Skip to content

Commit

Permalink
chore(vex): add CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158
Browse files Browse the repository at this point in the history
… in `trivy.openvex.json` (#7510)
  • Loading branch information
DmitriyLewen authored Sep 16, 2024
1 parent 701dbda commit 0efd202
Showing 1 changed file with 87 additions and 0 deletions.
87 changes: 87 additions & 0 deletions .vex/trivy.openvex.json
Original file line number Diff line number Diff line change
Expand Up @@ -453,6 +453,93 @@
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3105",
"name": "GO-2024-3105",
"description": "Stack exhaustion in all Parse functions in go/parser",
"aliases": [
"CVE-2024-34155"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3106",
"name": "GO-2024-3106",
"description": "Stack exhaustion in Decoder.Decode in encoding/gob",
"aliases": [
"CVE-2024-34156"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3107",
"name": "GO-2024-3107",
"description": "Stack exhaustion in Parse in go/build/constraint",
"aliases": [
"CVE-2024-34158"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/stdlib",
"identifiers": {
"purl": "pkg:golang/stdlib"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}
]
}

0 comments on commit 0efd202

Please sign in to comment.