
Diffstat (limited to 'spec/fixtures/security_reports/master/gl-common-scanning-report.json')
-rw-r--r--spec/fixtures/security_reports/master/gl-common-scanning-report.json700
1 files changed, 411 insertions, 289 deletions
diff --git a/spec/fixtures/security_reports/master/gl-common-scanning-report.json b/spec/fixtures/security_reports/master/gl-common-scanning-report.json
index 1fb00b2ff3a..787573301bb 100644
--- a/spec/fixtures/security_reports/master/gl-common-scanning-report.json
+++ b/spec/fixtures/security_reports/master/gl-common-scanning-report.json
@@ -1,300 +1,422 @@
{
- "vulnerabilities": [
- {
- "category": "dependency_scanning",
- "name": "Vulnerabilities in libxml2",
- "message": "Vulnerabilities in libxml2 in nokogiri",
- "description": "",
- "cve": "CVE-1020",
- "severity": "High",
- "solution": "Upgrade to latest version.",
- "scanner": {
- "id": "gemnasium",
- "name": "Gemnasium"
- },
- "evidence": {
- "source": {
- "id": "assert:CORS - Bad 'Origin' value",
- "name": "CORS - Bad 'Origin' value"
- },
- "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- },
- "response": {
- "headers": [
- {
- "name": "Server",
- "value": "TwistedWeb/20.3.0"
- }
- ],
- "reason_phrase": "OK",
- "status_code": 200,
- "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
- },
- "supporting_messages": [
- {
- "name": "Origional",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- }
- },
- {
- "name": "Recorded",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- },
- "response": {
- "headers": [
- {
- "name": "Server",
- "value": "TwistedWeb/20.3.0"
- }
- ],
- "reason_phrase": "OK",
- "status_code": 200,
- "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
- }
- }
- ]
- },
- "location": {},
- "identifiers": [
- {
- "type": "GitLab",
- "name": "Foo vulnerability",
- "value": "foo"
- }
- ],
- "links": [
- {
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020"
- }
- ],
- "details": {
- "commit": {
- "name": [
- {
- "lang": "en",
- "value": "The Commit"
- }
- ],
- "description": [
- {
- "lang": "en",
- "value": "Commit where the vulnerability was identified"
- }
- ],
- "type": "commit",
- "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
- }
- }
+ "vulnerabilities": [{
+ "category": "dependency_scanning",
+ "name": "Vulnerability for remediation testing 1",
+ "message": "This vulnerability should have ONE remediation",
+ "description": "",
+ "cve": "CVE-2137",
+ "severity": "High",
+ "solution": "Upgrade to latest version.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Foo vulnerability",
+ "value": "foo"
+ }],
+ "links": [{
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2137"
+ }],
+ "details": {
+ "commit": {
+ "name": [{
+ "lang": "en",
+ "value": "The Commit"
+ }],
+ "description": [{
+ "lang": "en",
+ "value": "Commit where the vulnerability was identified"
+ }],
+ "type": "commit",
+ "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+ }
+ }
+ },
+ {
+ "category": "dependency_scanning",
+ "name": "Vulnerability for remediation testing 2",
+ "message": "This vulnerability should have ONE remediation",
+ "description": "",
+ "cve": "CVE-2138",
+ "severity": "High",
+ "solution": "Upgrade to latest version.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Foo vulnerability",
+ "value": "foo"
+ }],
+ "links": [{
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2138"
+ }],
+ "details": {
+ "commit": {
+ "name": [{
+ "lang": "en",
+ "value": "The Commit"
+ }],
+ "description": [{
+ "lang": "en",
+ "value": "Commit where the vulnerability was identified"
+ }],
+ "type": "commit",
+ "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+ }
+ }
+ },
+ {
+ "category": "dependency_scanning",
+ "name": "Vulnerability for remediation testing 3",
+ "message": "Remediation for this vulnerability should remediate CVE-2140 as well",
+ "description": "",
+ "cve": "CVE-2139",
+ "severity": "High",
+ "solution": "Upgrade to latest version.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Foo vulnerability",
+ "value": "foo"
+ }],
+ "links": [{
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2139"
+ }],
+ "details": {
+ "commit": {
+ "name": [{
+ "lang": "en",
+ "value": "The Commit"
+ }],
+ "description": [{
+ "lang": "en",
+ "value": "Commit where the vulnerability was identified"
+ }],
+ "type": "commit",
+ "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+ }
+ }
+ },
+ {
+ "category": "dependency_scanning",
+ "name": "Vulnerability for remediation testing 4",
+ "message": "Remediation for this vulnerability should remediate CVE-2139 as well",
+ "description": "",
+ "cve": "CVE-2140",
+ "severity": "High",
+ "solution": "Upgrade to latest version.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Foo vulnerability",
+ "value": "foo"
+ }],
+ "links": [{
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2140"
+ }],
+ "details": {
+ "commit": {
+ "name": [{
+ "lang": "en",
+ "value": "The Commit"
+ }],
+ "description": [{
+ "lang": "en",
+ "value": "Commit where the vulnerability was identified"
+ }],
+ "type": "commit",
+ "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+ }
+ }
+ },
+ {
+ "category": "dependency_scanning",
+ "name": "Vulnerabilities in libxml2",
+ "message": "Vulnerabilities in libxml2 in nokogiri",
+ "description": "",
+ "cve": "CVE-1020",
+ "severity": "High",
+ "solution": "Upgrade to latest version.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "evidence": {
+ "source": {
+ "id": "assert:CORS - Bad 'Origin' value",
+ "name": "CORS - Bad 'Origin' value"
},
- {
- "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3",
- "category": "dependency_scanning",
- "name": "Regular Expression Denial of Service",
- "message": "Regular Expression Denial of Service in debug",
- "description": "",
- "cve": "CVE-1030",
- "severity": "Unknown",
- "solution": "Upgrade to latest versions.",
- "scanner": {
- "id": "gemnasium",
- "name": "Gemnasium"
- },
- "evidence": {
- "source": {
- "id": "assert:CORS - Bad 'Origin' value",
- "name": "CORS - Bad 'Origin' value"
- },
- "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- },
- "response": {
- "headers": [
- {
- "name": "Server",
- "value": "TwistedWeb/20.3.0"
- }
- ],
- "reason_phrase": "OK",
- "status_code": 200,
- "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
- },
- "supporting_messages": [
- {
- "name": "Origional",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- }
- },
- {
- "name": "Recorded",
- "request": {
- "headers": [
- {
- "name": "Host",
- "value": "127.0.0.1:7777"
- }
- ],
- "method": "GET",
- "url": "http://127.0.0.1:7777/api/users",
- "body": ""
- },
- "response": {
- "headers": [
- {
- "name": "Server",
- "value": "TwistedWeb/20.3.0"
- }
- ],
- "reason_phrase": "OK",
- "status_code": 200,
- "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
- }
- }
- ]
- },
- "location": {},
- "identifiers": [
- {
- "type": "GitLab",
- "name": "Bar vulnerability",
- "value": "bar"
- }
- ],
- "links": [
- {
- "name": "CVE-1030",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1030"
- }
- ]
+ "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
},
- {
- "category": "dependency_scanning",
- "name": "Authentication bypass via incorrect DOM traversal and canonicalization",
- "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
- "description": "",
- "cve": "yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98",
- "severity": "Unknown",
- "solution": "Upgrade to fixed version.\r\n",
- "scanner": {
- "id": "gemnasium",
- "name": "Gemnasium"
+ "response": {
+ "headers": [{
+ "name": "Server",
+ "value": "TwistedWeb/20.3.0"
+ }],
+ "reason_phrase": "OK",
+ "status_code": 200,
+ "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
+ },
+ "supporting_messages": [{
+ "name": "Origional",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
+ }
+ },
+ {
+ "name": "Recorded",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
},
- "location": {},
- "identifiers": [],
- "links": [
- ]
+ "response": {
+ "headers": [{
+ "name": "Server",
+ "value": "TwistedWeb/20.3.0"
+ }],
+ "reason_phrase": "OK",
+ "status_code": 200,
+ "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
+ }
+ }
+ ]
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Foo vulnerability",
+ "value": "foo"
+ }],
+ "links": [{
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020"
+ }],
+ "details": {
+ "commit": {
+ "name": [{
+ "lang": "en",
+ "value": "The Commit"
+ }],
+ "description": [{
+ "lang": "en",
+ "value": "Commit where the vulnerability was identified"
+ }],
+ "type": "commit",
+ "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
}
- ],
- "remediations": [
- {
- "fixes": [
- {
- "cve": "CVE-1020"
- }
- ],
- "summary": "",
- "diff": ""
- },
- {
- "fixes": [
- {
- "cve": "CVE",
- "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3"
- }
- ],
- "summary": "",
- "diff": ""
+ }
+ },
+ {
+ "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3",
+ "category": "dependency_scanning",
+ "name": "Regular Expression Denial of Service",
+ "message": "Regular Expression Denial of Service in debug",
+ "description": "",
+ "cve": "CVE-1030",
+ "severity": "Unknown",
+ "solution": "Upgrade to latest versions.",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "evidence": {
+ "source": {
+ "id": "assert:CORS - Bad 'Origin' value",
+ "name": "CORS - Bad 'Origin' value"
},
- {
- "fixes": [
- {
- "cve": "CVE",
- "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3"
- }
- ],
- "summary": "",
- "diff": ""
+ "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
},
- {
- "fixes": [
- {
- "id": "2134",
- "cve": "CVE-1"
- }
- ],
- "summary": "",
- "diff": ""
- }
- ],
- "dependency_files": [],
- "scan": {
- "analyzer": {
- "id": "common-analyzer",
- "name": "Common Analyzer",
- "url": "https://site.com/analyzer/common",
- "version": "2.0.1",
- "vendor": {
- "name": "Common"
- }
+ "response": {
+ "headers": [{
+ "name": "Server",
+ "value": "TwistedWeb/20.3.0"
+ }],
+ "reason_phrase": "OK",
+ "status_code": 200,
+ "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
},
- "scanner": {
- "id": "gemnasium",
- "name": "Gemnasium",
- "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven",
- "vendor": {
- "name": "GitLab"
+ "supporting_messages": [{
+ "name": "Origional",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
+ }
+ },
+ {
+ "name": "Recorded",
+ "request": {
+ "headers": [{
+ "name": "Host",
+ "value": "127.0.0.1:7777"
+ }],
+ "method": "GET",
+ "url": "http://127.0.0.1:7777/api/users",
+ "body": ""
},
- "version": "2.18.0"
- },
- "type": "dependency_scanning",
- "start_time": "placeholder-value",
- "end_time": "placeholder-value",
- "status": "success"
+ "response": {
+ "headers": [{
+ "name": "Server",
+ "value": "TwistedWeb/20.3.0"
+ }],
+ "reason_phrase": "OK",
+ "status_code": 200,
+ "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
+ }
+ }
+ ]
+ },
+ "location": {},
+ "identifiers": [{
+ "type": "GitLab",
+ "name": "Bar vulnerability",
+ "value": "bar"
+ }],
+ "links": [{
+ "name": "CVE-1030",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1030"
+ }]
+ },
+ {
+ "category": "dependency_scanning",
+ "name": "Authentication bypass via incorrect DOM traversal and canonicalization",
+ "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
+ "description": "",
+ "cve": "yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98",
+ "severity": "Unknown",
+ "solution": "Upgrade to fixed version.\r\n",
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "location": {},
+ "identifiers": [],
+ "links": []
+ }
+ ],
+ "remediations": [{
+ "fixes": [{
+ "cve": "CVE-2137"
+ }],
+ "summary": "this remediates CVE-2137",
+ "diff": "dG90YWxseSBsZWdpdCBkaWZm"
+ },
+ {
+ "fixes": [{
+ "cve": "CVE-2138"
+ }],
+ "summary": "this remediates CVE-2138",
+ "diff": "dG90YWxseSBsZWdpdCBkaWZm"
+ },
+ {
+ "fixes": [{
+ "cve": "CVE-2139"
+ }, {
+ "cve": "CVE-2140"
+ }],
+ "summary": "this remediates CVE-2139 and CVE-2140",
+ "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5"
+ },
+ {
+ "fixes": [{
+ "cve": "CVE-1020"
+ }],
+ "summary": "",
+ "diff": ""
+ },
+ {
+ "fixes": [{
+ "cve": "CVE",
+ "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3"
+ }],
+ "summary": "",
+ "diff": ""
+ },
+ {
+ "fixes": [{
+ "cve": "CVE",
+ "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3"
+ }],
+ "summary": "",
+ "diff": ""
+ },
+ {
+ "fixes": [{
+ "id": "2134",
+ "cve": "CVE-1"
+ }],
+ "summary": "",
+ "diff": ""
+ }
+ ],
+ "dependency_files": [],
+ "scan": {
+ "analyzer": {
+ "id": "common-analyzer",
+ "name": "Common Analyzer",
+ "url": "https://site.com/analyzer/common",
+ "version": "2.0.1",
+ "vendor": {
+ "name": "Common"
+ }
+ },
+ "scanner": {
+ "id": "gemnasium",
+ "name": "Gemnasium",
+ "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven",
+ "vendor": {
+ "name": "GitLab"
+ },
+ "version": "2.18.0"
},
- "version": "14.0.2"
+ "type": "dependency_scanning",
+ "start_time": "placeholder-value",
+ "end_time": "placeholder-value",
+ "status": "success"
+ },
+ "version": "14.0.2"
}
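Review bot: The remediation entries for CVE-2137 and CVE-2138 in the new `remediations` array carry a byte-identical `diff` payload (`dG90YWxseSBsZWdpdCBkaWZm`, which decodes to the placeholder text "totally legit diff"), while the `message` fields of both vulnerabilities state each should have ONE remediation; if the ingestion side derives remediation identity from a checksum of the diff content, as I believe it does, these two entries collapse into a single remediation and the fixture no longer exercises the one-to-one case its messages describe. Giving the second entry a distinct payload keeps them distinguishable, e.g. `"diff": "dG90YWxseSBsZWdpdCBkaWZmIDI="` (constructed value, decodes to "totally legit diff 2"). Note also that none of the non-empty `diff` values decode to an actual unified diff, so this fixture is only suitable for parse/association tests, not for anything that applies a remediation. The two remediations further down that both fix `{"cve": "CVE", "id": "bb2fbeb1…"}` are carried over unchanged from the old side and are exact duplicates; if that duplication is deliberate (testing de-duplication), a short sentence in the spec that consumes this fixture would make the intent clear.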