-14060", + "value": "CVE-2020-14060", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "8d284fc5d77c0b5a43d7aa9487fb07248d35d89c29675a0fe7f919330a7f9d9a", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.openjpa.ee.WASRegistryManagedRuntime`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-79bad4c2-5679-4a0f-a6fe-c7eab4c1fd24", + "value": "79bad4c2-5679-4a0f-a6fe-c7eab4c1fd24", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-11113.yml" + }, + { + "type": "cve", + "name": "CVE-2020-11113", + "value": "CVE-2020-11113", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": 
"com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "5eb234ab896218f78c9594a2dbbbae00a0dc5670bd930b48e775e0b8e021b9ee", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-8501d2c5-e2ae-4d35-b631-93a579bdab2f", + "value": "8501d2c5-e2ae-4d35-b631-93a579bdab2f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-10672.yml" + }, + { + "type": "cve", + "name": "CVE-2020-10672", + "value": "CVE-2020-10672", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10672" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "17e7c4c78c3c5aebb778dad71d93c21d700abb6f5a325339d45526034cb0d2c4", + "name": "Information Exposure", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.", + "severity": "High", + "solution": "Upgrade to versions 2.7.9.6, 2.8.11.4, 2.9.9 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-9df2bd87-497d-468f-8006-c980375634fa", + "value": "9df2bd87-497d-468f-8006-c980375634fa", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-12086.yml" + }, + { + "type": "cve", + "name": "CVE-2019-12086", + "value": "CVE-2019-12086", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/109227" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "eb529bc59cd70a68ab0d1edb2d3b8b8239e54fd4a1cf3a55cb06b1656e26782f", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.aoju.bus.proxy.provider.remoting.RmiProvider`.", + "severity": "High", + 
"solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-badcdfa5-3a21-40a2-a3ca-37f0c4b58379", + "value": "badcdfa5-3a21-40a2-a3ca-37f0c4b58379", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-10968.yml" + }, + { + "type": "cve", + "name": "CVE-2020-10968", + "value": "CVE-2020-10968", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10968" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "7a7c35905c81f248c11e962dac6994d864809882dacb9bffe5760c44302a36d9", + "name": "Deserialization of Untrusted Data", + "description": "When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", + "severity": "High", + "solution": "Upgrade to versions 2.7.9.4, 2.8.11.2, 2.9.6 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d6e4e411-2dcb-4839-86c5-999c25b804b6", + "value": "d6e4e411-2dcb-4839-86c5-999c25b804b6", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-12023.yml" + }, + { + "type": "cve", + "name": "CVE-2018-12023", + "value": "CVE-2018-12023", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/105659" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "38891d51dc1b6091b97dcc06711be967a0e08bad3b60dabec1d5c428a5151513", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d8afa3e4-c1fb-4623-bb7c-4bb627f350d0", + "value": "d8afa3e4-c1fb-4623-bb7c-4bb627f350d0", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-10673.yml" + }, + { + "type": "cve", + "name": "CVE-2020-10673", + "value": "CVE-2020-10673", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10673" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + 
"links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "7f3fa078dd06b1273f1b03a4898cad56dc708cac0b0bf3f9c360975fa5a1d6b7", + "name": "Information Exposure", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.", + "severity": "High", + "solution": "Upgrade to versions 2.7.9.6, 2.8.11.4, 2.9.9.2 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-ea403343-8d37-430d-9238-e27386f2843b", + "value": "ea403343-8d37-430d-9238-e27386f2843b", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-14439.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14439", + "value": "CVE-2019-14439", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14439" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "a636f4c446b4672ecc72fb04b7eb858dd5db0716d79096e4fa4e21032a3e0627", + "name": "Deserialization of 
Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, `oracle.jms.AQjmsXATopicConnectionFactory`, `oracle.jms.AQjmsTopicConnectionFactory`, `oracle.jms.AQjmsXAQueueConnectionFactory`, and `oracle.jms.AQjmsXAConnectionFactory`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.5 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-edc66951-7acf-464f-84a5-affbf58d98bf", + "value": "edc66951-7acf-464f-84a5-affbf58d98bf", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-14061.yml" + }, + { + "type": "cve", + "name": "CVE-2020-14061", + "value": "CVE-2020-14061", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "f5ae8a5a160e050ab98677b4fc24f924bc69374669013324dd55921f35822112", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.", + "severity": "High", + "solution": "Upgrade to version 2.9.10.5 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": 
"com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-f1295f10-304d-429f-b61b-bc01d40dee4c", + "value": "f1295f10-304d-429f-b61b-bc01d40dee4c", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-14195.yml" + }, + { + "type": "cve", + "name": "CVE-2020-14195", + "value": "CVE-2020-14195", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14195" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "bb24f8c0d957554b07257ba3c04ddc40a187643343c7b9283697e14ef087d04a", + "name": "Deserialization of Untrusted Data", + "description": "In Apache Commons Beanutils, a special `BeanIntrospector` class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. 
We, however were not using this by default characteristic of the PropertyUtilsBean.", + "severity": "High", + "solution": "Upgrade to version 1.9.4 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "commons-beanutils/commons-beanutils" + }, + "version": "1.8.3" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-b1794c16-e802-4be1-9778-372d79481103", + "value": "b1794c16-e802-4be1-9778-372d79481103", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/commons-beanutils/commons-beanutils/CVE-2019-10086.yml" + }, + { + "type": "cve", + "name": "CVE-2019-10086", + "value": "CVE-2019-10086", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e" + }, + { + "url": "https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "commons-beanutils/commons-beanutils:1.8.3" + } + } + }, + { + "id": "6b650b9739aa89d2433792c3a54a5317d8c96df6973e067c6917bb2a8d8acf1b", + "name": "Class Loader manipulation via request parameters", + "description": "This package does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts 1.", + "severity": "High", + "solution": "Upgrade to the latest 
version", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "commons-beanutils/commons-beanutils" + }, + "version": "1.8.3" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-dc5c6ffc-f1f7-494c-9c53-735bfc54215d", + "value": "dc5c6ffc-f1f7-494c-9c53-735bfc54215d", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/commons-beanutils/commons-beanutils/CVE-2014-0114.yml" + }, + { + "type": "cve", + "name": "CVE-2014-0114", + "value": "CVE-2014-0114", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro" + }, + { + "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "commons-beanutils/commons-beanutils:1.8.3" + } + } + }, + { + "id": "8f4cb5cf81980a721a1397e65f9165ac05f2cdcbb24d1cd69f4ad6818b8ed131", + "name": "Unsafe deserialization of application objects", + "description": "The Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. An user with `DATA:WRITE` access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. ", + "severity": "High", + "solution": "Upgrade to version 1.4.0 or higher. 
In addition, users should set the flags validate-serializable-objects and serializable-object-filter.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-8caf475b-d9dc-456f-9d00-3ba468b928c6", + "value": "8caf475b-d9dc-456f-9d00-3ba468b928c6", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-15693.yml" + }, + { + "type": "cve", + "name": "CVE-2017-15693", + "value": "CVE-2017-15693", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15693" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://issues.apache.org/jira/browse/GEODE-3923" + }, + { + "url": "https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "bab7dd3851a78a2781d31ecd418c212cc1cb87547593f967ba6a9005118ba850", + "name": "OQL method invocation vulnerability", + "description": "A malicious user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. 
In addition a user could invoke methods that allow remote code execution.", + "severity": "High", + "solution": "Upgrade to 1.3.0 or later", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-ba155080-976b-44d3-803d-2bc35c024a13", + "value": "ba155080-976b-44d3-803d-2bc35c024a13", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-9795.yml" + }, + { + "type": "cve", + "name": "CVE-2017-9795", + "value": "CVE-2017-9795", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9795" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://github.com/apache/geode/pull/837" + }, + { + "url": "https://issues.apache.org/jira/browse/GEODE-3247" + }, + { + "url": "https://lists.apache.org/thread.html/0fc5ea3c1ea06fe7058a0ab56d593914b05f728a6c93c5a6755956c7@%3Cuser.geode.apache.org%3E" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "e82fdd1780017d39abc25baf65bc697ddedfa6a9a7098d78ff839d05b5a60edc", + "name": "Authentication bypass", + "description": "The Geode configuration service does not properly authorize configuration requests. 
This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.", + "severity": "High", + "solution": "Upgrade to version 1.4.0 or higher", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c0f8561a-9cf5-4dd0-ac17-3a3d612d5b6d", + "value": "c0f8561a-9cf5-4dd0-ac17-3a3d612d5b6d", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-15696.yml" + }, + { + "type": "cve", + "name": "CVE-2017-15696", + "value": "CVE-2017-15696", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15696" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://issues.apache.org/jira/browse/GEODE-3962" + }, + { + "url": "https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f@%3Cdev.geode.apache.org%3E" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "e8b527aa461b6443bf2a8acf41af520797f1f6c84ac6684c830f415bd258ee40", + "name": "Permission Issues", + "description": "Apache Geode server is configured with a security manager, a user with `DATA:WRITE` privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. 
Code deployment should be restricted to users with `DATA:MANAGE` privilege.", + "severity": "High", + "solution": "Upgrade to version 1.5.0 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-c435ceca-2287-4ec6-b588-b81d9a36b5c3", + "value": "c435ceca-2287-4ec6-b588-b81d9a36b5c3", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-15695.yml" + }, + { + "type": "cve", + "name": "CVE-2017-15695", + "value": "CVE-2017-15695", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15695" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/104465" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15695" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "541e72883967a4ca15188dea7d73e76f3817d56a4d88fadb16a57a199045f056", + "name": "gfsh authorization vulnerability", + "description": "When an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without `CLUSTER:MANAGE` privileges.", + "severity": "High", + "solution": "Upgrade to 1.3.0 or later", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-cb0ab93a-2149-4f2c-b260-26e802e6be9d", + "value": "cb0ab93a-2149-4f2c-b260-26e802e6be9d", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-12622.yml" + }, + { + "type": "cve", + "name": "CVE-2017-12622", + "value": "CVE-2017-12622", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12622" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N" + } + ], + "links": [ + { + "url": "https://github.com/apache/geode/commit/db4a493efc09600bf0a9778d5274c09b23b16644" + }, + { + "url": "https://issues.apache.org/jira/browse/GEODE-3685" + }, + { + "url": "https://lists.apache.org/thread.html/560578479dabbdc93d0ee8746b7c857549202ef82f43aa22496aa589@%3Cuser.geode.apache.org%3E" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "a13302b4358b56e123f29726de14e3e90a694dd22845952fb2ac8281d4bcb0c8", + "name": "Improper Input Validation", + "description": "Fasterxml Jackson does not properly validate user input leading to a DoS. 
Specifically, deserializing malicious input of very large values in the nanoseconds field of a time value.", + "severity": "Medium", + "solution": "Upgrade to version 2.9.8 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-226810e9-a181-4222-92b7-93752da65e19", + "value": "226810e9-a181-4222-92b7-93752da65e19", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2018-1000873.yml" + }, + { + "type": "cve", + "name": "CVE-2018-1000873", + "value": "CVE-2018-1000873", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1665601" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000873" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "0ee16befb449b8affb105aef3a3fb44c2a746d2a4ad25dafd32c332e01c6b2ca", + "name": "Information Disclosure", + "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.", + "severity": "Medium", + "solution": "Upgrade to versions 2.7.9.6, 2.8.11.4, 2.9.9.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-64a8d8c4-3e77-4d6b-a195-f4e2f93d95fe", + "value": "64a8d8c4-3e77-4d6b-a195-f4e2f93d95fe", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-12814.yml" + }, + { + "type": "cve", + "name": "CVE-2019-12814", + "value": "CVE-2019-12814", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12814" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "1ae6c9f2ce8f6478f525fb1362158d487661b2194bc0af550d311857a3c6c1f2", + "name": "Deserialization of Untrusted Data", + "description": "FasterXML jackson-databind might allow attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. 
Depending on the classpath content, remote code execution may be possible.", + "severity": "Medium", + "solution": "Upgrade to versions 2.7.9.6, 2.8.11.4, 2.9.9.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "com.fasterxml.jackson.core/jackson-databind" + }, + "version": "2.9.2" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-ee5e6999-23b2-476b-ab3b-819a4e06724a", + "value": "ee5e6999-23b2-476b-ab3b-819a4e06724a", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2019-12384.yml" + }, + { + "type": "cve", + "name": "CVE-2019-12384", + "value": "CVE-2019-12384", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "com.fasterxml.jackson.core/jackson-databind:2.9.2" + } + } + }, + { + "id": "01ee38be277da15d4812d473ce6cf2b6b52706bf636ecaf9ae2a478543ba1556", + "name": "DoS by CPU exhaustion when using malicious SSL packets", + "description": "The `SslHandler` in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted `SSLv2Hello` message.", + "severity": "Medium", + "solution": "Upgrade to the latest version", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "io.netty/netty" + }, + "version": "3.9.1.Final" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "value": "d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/io.netty/netty/CVE-2014-3488.yml" + }, + { + "type": "cve", + "name": "CVE-2014-3488", + "value": "CVE-2014-3488", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "http://netty.io/news/2014/06/11/3.html" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3488" + }, + { + "url": "https://github.com/netty/netty/issues/2562" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "io.netty/netty:3.9.1.Final" + } + } + }, + { + "id": "d056fbb67de6d5b9d8ad0a00736a6fa0139215ac7febb30cfb275a1fd6ec54c0", + "name": "OQL bind parameter vulnerability", + "description": "A malicious user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.", + "severity": "Medium", + "solution": "Upgrade to 1.3.0 or later", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-0932979e-c712-438e-9b9c-d6bf97f075a9", + "value": "0932979e-c712-438e-9b9c-d6bf97f075a9", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-9796.yml" + }, + { + "type": "cve", + "name": "CVE-2017-9796", + "value": "CVE-2017-9796", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9796" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": 
"https://issues.apache.org/jira/browse/GEODE-3248" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "b6999ba433bee8c103f943c6f99c0f236c7fc7668c77c6dcf73643e4dc271557", + "name": "Metadata modification vulnerability", + "description": "When an Apache Geode server is operating in secure mode, a user with write permissions for specific data regions can modify internal cluster metadata. A malicious user could modify this data in a way that affects the operation of the cluster.", + "severity": "Medium", + "solution": "Upgrade to fixed version", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-13fcc46f-85b8-479b-be4a-f01c9f97fac4", + "value": "13fcc46f-85b8-479b-be4a-f01c9f97fac4", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-15694.yml" + }, + { + "type": "cve", + "name": "CVE-2017-15694", + "value": "CVE-2017-15694", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15694" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/108870" + }, + { + "url": "https://issues.apache.org/jira/browse/GEODE-3981" + }, + { + "url": "https://lists.apache.org/thread.html/311505e7b7a045aaa246f0a1935703acacf41b954621b1363c40bf6f@%3Cuser.geode.apache.org%3E" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15694" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": 
"821ef3d2a18e24faeb8bc3a108a688ed37c7eac33f7825e7a970fa86c44da75d", + "name": "Information Exposure", + "description": "When an Apache Geode cluster is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In addition, an attacker could perform a denial of service attack on the cluster.", + "severity": "Medium", + "solution": "Upgrade to version 1.2.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-cb52b151-b7bb-4353-a57e-47fcaa1ad25c", + "value": "cb52b151-b7bb-4353-a57e-47fcaa1ad25c", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-9797.yml" + }, + { + "type": "cve", + "name": "CVE-2017-9797", + "value": "CVE-2017-9797", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9797" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9797" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + }, + { + "id": "c36960db529147d8027073969312fb662073b9bd762cf01cc77f5fff91d9b0ab", + "name": "Information Exposure", + "description": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the `gfsh` command line utility to execute queries; the query results may contain data from another user's concurrently executing `gfsh` query, potentially revealing data that the user is not authorized to view.", + "severity": 
"Medium", + "solution": "Upgrade to version 1.2.1 or above.", + "location": { + "file": "pom.xml", + "dependency": { + "package": { + "name": "org.apache.geode/geode-core" + }, + "version": "1.1.1" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-e45efe77-b602-432d-a046-11164d0268a7", + "value": "e45efe77-b602-432d-a046-11164d0268a7", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/maven/org.apache.geode/geode-core/CVE-2017-9794.yml" + }, + { + "type": "cve", + "name": "CVE-2017-9794", + "value": "CVE-2017-9794", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9794" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9794" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "org.apache.geode/geode-core:1.1.1" + } + } + } + ], + "scan": { + "analyzer": { + "id": "gemnasium-maven", + "name": "gemnasium-maven", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.2.0" + }, + "scanner": { + "id": "gemnasium-maven", + "name": "gemnasium-maven", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.2.0" + }, + "type": "dependency_scanning", + "start_time": "2025-09-20T02:16:41", + "end_time": "2025-09-20T02:16:54", + "status": "success", + "observability": { + "events": [ + { + "event": "collect_gemnasium_maven_scan_metrics_from_pipeline", + "property": "077e707f-175c-4eed-a998-1be56780666d", + "label": "6.2.0", + "value": 59 + }, + { + "event": "collect_gemnasium_maven_scan_performance_metrics_from_pipeline", + "property": "077e707f-175c-4eed-a998-1be56780666d", + 
"value": 13 + }, + { + "event": "collect_gemnasium_maven_scan_sbom_metrics_from_pipeline", + "property": "077e707f-175c-4eed-a998-1be56780666d", + "label": "maven", + "value": 36, + "input_file_path": "pom.xml" + } + ] + } + } +} diff --git a/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-python-observability.json b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-python-observability.json new file mode 100644 index 00000000000000..79b32b8fb822f5 --- /dev/null +++ b/ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report-gemnasium-python-observability.json 
@@ -0,0 +1,999 @@ +{ + "version": "15.1.4", + "vulnerabilities": [ + { + "id": "e91171040ffd6c7fcf4a99f23ecaca22b907cb8e86d1fd83d218025ef592f422", + "name": "SQL Injection", + "description": "Due to an error in shallow key transformation, key and index lookups for `django.contrib.postgres.fields.JSONField`, and key lookups for `django.contrib.postgres.fields.HStoreField`, were subject to SQL injection. This could, for example, be exploited via crafted use of `OR 1=1` in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to the `QuerySet.filter()` function.", + "severity": "Critical", + "solution": "Upgrade to versions 1.11.23, 2.1.11, 2.2.4 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-1c876f07-617f-4ba9-8ea3-a871d14bcde2", + "value": "1c876f07-617f-4ba9-8ea3-a871d14bcde2", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-14234.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14234", + "value": "CVE-2019-14234", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14234" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "8fed1901e6a339ee79c106f909ed9431e98f2c2fff58719b4cf9313644e79910", + "name": "Weak Password Recovery 
Mechanism for Forgotten Password", + "description": "Django allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", + "severity": "Critical", + "solution": "Upgrade to versions 1.11.27, 2.2.9, 3.0.1 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-e1db52dc-7f84-4281-8b82-6a64da18a721", + "value": "e1db52dc-7f84-4281-8b82-6a64da18a721", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-19844.yml" + }, + { + "type": "cve", + "name": "CVE-2019-19844", + "value": "CVE-2019-19844", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "1338c7f2022f64efebe1251e08bb3bfc4cebba592d1451dc9a8c41108d5f28b5", + "name": "SQL Injection", + "description": "Django allows SQL Injection if untrusted data is used as a delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). 
By passing a suitably crafted delimiter to a `contrib.postgres.aggregates.StringAgg` instance, it was possible to break escaping and inject malicious SQL.", + "severity": "Critical", + "solution": "Upgrade to versions 1.11.28, 2.2.10, 3.0.3 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-ea400310-29db-4c48-8236-42d462d1de1c", + "value": "ea400310-29db-4c48-8236-42d462d1de1c", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2020-7471.yml" + }, + { + "type": "cve", + "name": "CVE-2020-7471", + "value": "CVE-2020-7471", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/3.0/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7471" + }, + { + "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "f04fcdb9f41228e007f31dc5a7e4ddcd6bf1a678faec9b60701400c6c38ec986", + "name": "Improper Input Validation", + "description": "A call to the methods `chars()` or `words() in `django.utils.text.Truncator` with the argument `html=True` evaluates certain inputs extremely slowly due to a catastrophic backtracking vulnerability in a regular expression. 
The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were thus vulnerable.", + "severity": "High", + "solution": "Upgrade to versions 1.11.23, 2.1.11, 2.2.4 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-3fee86b0-d8c1-4c65-9242-7607562190ae", + "value": "3fee86b0-d8c1-4c65-9242-7607562190ae", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-14232.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14232", + "value": "CVE-2019-14232", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14232" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "878ca2f563ddb3907db91c1949d4cc78250a60fc22113af7e34adc9170ef7c35", + "name": "Denial-of-service", + "description": "If passed certain inputs, `django.utils.encoding.uri_to_iri` could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", + "severity": "High", + "solution": "Upgrade to versions 1.11.23, 2.1.11, 2.2.4 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": 
"Gemnasium-49afe3f9-e7ab-4d52-ad25-6e04bfdd670d", + "value": "49afe3f9-e7ab-4d52-ad25-6e04bfdd670d", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-14235.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14235", + "value": "CVE-2019-14235", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14235" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "044d210bee399688c229093ad5c7720ad790501db4bb00c7c4d7cb08f596f89a", + "name": "Improper Input Validation", + "description": "Due to the behaviour of the underlying HTMLParser, `django.utils.html.strip_tags` would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", + "severity": "High", + "solution": "Upgrade to versions 1.11.23, 2.1.11, 2.2.4 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-4be2dbd8-301a-48cd-8ffd-db2edf367ac4", + "value": "4be2dbd8-301a-48cd-8ffd-db2edf367ac4", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-14233.yml" + }, + { + "type": "cve", + "name": "CVE-2019-14233", + "value": "CVE-2019-14233", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + 
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14233" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "3ae0aaddf20a715620265072db1ea87f090cab9db46a1ee0d4346b27c9447883", + "name": "SQL Injection", + "description": "Django allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", + "severity": "High", + "solution": "Upgrade to versions 1.11.29, 2.2.11, 3.0.4 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-5295f830-9e63-4a53-a81c-c6a7745e7aa8", + "value": "5295f830-9e63-4a53-a81c-c6a7745e7aa8", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2020-9402.yml" + }, + { + "type": "cve", + "name": "CVE-2020-9402", + "value": "CVE-2020-9402", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/3.0/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9402" + }, + { + "url": "https://www.djangoproject.com/weblog/2020/mar/04/security-releases/" + } + ], 
+ "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "d568403a75ab53eb7fa70d2a73fb991e596419cd2e1003a57260f1fd23d6ab31", + "name": "Uncontrolled Memory Consumption", + "description": "Django allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the `django.utils.numberformat.format()` function.", + "severity": "High", + "solution": "Upgrade to versions 1.11.20, 2.0.12, 2.1.7 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-aa6b0729-ecca-4f48-8ea0-b364044c09cc", + "value": "aa6b0729-ecca-4f48-8ea0-b364044c09cc", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-6975.yml" + }, + { + "type": "cve", + "name": "CVE-2019-6975", + "value": "CVE-2019-6975", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/106964" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975" + }, + { + "url": "https://cwe.mitre.org/data/definitions/789.html" + }, + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/" + }, + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-6975" + }, + { + "url": "https://usn.ubuntu.com/3890-1/" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2019/02/11/1" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "8dc3e9f26ca12556d9b7d9ea99dd6f4f06236df5a22f505771d6dab28b2223a3", + "name": "Cross-site Scripting", + "description": "An issue was discovered in Django. The `clickable` Current URL value displayed by the `AdminURLFieldWidget` displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.", + "severity": "Medium", + "solution": "Upgrade to versions 1.11.21, 2.1.9, 2.2.2 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-149e1ab4-7152-4fa8-a40a-9a50a31d6d2f", + "value": "149e1ab4-7152-4fa8-a40a-9a50a31d6d2f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-12308.yml" + }, + { + "type": "cve", + "name": "CVE-2019-12308", + "value": "CVE-2019-12308", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/" + }, + { + "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/" + }, + { + "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/" + }, + { + "url": 
"https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62" + }, + { + "url": "https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673" + }, + { + "url": "https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b" + }, + { + "url": "https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008" + }, + { + "url": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12308" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "74e77a3a8311e5ce854510a874fc9b21c95f853e7c20067a9368ac90cc9750d2", + "name": "Incorrect Regular Expression", + "description": "If `django.utils.text.Truncator`'s `chars()` and `words()` methods were passed the `html=True` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. 
The `chars()` and words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were thus vulnerable.", + "severity": "Medium", + "solution": "Upgrade to versions 1.8.19, 1.11.11, 2.0.3 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-1f2c3ac1-b729-4ac9-8c64-1dcbff84250e", + "value": "1f2c3ac1-b729-4ac9-8c64-1dcbff84250e", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2018-7537.yml" + }, + { + "type": "cve", + "name": "CVE-2018-7537", + "value": "CVE-2018-7537", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7537" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/103357" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7537" + }, + { + "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "16c6b562d0305b2d8cdc10489908ec02250f3c1f7f7f90428e965ffce80ab0be", + "name": "URL Redirection to Untrusted Site (Open Redirect)", + "description": "`django.middleware.common.CommonMiddleware` has an Open Redirect.", + "severity": "Medium", + "solution": "Upgrade to versions 1.11.15, 2.0.8 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-25669e1a-dcaa-4722-adfc-0f089945c95c", + "value": "25669e1a-dcaa-4722-adfc-0f089945c95c", + "url": 
"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2018-14574.yml" + }, + { + "type": "cve", + "name": "CVE-2018-14574", + "value": "CVE-2018-14574", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14574" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/104970" + }, + { + "url": "http://www.securitytracker.com/id/1041403" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14574" + }, + { + "url": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "e167d51aa01b6133c39be20d408bd08d968f42e1c97d0ea4093ca9b283e27021", + "name": "Improper Input Validation", + "description": "An HTTP request is not redirected to HTTPS when the `SECURE_PROXY_SSL_HEADER` and `SECURE_SSL_REDIRECT` settings are used, and the proxy connects to Django via HTTPS. 
In other words, `django.http.HttpRequest.scheme` has incorrect behavior when a client uses HTTP.", + "severity": "Medium", + "solution": "Upgrade to versions 1.11.22, 2.1.10, 2.2.3 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-42367e41-2c04-4f04-bdaa-ea72d0957ef8", + "value": "42367e41-2c04-4f04-bdaa-ea72d0957ef8", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-12781.yml" + }, + { + "type": "cve", + "name": "CVE-2019-12781", + "value": "CVE-2019-12781", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N" + } + ], + "links": [ + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12781" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "114bbfe336bdc3ba96470216c1b46a28c00cf6e0b61362a8d97ab623c3a683b3", + "name": "Incorrect Regular Expression", + "description": "An issue was discovered in Django. The `django.utils.html.urlize()` function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. 
The `urlize()` function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", + "severity": "Medium", + "solution": "Upgrade to versions 1.8.19, 1.11.11, 2.0.3 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-483f1247-a680-44c4-b609-c7a3ac65bd82", + "value": "483f1247-a680-44c4-b609-c7a3ac65bd82", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2018-7536.yml" + }, + { + "type": "cve", + "name": "CVE-2018-7536", + "value": "CVE-2018-7536", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7536" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/103361" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7536" + }, + { + "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "14cadd4b55c3698da7c4b0e0fdcfcfc0545efea0a0ac12dbba6e8bb6195bc1d2", + "name": "Possible XSS in traceback section of technical 500 debug page", + "description": "HTML auto-escaping was disabled in a portion of the template for the technical debug page. Given the right circumstances, this allowed a cross-site scripting attack. 
This vulnerability shouldn't affect most production sites since you shouldn't run with `DEBUG = True` (which makes this page accessible) in your production settings.", + "severity": "Medium", + "solution": "Upgrade to versions 1.10.8, 1.11.5 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": { + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6162a015-8635-4a15-8d7c-dc9321db366f", + "value": "6162a015-8635-4a15-8d7c-dc9321db366f", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2017-12794.yml" + }, + { + "type": "cve", + "name": "CVE-2017-12794", + "value": "CVE-2017-12794", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/100643" + }, + { + "url": "http://www.securitytracker.com/id/1039264" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12794" + }, + { + "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + }, + { + "id": "b8bbb6b4b4d6662d6c18d4586750a8f35801889ce3a73a040b30c8dbb978780d", + "name": "Content Spoofing", + "description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in `django.views.defaults.page_not_found()`, leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", + "severity": "Medium", + "solution": "Upgrade to versions 1.11.18, 2.0.10, 2.1.5 or above.", + "location": { + "file": "requirements.txt", + "dependency": { + "package": 
{ + "name": "Django" + }, + "version": "1.11.4" + } + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-94f5e552-ad49-49c7-bd9f-8857bba2354b", + "value": "94f5e552-ad49-49c7-bd9f-8857bba2354b", + "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/v1.2.142/pypi/Django/CVE-2019-3498.yml" + }, + { + "type": "cve", + "name": "CVE-2019-3498", + "value": "CVE-2019-3498", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498" + } + ], + "cvss_vectors": [ + { + "vendor": "NVD", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + }, + { + "vendor": "NVD", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N" + } + ], + "links": [ + { + "url": "http://www.securityfocus.com/bid/106453" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498" + }, + { + "url": "https://cwe.mitre.org/data/definitions/148.html" + }, + { + "url": "https://docs.djangoproject.com/en/dev/releases/security/" + }, + { + "url": "https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3498" + }, + { + "url": "https://usn.ubuntu.com/3851-1/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4363" + }, + { + "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/" + } + ], + "details": { + "vulnerable_package": { + "type": "text", + "name": "Vulnerable Package", + "value": "Django:1.11.4" + } + } + } + ], + "scan": { + "analyzer": { + "id": "gemnasium-python", + "name": "gemnasium-python", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.2.0" + }, + "scanner": { + "id": "gemnasium-python", + "name": 
"gemnasium-python", + "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium", + "vendor": { + "name": "GitLab" + }, + "version": "6.2.0" + }, + "type": "dependency_scanning", + "start_time": "2025-09-20T02:04:23", + "end_time": "2025-09-20T02:04:52", + "status": "success", + "observability": { + "events": [ + { + "event": "collect_gemnasium_python_scan_metrics_from_pipeline", + "property": "eb0e47db-9d04-4557-ae8e-c3b9dffc601e", + "label": "6.2.0", + "value": 15 + }, + { + "event": "collect_gemnasium_python_scan_performance_metrics_from_pipeline", + "property": "eb0e47db-9d04-4557-ae8e-c3b9dffc601e", + "value": 28 + }, + { + "event": "collect_gemnasium_python_scan_sbom_metrics_from_pipeline", + "property": "eb0e47db-9d04-4557-ae8e-c3b9dffc601e", + "label": "pypi", + "value": 12, + "input_file_path": "requirements.txt" + } + ] + } + } +} diff --git a/ee/spec/services/security/process_scan_events_service_spec.rb b/ee/spec/services/security/process_scan_events_service_spec.rb index a9d3e4c1c4188c..c04c20fcd8d599 100644 --- a/ee/spec/services/security/process_scan_events_service_spec.rb +++ b/ee/spec/services/security/process_scan_events_service_spec.rb 
@@ -252,26 +252,67 @@
 context 'with DS Gemnasium scan events' do
 using RSpec::Parameterized::TableSyntax
 
- let(:ds_artifact) { create(:ee_ci_job_artifact, :dependency_scanning_gemnasium_observability) }
+ let(:ds_artifact) { create(:ee_ci_job_artifact, artifact) }
 let(:ds_pipeline) { ds_artifact.job.pipeline }
 let(:ds_service_object) { described_class.new(ds_pipeline) }
 
- where(:event_name, :expected_properties) do
- 'collect_gemnasium_scan_metrics_from_pipeline' | {
- property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
- label: '6.1.9',
- value: 100
- }
- 'collect_gemnasium_scan_sbom_metrics_from_pipeline' | {
- property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
- label: 'npm',
- value: 352,
- input_file_path: "package-lock.json"
- }
- 'collect_gemnasium_scan_performance_metrics_from_pipeline' | {
- property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
- value: 40
- }
+ where(:artifact, :event_name, :expected_properties) do
+ [
+ [:dependency_scanning_gemnasium_observability,
+ 'collect_gemnasium_scan_metrics_from_pipeline', {
+ property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
+ label: '6.1.9',
+ value: 100
+ }],
+ [:dependency_scanning_gemnasium_observability,
+ 'collect_gemnasium_scan_sbom_metrics_from_pipeline', {
+ property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
+ label: 'npm',
+ value: 352,
+ input_file_path: "package-lock.json"
+ }],
+ [:dependency_scanning_gemnasium_observability,
+ 'collect_gemnasium_scan_performance_metrics_from_pipeline', {
+ property: 'e1552d18-eb8b-4e3e-bd15-a286ad1bc0f4',
+ value: 40
+ }],
+ [:dependency_scanning_gemnasium_python_observability,
+ 'collect_gemnasium_python_scan_metrics_from_pipeline', {
+ property: 'eb0e47db-9d04-4557-ae8e-c3b9dffc601e',
+ label: '6.2.0',
+ value: 15
+ }],
+ [:dependency_scanning_gemnasium_python_observability,
+ 'collect_gemnasium_python_scan_sbom_metrics_from_pipeline', {
+ property: 'eb0e47db-9d04-4557-ae8e-c3b9dffc601e',
+ label: 'pypi',
+ value: 12,
+ input_file_path: "requirements.txt"
+ }],
+ [:dependency_scanning_gemnasium_python_observability,
+ 'collect_gemnasium_python_scan_performance_metrics_from_pipeline', {
+ property: 'eb0e47db-9d04-4557-ae8e-c3b9dffc601e',
+ value: 28
+ }],
+ [:dependency_scanning_gemnasium_maven_observability,
+ 'collect_gemnasium_maven_scan_metrics_from_pipeline', {
+ property: '077e707f-175c-4eed-a998-1be56780666d',
+ label: '6.2.0',
+ value: 59
+ }],
+ [:dependency_scanning_gemnasium_maven_observability,
+ 'collect_gemnasium_maven_scan_sbom_metrics_from_pipeline', {
+ property: '077e707f-175c-4eed-a998-1be56780666d',
+ label: 'maven',
+ value: 36,
+ input_file_path: "pom.xml"
+ }],
+ [:dependency_scanning_gemnasium_maven_observability,
+ 'collect_gemnasium_maven_scan_performance_metrics_from_pipeline', {
+ property: '077e707f-175c-4eed-a998-1be56780666d',
+ value: 13
+ }]
+ ]
 end
 
 with_them do
-- 
GitLab
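Review bot: The new rows reference event names (`collect_gemnasium_python_scan_*`, `collect_gemnasium_maven_scan_*`) and factory traits (`:dependency_scanning_gemnasium_python_observability`, `:dependency_scanning_gemnasium_maven_observability`) that nothing in this hunk defines; as far as I recall internal-events tracking rejects event names without a definition in the test environment, so these rows only pass if the matching event definitions, report fixtures and traits land in the same series, which is worth confirming. Each fixture's scan UUID is repeated three times in the table; hoisting them into locals above the `where`, e.g. `python_scan_uuid = 'eb0e47db-9d04-4557-ae8e-c3b9dffc601e'`, keeps the expectation tied to one place per fixture. Since the table is now an array of arrays, the `using RSpec::Parameterized::TableSyntax` line at the top of the hunk no longer serves this block and can go if nothing else in the file relies on it. The `with_them` block on the last line continues outside the hunk.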