{ "vulnerabilities": [ { "category": "dependency_scanning", "name": "Vulnerability for remediation testing 1", "message": "This vulnerability should have ONE remediation", "description": "", "cve": "CVE-2137", "severity": "High", "solution": "Upgrade to latest version.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [ { "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2137" } ], "details": { "commit": { "name": "the commit", "description": "description", "type": "commit", "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19" } } }, { "category": "dependency_scanning", "name": "Vulnerability for remediation testing 2", "message": "This vulnerability should have ONE remediation", "description": "", "cve": "CVE-2138", "severity": "High", "solution": "Upgrade to latest version.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [ { "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2138" } ], "details": { "commit": { "name": "the commit", "description": "description", "type": "commit", "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19" } } }, { "category": "dependency_scanning", "name": "Vulnerability for remediation testing 3", "message": "Remediation for this vulnerability should remediate CVE-2140 as well", "description": "", "cve": "CVE-2139", "severity": "High", "solution": "Upgrade to latest version.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [ { "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2139" } ], "details": { "commit": { "name": "the commit", "description": "description", "type": "commit", "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19" } } }, { "category": "dependency_scanning", "name": "Vulnerability for remediation testing 4", "message": "Remediation for this vulnerability should remediate CVE-2139 as well", "description": "", "cve": "CVE-2140", "severity": "High", "solution": "Upgrade to latest version.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [ { "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2140" } ], "details": { "commit": { "name": "the commit", "description": "description", "type": "commit", "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19" } } }, { "category": "dependency_scanning", "name": "Vulnerabilities in libxml2", "message": "Vulnerabilities in libxml2 in nokogiri", "description": "", "cve": "CVE-1020", "severity": "High", "solution": "Upgrade to latest version.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "evidence": { "source": { "id": "assert:CORS - Bad 'Origin' value", "name": "CORS - Bad 'Origin' value" }, "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" }, "response": { "headers": [ { "name": "Server", "value": "TwistedWeb/20.3.0" } ], "reason_phrase": "OK", "status_code": 200, "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]" }, "supporting_messages": [ { "name": "Origional", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" } }, { "name": "Recorded", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" }, "response": { "headers": [ { "name": "Server", "value": "TwistedWeb/20.3.0" } ], "reason_phrase": "OK", "status_code": 200, "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]" } } ] }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [ { "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020" } ], "details": { "commit": { "name": "the commit", "description": "description", "type": "commit", "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19" } } }, { "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3", "category": "dependency_scanning", "name": "Regular Expression Denial of Service", "message": "Regular Expression Denial of Service in debug", "description": "", "cve": "CVE-1030", "severity": "Unknown", "solution": "Upgrade to latest versions.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "evidence": { "source": { "id": "assert:CORS - Bad 'Origin' value", "name": "CORS - Bad 'Origin' value" }, "summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" }, "response": { "headers": [ { "name": "Server", "value": "TwistedWeb/20.3.0" } ], "reason_phrase": "OK", "status_code": 200, "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]" }, "supporting_messages": [ { "name": "Origional", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" } }, { "name": "Recorded", "request": { "headers": [ { "name": "Host", "value": "127.0.0.1:7777" } ], "method": "GET", "url": "http://127.0.0.1:7777/api/users", "body": "" }, "response": { "headers": [ { "name": "Server", "value": "TwistedWeb/20.3.0" } ], "reason_phrase": "OK", "status_code": 200, "body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]" } } ] }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Bar vulnerability", "value": "bar" } ], "links": [ { "name": "CVE-1030", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1030" } ] }, { "category": "dependency_scanning", "name": "Authentication bypass via incorrect DOM traversal and canonicalization", "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js", "description": "", "cve": "yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98", "severity": "Unknown", "solution": "Upgrade to fixed version.\r\n", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "some/kind/of/file.c", "dependency": { "package": { "name": "io.netty/netty" }, "version": "3.9.1.Final" } }, "identifiers": [ { "type": "GitLab", "name": "Foo vulnerability", "value": "foo" } ], "links": [] } ], "remediations": [ { "fixes": [ { "cve": "CVE-2137" } ], "summary": "this remediates CVE-2137", "diff": "dG90YWxseSBsZWdpdCBkaWZm" }, { "fixes": [ { "cve": "CVE-2138" } ], "summary": "this remediates CVE-2138", "diff": "dG90YWxseSBsZWdpdCBkaWZm" }, { "fixes": [ { "cve": "CVE-2139" }, { "cve": "CVE-2140" } ], "summary": "this remediates CVE-2139 and CVE-2140", "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5" }, { "fixes": [ { "cve": "CVE-1020" } ], "summary": "this fixes CVE-1020", "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5" }, { "fixes": [ { "cve": "CVE", "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3" } ], "summary": "this fixes CVE", "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5" }, { "fixes": [ { "cve": "CVE", "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3" } ], "summary": "this fixed CVE", "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5" }, { "fixes": [ { "id": "2134", "cve": "CVE-1" } ], "summary": "this fixes CVE-1", "diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5" } ], "dependency_files": [], "scan": { "analyzer": { "id": "common-analyzer", "name": "Common Analyzer", "url": "https://site.com/analyzer/common", "version": "2.0.1", "vendor": { "name": "Common" } }, "scanner": { "id": "gemnasium", "name": "Gemnasium top-level", "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven", "vendor": { "name": "GitLab" }, "version": "2.18.0" }, "type": "dependency_scanning", "start_time": "2022-08-10T21:37:00", "end_time": "2022-08-10T21:38:00", "status": "success" }, "version": "14.0.2" }