Commit 80503089 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch...

Merge branch '217480-failure-in-qa-specs-features-ee-browser_ui-secure-create_merge_request_with_secure_spec-rb' into 'master'

Update the container scanning report to use the new format

Closes #217480

See merge request gitlab-org/gitlab!31848
parents bd784911 75620fd4
{ {
"image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff", "version": "2.3",
"unapproved": [
"CVE-2017-18269",
"CVE-2017-16997",
"CVE-2018-1000001",
"CVE-2016-10228",
"CVE-2018-18520",
"CVE-2010-4052",
"CVE-2018-16869",
"CVE-2018-18311"
],
"vulnerabilities": [ "vulnerabilities": [
{ {
"featurename": "glibc", "category": "container_scanning",
"featureversion": "2.24-11+deb9u3", "message": "CVE-2017-18269 in glibc",
"vulnerability": "CVE-2017-18269", "description": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.",
"namespace": "debian:9", "cve": "debian:9:glibc:CVE-2017-18269",
"description": "SSE2-optimized memmove implementation problem.", "severity": "Critical",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-18269", "confidence": "Unknown",
"severity": "Defcon1", "solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"fixedby": "2.24-11+deb9u4" "scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-18269",
"value": "CVE-2017-18269",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
]
}, },
{ {
"featurename": "glibc", "category": "container_scanning",
"featureversion": "2.24-11+deb9u3", "message": "CVE-2017-16997 in glibc",
"vulnerability": "CVE-2017-16997",
"namespace": "debian:9",
"description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", "description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-16997", "cve": "debian:9:glibc:CVE-2017-16997",
"severity": "Critical", "severity": "Critical",
"fixedby": "" "confidence": "Unknown",
"solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-16997",
"value": "CVE-2017-16997",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
]
}, },
{ {
"featurename": "glibc", "category": "container_scanning",
"featureversion": "2.24-11+deb9u3", "message": "CVE-2018-1000001 in glibc",
"vulnerability": "CVE-2018-1000001",
"namespace": "debian:9",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001", "cve": "debian:9:glibc:CVE-2018-1000001",
"severity": "High", "severity": "High",
"fixedby": "" "confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-1000001",
"value": "CVE-2018-1000001",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
]
}, },
{ {
"featurename": "glibc", "category": "container_scanning",
"featureversion": "2.24-11+deb9u3", "message": "CVE-2016-10228 in glibc",
"vulnerability": "CVE-2016-10228",
"namespace": "debian:9",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-10228", "cve": "debian:9:glibc:CVE-2016-10228",
"severity": "Medium", "severity": "Medium",
"fixedby": "" "confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2016-10228",
"value": "CVE-2016-10228",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
]
}, },
{ {
"featurename": "elfutils", "category": "container_scanning",
"featureversion": "0.168-1", "message": "CVE-2018-18520 in elfutils",
"vulnerability": "CVE-2018-18520",
"namespace": "debian:9",
"description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", "description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18520", "cve": "debian:9:elfutils:CVE-2018-18520",
"severity": "Low", "severity": "Low",
"fixedby": "" "confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "elfutils"
},
"version": "0.168-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18520",
"value": "CVE-2018-18520",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
]
}, },
{ {
"featurename": "glibc", "category": "container_scanning",
"featureversion": "2.24-11+deb9u3", "message": "CVE-2010-4052 in glibc",
"vulnerability": "CVE-2010-4052",
"namespace": "debian:9",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", "description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4052", "cve": "debian:9:glibc:CVE-2010-4052",
"severity": "Negligible", "severity": "Low",
"fixedby": "" "confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2010-4052",
"value": "CVE-2010-4052",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
]
}, },
{ {
"featurename": "nettle", "category": "container_scanning",
"featureversion": "3.3-1", "message": "CVE-2018-16869 in nettle",
"vulnerability": "CVE-2018-16869",
"namespace": "debian:9",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.", "description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16869", "cve": "debian:9:nettle:CVE-2018-16869",
"severity": "Unknown", "severity": "Unknown",
"fixedby": "" "confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "nettle"
},
"version": "3.3-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-16869",
"value": "CVE-2018-16869",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
]
}, },
{ {
"featurename": "perl", "category": "container_scanning",
"featureversion": "5.24.1-3+deb9u4", "message": "CVE-2018-18311 in perl",
"vulnerability": "CVE-2018-18311",
"namespace": "debian:9",
"description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.", "description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18311", "cve": "debian:9:perl:CVE-2018-18311",
"severity": "Unknown", "severity": "Unknown",
"fixedby": "5.24.1-3+deb9u5" "confidence": "Unknown",
}, "solution": "Upgrade perl from 5.24.1-3+deb9u3 to 5.24.1-3+deb9u5",
{ "scanner": {
"featurename": "foo", "id": "klar",
"featureversion": "1.3", "name": "klar"
"vulnerability": "CVE-2018-666", },
"namespace": "debian:9", "location": {
"description": "Foo has a vulnerability nobody cares about and whitelist.", "dependency": {
"link": "https://security-tracker.debian.org/tracker/CVE-2018-666", "package": {
"severity": "Unknown", "name": "perl"
"fixedby": "1.4" },
"version": "5.24.1-3+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18311",
"value": "CVE-2018-18311",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
]
} }
] ],
"remediations": []
} }
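Review bot: The allowlisted dummy entry `CVE-2018-666` for package `foo` (old side, with the description "nobody cares about and whitelist") has no counterpart in the new-format report, so if the spec named in the branch exercises vulnerability allowlisting, the rewritten fixture no longer covers that path; if it is still needed, re-add it as a new-format object (`category`, `message`, `cve`, `severity`, `scanner`, `location`, `identifiers`) alongside the perl entry. The perl entry also changes the reported installed version: the old `featureversion` is `5.24.1-3+deb9u4` while the new `location.dependency.version` and `solution` say `5.24.1-3+deb9u3` — if that was not intended, the one-line fix is `"version": "5.24.1-3+deb9u4"` together with the matching `solution` text. Old/new assignment here is inferred from the key names (the page carries no `+`/`-` markers), so please confirm against the raw diff.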