From 79b7a35c945bb36dd4d58ea2597aebbce4c60e3e Mon Sep 17 00:00:00 2001 From: Templum Date: Sat, 1 Apr 2023 12:32:15 +0000 Subject: [PATCH] :bento: Replaced static data with new format --- hack/found.json | 811 --------------------------------------------- hack/found.stream | 824 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 824 insertions(+), 811 deletions(-) delete mode 100644 hack/found.json create mode 100644 hack/found.stream diff --git a/hack/found.json b/hack/found.json deleted file mode 100644 index 4a7b6ae..0000000 --- a/hack/found.json +++ /dev/null @@ -1,811 +0,0 @@ -[ - { - "OSV": { - "id": "GO-2022-1059", - "published": "2022-10-11T18:16:24Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2022-32149", - "GHSA-69ch-w2m2-3vjp" - ], - "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-1059" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "ParseAcceptLanguage" - ] - } - ] - } - } - ], - "references": [ - { - "type": "REPORT", - "url": "https://go.dev/issue/56152" - }, - { - "type": "FIX", - "url": "https://go.dev/cl/442235" - }, - { - "type": "WEB", - "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" - } - ], - "credits": [ - { - "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "golang.org/x/text", - "FoundVersion": "v0.3.6", - "FixedVersion": "v0.3.8", - "Packages": [ - { - "Path": "golang.org/x/text/language", - "CallStacks": null - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.6.5", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": [ - { - "Symbol": "Get", - "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "PkgPath": "github.com/tidwall/gjson", - "FuncName": "Get", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2022-3064", - "GHSA-6q6q-88xp-6f2r" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.4", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" - ], - "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.9.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.9.3", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": [ - { - "Symbol": "Get", - "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "PkgPath": "github.com/tidwall/gjson", - "FuncName": "Get", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0113", - "published": "2021-10-06T17:51:21Z", - "modified": "2023-02-02T17:52:29Z", - "aliases": [ - "CVE-2021-38561", - "GHSA-ppp9-7jff-5vj2" - ], - "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.7" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0113" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "MustParse", - "Parse", - "ParseAcceptLanguage" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://go.dev/cl/340830" - }, - { - "type": "FIX", - "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" - } - ], - "credits": [ - { - "name": "Guido Vranken" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "golang.org/x/text", - "FoundVersion": "v0.3.6", - "FixedVersion": "v0.3.7", - "Packages": [ - { - "Path": "golang.org/x/text/language", - "CallStacks": [ - { - "Symbol": "MustParse", - "Summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 204, - "Line": 12, - "Column": 29 - } - }, - { - "PkgPath": "golang.org/x/text/language", - "FuncName": "MustParse", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0061", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2021-4235", - "GHSA-r88r-gmrh-7j83" - ], - "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/375" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" - } - ], - "credits": [ - { - "name": "@simonferquel" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.3", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0054", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-07T21:49:49Z", - "aliases": [ - "CVE-2020-36067", - "GHSA-p64j-r5f4-pwwx" - ], - "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.6" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0054" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Result.ForEach", - "unwrap" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/196" - } - ], - "credits": [ - { - "name": "@toptotu" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.6.6", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": null - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2020-0036", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-01-14T00:31:02Z", - "aliases": [ - "CVE-2019-11254", - "GHSA-wxc4-f4m6-wwqv" - ], - "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_decrease_flow_level", - "yaml_parser_fetch_more_tokens", - "yaml_parser_fetch_stream_start", - "yaml_parser_fetch_value", - "yaml_parser_remove_simple_key", - "yaml_parser_save_simple_key" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/555" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" - }, - { - "type": "WEB", - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.8", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - } -] \ No newline at end of file diff --git a/hack/found.stream b/hack/found.stream new file mode 100644 index 0000000..5425763 --- /dev/null +++ b/hack/found.stream @@ -0,0 +1,824 @@ +{ + "preamble": { + "go_version": "go1.19.6", + "tool_version": "govulncheck@v0.0.0", + "db": "https://vuln.go.dev", + "db_last_modified": "2023-03-31T20:58:11Z", + "query_kind": "Source", + "callstack_mode": "Compact" + } +} +{ + "progress": "Scanning your code and 58 packages across 6 dependent modules for known vulnerabilities..." +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-1059", + "published": "2022-10-11T18:16:24Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2022-32149", + "GHSA-69ch-w2m2-3vjp" + ], + "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1059" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56152" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/442235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "golang.org/x/text", + "found_version": "v0.3.6", + "fixed_version": "v0.3.8", + "packages": [ + { + "path": "golang.org/x/text/language" + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-0957", + "published": "2022-08-25T06:28:20Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2020-36066", + "GHSA-wjm3-fq3r-5x46" + ], + "details": "A maliciously crafted JSON input can cause a denial of service attack.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0957" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/195" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.6.5", + "packages": [ + { + "path": "github.com/tidwall/gjson", + "callstacks": [ + { + "symbol": "Get", + "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "package": "github.com/tidwall/gjson", + "function": "Get", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-0956", + "published": "2022-08-29T22:15:46Z", + "modified": "2023-02-08T18:46:18Z", + "aliases": [ + "CVE-2022-3064", + "GHSA-6q6q-88xp-6f2r" + ], + "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0956" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.4", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0265", + "published": "2022-08-15T18:06:07Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2021-42248", + "CVE-2021-42836", + "GHSA-c9gm-7rfj-8w5h", + "GHSA-ppj4-34rq-v8j9" + ], + "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0265" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/237" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/236" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.9.3", + "packages": [ + { + "path": "github.com/tidwall/gjson", + "callstacks": [ + { + "symbol": "Get", + "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "package": "github.com/tidwall/gjson", + "function": "Get", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0113", + "published": "2021-10-06T17:51:21Z", + "modified": "2023-02-02T17:52:29Z", + "aliases": [ + "CVE-2021-38561", + "GHSA-ppp9-7jff-5vj2" + ], + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "golang.org/x/text", + "found_version": "v0.3.6", + "fixed_version": "v0.3.7", + "packages": [ + { + "path": "golang.org/x/text/language", + "callstacks": [ + { + "symbol": "MustParse", + "summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 204, + "Line": 12, + "Column": 29 + } + }, + { + "package": "golang.org/x/text/language", + "function": "MustParse", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0061", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-02-08T18:46:18Z", + "aliases": [ + "CVE-2021-4235", + "GHSA-r88r-gmrh-7j83" + ], + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/375" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + } + ], + "credits": [ + { + "name": "@simonferquel" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.3", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0054", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-02-07T21:49:49Z", + "aliases": [ + "CVE-2020-36067", + "GHSA-p64j-r5f4-pwwx" + ], + "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0054" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Result.ForEach", + "unwrap" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/196" + } + ], + "credits": [ + { + "name": "@toptotu" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.6.6", + "packages": [ + { + "path": "github.com/tidwall/gjson" + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2020-0036", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-01-14T00:31:02Z", + "aliases": [ + "CVE-2019-11254", + "GHSA-wxc4-f4m6-wwqv" + ], + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_decrease_flow_level", + "yaml_parser_fetch_more_tokens", + "yaml_parser_fetch_stream_start", + "yaml_parser_fetch_value", + "yaml_parser_remove_simple_key", + "yaml_parser_save_simple_key" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/555" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.8", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +}