feat(report): add CVSS vectors in sarif report #9157
Conversation
pkg/report/sarif_test.go
Outdated
},
"precision": "very-high",
"security-severity": "8.0",
"cvss-vector": nil,
nit: It makes no sense to add the value nil here.
Same for the other lines below.
tests aren't passing without nil, failing here:
--- Expected
+++ Actual
@@ -73,3 +73,4 @@
MessageStrings: (*sarif.MessageStrings)(<nil>),
- Properties: (sarif.Properties) (len=3) {
+ Properties: (sarif.Properties) (len=4) {
+ (string) (len=11) "cvss-vector": (interface {}) <nil>,
pkg/report/sarif.go
Outdated
},
"precision": "very-high",
"security-severity": data.cvssScore,
"cvss-vector": data.cvssVector,
Do you have documentation about this field or official examples?
We need to make sure we are using the correct names/structure for this property.
It is called cvss in json output, @axidex you can follow that naming, I guess
renamed field from cvss-vector to cvss
JSON ref
This is our (Trivy) field name.
But I told about sarif schema.
Does sarif use similar fields?
> This is our (Trivy) field name. But I told about sarif schema. Does sarif use similar fields?
I didn't see anything like that in semgrep, codeql or any other tools
Created a structure for this:
type CVSSData struct {
	CVSSV2Vector string `json:"cvssv2_vector,omitempty"`
	CVSSV2Score float64 `json:"cvssv2_score,omitempty"`
	CVSSV3Vector string `json:"cvssv3_vector,omitempty"`
	CVSSV3Score float64 `json:"cvssv3_score,omitempty"`
	CVSSV40Vector string `json:"cvssv40_vector,omitempty"`
	CVSSV40Score float64 `json:"cvssv40_score,omitempty"`
}
No need to create struct for this.
cvssv2_score is property. (same for other fields)
So should be (example):
"properties": {
"cvssv2_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvssv2_score": 5,
"cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"cvssv3_score": 5.3,
"precision": "very-high",
> No need to create struct for this. cvssv2_score is property. (same for other fields) So should be (example): "properties": { "cvssv2_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvssv2_score": 5, "cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvssv3_score": 5.3, "precision": "very-high",
Changed this in the new version
LGTM.
I created a small refactoring, can you take a look:
diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
index 2e2268450..ee7f2b87b 100644
--- a/pkg/report/sarif.go
+++ b/pkg/report/sarif.go
@@ -43,17 +43,6 @@ var (
pathRegex = regexp.MustCompile(`(?P<path>.+?)(?:\s*\((?:.*?)\).*?)?$`)
)
-type CVSSData struct {
- CVSSV2Vector string
- CVSSV2Score float64
-
- CVSSV3Vector string
- CVSSV3Score float64
-
- CVSSV40Vector string
- CVSSV40Score float64
-}
-
// SarifWriter implements result Writer
type SarifWriter struct {
Output io.Writer
@@ -78,7 +67,7 @@ type sarifData struct {
locationMessage string
message string
cvssScore string
- cvssData CVSSData
+ cvssData map[string]any
locations []location
}
@@ -100,7 +89,7 @@ func (sw *SarifWriter) addSarifRule(data *sarifData) {
WithDefaultConfiguration(&sarif.ReportingConfiguration{
Level: toSarifErrorLevel(data.severity),
}).
- WithProperties(MakeProperties(data.title, data.severity, data.cvssScore, data.cvssData))
+ WithProperties(toProperties(data.title, data.severity, data.cvssScore, data.cvssData))
if data.url != nil && data.url.String() != "" {
r.WithHelpURI(data.url.String())
}
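Review bot: renaming the exported `MakeProperties` to the unexported `toProperties` matches the `toSarifErrorLevel` / `toUri` helpers already in this file, but the old name was exported, so grep the package (including `sarif_test.go`, which this thread already touches) for remaining references before merging, otherwise the test build breaks.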
@@ -162,12 +151,13 @@ func (sw *SarifWriter) Write(_ context.Context, report types.Report) error {
if vuln.PkgPath != "" {
path = ToPathUri(vuln.PkgPath, res.Class)
}
+ cvssData, cvssScore := toCVSSData(vuln)
sw.addSarifResult(&sarifData{
title: "vulnerability",
vulnerabilityId: vuln.VulnerabilityID,
severity: vuln.Severity,
- cvssScore: getCVSSScore(vuln),
- cvssData: getCVSSData(vuln),
+ cvssScore: cvssScore,
+ cvssData: cvssData,
url: toUri(vuln.PrimaryURL),
resourceClass: res.Class,
artifactLocation: toUri(path),
@@ -419,29 +409,25 @@ func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Pa
return locs
}
-func getCVSSScore(vuln types.DetectedVulnerability) string {
- // Take the vendor score
- if cvss, ok := vuln.CVSS[vuln.SeveritySource]; ok {
- return fmt.Sprintf("%.1f", cvss.V3Score)
- }
-
- // Converts severity to score
- return severityToScore(vuln.Severity)
-}
-
-func getCVSSData(vuln types.DetectedVulnerability) CVSSData {
+// toCVSSData extracts CVSS data from the vulnerability and returns it along with the score.
+// If CVSS V3 Score is not available, it returns an empty CVSSData struct and a score based on severity.
+func toCVSSData(vuln types.DetectedVulnerability) (map[string]any, string) {
+ score := severityToScore(vuln.Severity)
+ var data = make(map[string]any)
if cvss, ok := vuln.CVSS[vuln.SeveritySource]; ok {
- return CVSSData{
- CVSSV2Score: cvss.V2Score,
- CVSSV2Vector: cvss.V2Vector,
- CVSSV3Score: cvss.V3Score,
- CVSSV3Vector: cvss.V3Vector,
- CVSSV40Score: cvss.V40Score,
- CVSSV40Vector: cvss.V40Vector,
+ data["cvssv2_vector"] = cvss.V2Vector
+ data["cvssv2_score"] = cvss.V2Score
+ data["cvssv3_vector"] = cvss.V3Vector
+ data["cvssv3_score"] = cvss.V3Score
+ data["cvssv40_vector"] = cvss.V40Vector
+ data["cvssv40_score"] = cvss.V40Score
+
+ if cvss.V3Score != 0 {
+ score = fmt.Sprintf("%.1f", cvss.V3Score)
}
}
- return CVSSData{}
+ return data, score
}
func severityToScore(severity string) string {
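Review bot: the doc comment on `toCVSSData` is stale: it says the function "returns an empty CVSSData struct", but this hunk returns a `map[string]any` (and a non-nil empty map at that). It is also worth stating in the comment that `security-severity` is derived only from `cvss.V3Score`: a vulnerability whose severity source carries just a v2 or v4.0 score still gets its vector keys emitted, while the score falls back to `severityToScore(vuln.Severity)`, so the two numbers in one property bag can come from different scales.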
@@ -459,7 +445,7 @@ func severityToScore(severity string) string {
}
}
-func MakeProperties(title, severity, cvssScore string, cvssData CVSSData) sarif.Properties {
+func toProperties(title, severity, cvssScore string, cvssData map[string]any) sarif.Properties {
properties := sarif.Properties{
"tags": []string{
title,
@@ -470,28 +456,18 @@ func MakeProperties(title, severity, cvssScore string, cvssData CVSSData) sarif.
"security-severity": cvssScore,
}
- // Add CVSS v2
- if cvssData.CVSSV2Vector != "" {
- properties["cvssv2_vector"] = cvssData.CVSSV2Vector
- }
- if cvssData.CVSSV2Score != 0 {
- properties["cvssv2_score"] = cvssData.CVSSV2Score
- }
-
- // Add CVSS v3
- if cvssData.CVSSV3Vector != "" {
- properties["cvssv3_vector"] = cvssData.CVSSV3Vector
- }
- if cvssData.CVSSV3Score != 0 {
- properties["cvssv3_score"] = cvssData.CVSSV3Score
- }
-
- // Add CVSS v4
- if cvssData.CVSSV40Vector != "" {
- properties["cvssv40_vector"] = cvssData.CVSSV40Vector
- }
- if cvssData.CVSSV40Score != 0 {
- properties["cvssv40_score"] = cvssData.CVSSV40Score
+ for key, value := range cvssData {
+ switch v := value.(type) {
+ case string:
+ if v == "" {
+ continue
+ }
+ case float64:
+ if v == 0 {
+ continue
+ }
+ }
+ properties[key] = value
}
return properties
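Review bot: the type switch in `toProperties` only skips empty `string` and zero `float64` values; any other type placed in the map is copied through unfiltered, so the filtering contract silently depends on `toCVSSData` inserting only those two types. A short comment saying so (or splitting the input into `map[string]string` vectors and `map[string]float64` scores) would make that explicit. Separately, `security-severity` remains a string (`"5.3"`) while the new `cvssv*_score` keys are JSON numbers; that keeps the existing convention for `security-severity`, but a consumer that wants to compare the two has to parse one of them.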
Thank you for the refactoring! I have made changes based on your suggestions.
@axidex Thanks for your work! One quick question: where do you plan to use these files (with the new fields)?
I used it in the orchestration of security testing tools. The unified entry point for completing scans is the parsing of SARIF reports. I have a unified structure for SARIF, but it is not compatible with JSON. These fields will be used to create a combined report about the whole system (based on SCA, SS, SAST, DAST/MDAST, etc.).
DmitriyLewen
left a comment
LGTM.
Left 1 small comment.
@knqyf263, can you take a look too?
aws doesn't use all the fields you add, but the changes preserve their logic.
pkg/report/sarif.go
Outdated
data["cvssv3_vector"] = cvss.V3Vector
data["cvssv3_score"] = cvss.V3Score
data["cvssv40_vector"] = cvss.V40Vector
data["cvssv40_score"] = cvss.V40Score
I copied the keys incorrectly.
aws uses cvssv3_baseScore.
Can you update these fields?
Done.
wdyt about cvssv40_score.
aws used another name for v3 (score -> baseScore)
perhaps make sense use "new" format for v40?
i mean cvssv40_baseScore
> wdyt about cvssv40_score. aws used another name for v3 (score -> baseScore) perhaps make sense use "new" format for v40? i mean cvssv40_baseScore
If you mean to make changes like this:
cvssv40_score -> cvssv40_baseScore
and
cvssv3_baseScore -> cvssv3_score
I think it's good. But we should migrate this too:
if cvss.V3Score != 0 {
score = fmt.Sprintf("%.1f", cvss.V3Score)
}
My suggest:
cvssv2_vector
cvssv2_score
cvssv3_vector
cvssv3_baseScore
cvssv40_vector
cvssv40_baseScore
Changed from cvssv40_score to cvssv40_baseScore
DmitriyLewen
left a comment
Thanks for your contribution!
LGTM
@knqyf263 can you take a quick look?
data["cvssv2_vector"] = cvss.V2Vector
data["cvssv2_score"] = cvss.V2Score
data["cvssv3_vector"] = cvss.V3Vector
data["cvssv3_baseScore"] = cvss.V3Score
Could you add a comment on why we chose cvssv3_baseScore with a mix of camel and snake cases? I guess you referenced https://docs.aws.amazon.com/codecatalyst/latest/userguide/test.sarif.html, but I would like to clarify it for future reference.
> Could you add a comment on why we chose cvssv3_baseScore with a mix of camel and snake cases? I guess you referenced https://docs.aws.amazon.com/codecatalyst/latest/userguide/test.sarif.html, but I would like to clarify it for future reference.
Added comments in a073a27
Description
Adding CVSS vector information to Rule.Properties. This was previously added to the JSON output in PR #484.
Output
Before
{ "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "runs": [ { "tool": { "driver": { "fullName": "Trivy Vulnerability Scanner", "informationUri": "https://github.com/aquasecurity/trivy", "name": "Trivy", "rules": [ { "id": "CVE-2019-1549", "name": "OsPackageVulnerability", "shortDescription": { "text": "openssl: information disclosure in fork()" }, "fullDescription": { "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)." }, "defaultConfiguration": { "level": "warning" }, "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549", "help": { "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. 
If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)." }, "properties": { "precision": "very-high", "security-severity": "5.3", "tags": [ "vulnerability", "security", "MEDIUM" ] } } ], "version": "dev" } }, "results": [...], "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { "uri": "file:///" } }, "properties": { "imageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4", "imageName": "testdata/fixtures/images/alpine-310.tar.gz", "repoDigests": null, "repoTags": null } } ] }
After
{ "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "runs": [ { "tool": { "driver": { "fullName": "Trivy Vulnerability Scanner", "informationUri": "https://github.com/aquasecurity/trivy", "name": "Trivy", "rules": [ { "id": "CVE-2019-1549", "name": "OsPackageVulnerability", "shortDescription": { "text": "openssl: information disclosure in fork()" }, "fullDescription": { "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)." }, "defaultConfiguration": { "level": "warning" }, "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549", "help": { "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. 
If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)." }, "properties": { "cvss": { "cvssv2_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvssv2_score": 5, "cvssv3_baseScore": 5.3 }, "precision": "very-high", "security-severity": "5.3", "tags": [ "vulnerability", "security", "MEDIUM" ] } } ], "version": "dev" } }, "results": [...], "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { "uri": "file:///" } }, "properties": { "imageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4", "imageName": "testdata/fixtures/images/alpine-310.tar.gz", "repoDigests": null, "repoTags": null } } ] }
Properties in rules before
Properties in rules after
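What a SARIF consumer can do with the new property-bag keys, as an added example that is not Trivy's code and not part of this PR: walk the rules, recompute the CVSS v3.x base score from cvssv3_vector using the weights and Roundup function of the CVSS v3.1 specification, and flag any rule whose cvssv3_baseScore or security-severity disagrees with its vector (a stale or hand-edited score is otherwise invisible to a downstream report). The SARIF document inside is constructed for the example and trimmed to the fields used: the CVE-2019-1549 rule is modelled on the "After" output above, with the CVSS keys at the top level of the property bag as in the reviewed toProperties diff; the EXAMPLE-* rule ids and their values are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// sarifLog is the minimal view of a SARIF 2.1.0 log needed to reach each rule's property bag.
type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Rules []struct {
					ID         string         `json:"id"`
					Properties map[string]any `json:"properties"`
				} `json:"rules"`
			} `json:"driver"`
		} `json:"tool"`
	} `json:"runs"`
}

// Base-metric weights from the CVSS v3.1 specification (section 7.4); Scope is 0/1 so it validates like the rest.
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "S": {"U": 0, "C": 1}, "C": {"H": 0.56, "L": 0.22, "N": 0},
	"I": {"H": 0.56, "L": 0.22, "N": 0}, "A": {"H": 0.56, "L": 0.22, "N": 0},
}

// prChanged maps the Scope:Unchanged PR weight to the PR weight used once Scope is Changed (N stays 0.85).
var prChanged = map[float64]float64{0.62: 0.68, 0.27: 0.50}

// roundUp is the specification's Roundup: round up to one decimal, ignoring float noise below 1e-5.
func roundUp(x float64) float64 {
	i := math.Round(x * 100000)
	if math.Mod(i, 10000) == 0 {
		return i / 100000
	}
	return (math.Floor(i/10000) + 1) / 10
}

// BaseScoreV3 parses a CVSS:3.0 or CVSS:3.1 base vector and recomputes its base score.
func BaseScoreV3(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if parts[0] != "CVSS:3.1" && parts[0] != "CVSS:3.0" {
		return 0, fmt.Errorf("not a CVSS v3 base vector: %q", vector)
	}
	w := map[string]float64{} // metric name -> weight
	for _, p := range parts[1:] {
		name, val, _ := strings.Cut(p, ":")
		if v, ok := weights[name][val]; ok {
			w[name] = v
		}
	}
	if len(w) != len(weights) {
		return 0, fmt.Errorf("missing or unknown base metric in %q", vector)
	}
	changed := w["S"] == 1
	if v, ok := prChanged[w["PR"]]; changed && ok {
		w["PR"] = v
	}
	iss := 1 - (1-w["C"])*(1-w["I"])*(1-w["A"])
	impact, scale := 6.42*iss, 1.0
	if changed {
		impact, scale = 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15), 1.08
	}
	if impact <= 0 {
		return 0, nil
	}
	return roundUp(math.Min(scale*(impact+8.22*w["AV"]*w["AC"]*w["PR"]*w["UI"]), 10)), nil
}

// CheckCVSSProperties cross-checks cvssv3_baseScore and security-severity against cvssv3_vector and
// returns the problems found per rule id; rules without a v3 vector (severity-only fallback) are skipped.
func CheckCVSSProperties(sarifJSON []byte) (map[string][]string, error) {
	var log sarifLog
	if err := json.Unmarshal(sarifJSON, &log); err != nil {
		return nil, err
	}
	problems := map[string][]string{}
	for _, run := range log.Runs {
		for _, rule := range run.Tool.Driver.Rules {
			vec, ok := rule.Properties["cvssv3_vector"].(string)
			if !ok {
				continue
			}
			computed, err := BaseScoreV3(vec)
			if err != nil {
				problems[rule.ID] = append(problems[rule.ID], err.Error())
				continue
			}
			stored, _ := rule.Properties["cvssv3_baseScore"].(float64)                         // JSON numbers decode to float64 under `any`
			sev, _ := strconv.ParseFloat(fmt.Sprint(rule.Properties["security-severity"]), 64) // security-severity is a string, e.g. "5.3"
			for key, got := range map[string]float64{"cvssv3_baseScore": stored, "security-severity": sev} {
				if got != computed {
					problems[rule.ID] = append(problems[rule.ID], fmt.Sprintf("%s is %g but %s scores %g", key, got, vec, computed))
				}
			}
		}
	}
	return problems, nil
}

// sampleSARIF is constructed for this example: CVE-2019-1549 follows the PR's "After" output (keys at top level),
// EXAMPLE-STALE-SCORE carries scores that no longer match its vector, EXAMPLE-NO-CVSS has no CVSS data at all.
const sampleSARIF = `{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Trivy", "rules": [
 {"id": "CVE-2019-1549", "properties": {"cvssv2_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvssv2_score": 5,
  "cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvssv3_baseScore": 5.3,
  "precision": "very-high", "security-severity": "5.3", "tags": ["vulnerability", "security", "MEDIUM"]}},
 {"id": "EXAMPLE-STALE-SCORE", "properties": {"cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvssv3_baseScore": 7.5, "security-severity": "7.5", "tags": ["vulnerability", "security", "HIGH"]}},
 {"id": "EXAMPLE-NO-CVSS", "properties": {"security-severity": "5.0", "tags": ["vulnerability", "security", "MEDIUM"]}}
]}}, "results": []}]}`

func main() {
	problems, err := CheckCVSSProperties([]byte(sampleSARIF))
	fmt.Println(problems, err)
}
```

Rules that carry only security-severity (the severity-based fallback the PR keeps) are skipped rather than flagged, because there is no vector to check against; a v2-only or v4.0-only vector is likewise left alone, since only the v3 formula is implemented here. The comparison uses exact float equality on purpose: both sides are one-decimal values produced by correctly rounded conversions, so any difference is a real score mismatch, not drift.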
Related PRs
Checklist