From ff59e9f1fffe575bed6bf0a3e58a178d11f34ffd Mon Sep 17 00:00:00 2001
From: NeilHanlon
Date: Wed, 28 Dec 2022 13:04:35 +0000
Subject: [PATCH] deploy: 8ccce7fd31973e438889a894e0b29e70f8459500
---
 index.html | 32 ++++++++++++++++++++++--
 trivy-results.sarif | 60 +++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 88 insertions(+), 4 deletions(-)
diff --git a/index.html b/index.html
index 379a978..eaefad3 100644
--- a/index.html
+++ b/index.html
@@ -51,7 +51,7 @@ } a.toggle-more-links { cursor: pointer; }
- docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2022-12-27 13:04:52.006531364 +0000 UTC m=+1.358517910
+ docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2022-12-28 13:04:34.796318349 +0000 UTC m=+1.045279135
-

docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2022-12-27 13:04:52.006561564 +0000 UTC m=+1.358548110

+

docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2022-12-28 13:04:34.79634655 +0000 UTC m=+1.045307336

+ + + + + + + + + + + + + + + + + +
rocky
No Vulnerabilities found
No Misconfigurations found
python-pkg
PackageVulnerability IDSeverityInstalled VersionFixed VersionLinks
setuptoolsCVE-2022-40897HIGH39.2.065.5.1
No Misconfigurations found
diff --git a/trivy-results.sarif b/trivy-results.sarif
index 73b78f2..2b0795a 100644
--- a/trivy-results.sarif
+++ b/trivy-results.sarif
@@ -8,11 +8,67 @@
 "fullName": "Trivy Vulnerability Scanner",
 "informationUri": "https://github.com/aquasecurity/trivy",
 "name": "Trivy",
- "rules": [],
+ "rules": [
+ {
+ "id": "CVE-2022-40897",
+ "name": "LanguageSpecificPackageVulnerability",
+ "shortDescription": {
+ "text": "pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)"
+ },
+ "fullDescription": {
+ "text": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py."
+ },
+ "defaultConfiguration": {
+ "level": "error"
+ },
+ "helpUri": "https://avd.aquasec.com/nvd/cve-2022-40897",
+ "help": {
+ "text": "Vulnerability CVE-2022-40897\nSeverity: HIGH\nPackage: setuptools\nFixed Version: 65.5.1\nLink: [CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)\nPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
+ "markdown": "**Vulnerability CVE-2022-40897**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|setuptools|65.5.1|[CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)|\n\nPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py."
+ },
+ "properties": {
+ "precision": "very-high",
+ "security-severity": "7.5",
+ "tags": [
+ "vulnerability",
+ "security",
+ "HIGH"
+ ]
+ }
+ }
+ ],
 "version": "0.34.0"
 }
 },
- "results": [],
+ "results": [
+ {
+ "ruleId": "CVE-2022-40897",
+ "ruleIndex": 0,
+ "level": "error",
+ "message": {
+ "text": "Package: setuptools\nInstalled Version: 39.2.0\nVulnerability CVE-2022-40897\nSeverity: HIGH\nFixed Version: 65.5.1\nLink: [CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "usr/lib/python3.6/site-packages/setuptools-39.2.0.dist-info/METADATA",
+ "uriBaseId": "ROOTPATH"
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ },
+ "message": {
+ "text": "usr/lib/python3.6/site-packages/setuptools-39.2.0.dist-info/METADATA: setuptools@39.2.0"
+ }
+ }
+ ]
+ }
+ ],
 "columnKind": "utf16CodeUnits",
 "originalUriBaseIds": {
 "ROOTPATH": {