diff --git a/README.md b/README.md index 094dea44..806005f9 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ ## Required parameters -- `api.osvnvd.host` The host where the [ONGuard](https://github.com/RHEcosystemAppEng/onguard) service is deployed +- `api.onguard.host` The host where the [ONGuard](https://github.com/RHEcosystemAppEng/onguard) service is deployed - `api.snyk.token` Snyk API token for default authentication when the Snyk integration is enabled ## OpenAPI and SwaggerUI diff --git a/dashboards/grafana-dashboard-exhort.configmap.yaml b/dashboards/grafana-dashboard-exhort.configmap.yaml index 465713d8..fbbe9207 100644 --- a/dashboards/grafana-dashboard-exhort.configmap.yaml +++ b/dashboards/grafana-dashboard-exhort.configmap.yaml @@ -1021,7 +1021,7 @@ data: "uid": "${datasource}" }, "editorMode": "code", - "expr": "histogram_quantile(0.90, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))", + "expr": "histogram_quantile(0.90, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))", "legendFormat": "0.90", "range": true, "refId": "A" @@ -1032,7 +1032,7 @@ data: "uid": "${datasource}" }, "editorMode": "code", - "expr": "histogram_quantile(0.95, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))", + "expr": "histogram_quantile(0.95, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))", "hide": false, "legendFormat": "0.95", "range": true, @@ -1044,7 +1044,7 @@ data: "uid": "${datasource}" }, "editorMode": "code", - "expr": "histogram_quantile(0.99, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))", + "expr": "histogram_quantile(0.99, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))", "hide": false, "legendFormat": "0.99", "range": true, 
diff --git a/src/main/java/com/redhat/exhort/config/metrics/CustomMetrics.java b/src/main/java/com/redhat/exhort/config/metrics/CustomMetrics.java index 7fa50550..9691530d 100644 --- a/src/main/java/com/redhat/exhort/config/metrics/CustomMetrics.java +++ b/src/main/java/com/redhat/exhort/config/metrics/CustomMetrics.java @@ -42,7 +42,7 @@ public class CustomMetrics { "snykValidateToken", "snykRequest", "getTrustedContent", - "osvNvdRequest", + "osvRequest", "ossValidateCredentials", "ossSplitReq", "ossIndexRequest", diff --git a/src/main/java/com/redhat/exhort/integration/Constants.java b/src/main/java/com/redhat/exhort/integration/Constants.java index 88e62812..d17e3e28 100644 --- a/src/main/java/com/redhat/exhort/integration/Constants.java +++ b/src/main/java/com/redhat/exhort/integration/Constants.java @@ -60,7 +60,7 @@ private Constants() {} public static final String SNYK_PROVIDER = "snyk"; public static final String OSS_INDEX_PROVIDER = "oss-index"; public static final String TRUSTED_CONTENT_PROVIDER = "trusted-content"; - public static final String OSV_NVD_PROVIDER = "osv-nvd"; + public static final String OSV_PROVIDER = "osv"; public static final String UNKNOWN_PROVIDER = "unknown"; public static final String HTTP_UNAUTHENTICATED = "Unauthenticated"; @@ -117,7 +117,7 @@ private Constants() {} { add(SNYK_PROVIDER); add(OSS_INDEX_PROVIDER); - add(OSV_NVD_PROVIDER); + add(OSV_PROVIDER); } }); diff --git a/src/main/java/com/redhat/exhort/integration/providers/ProviderHealthCheck.java b/src/main/java/com/redhat/exhort/integration/providers/ProviderHealthCheck.java index b480d99d..bfc310ac 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/ProviderHealthCheck.java +++ b/src/main/java/com/redhat/exhort/integration/providers/ProviderHealthCheck.java 
@@ -30,7 +30,7 @@ public class ProviderHealthCheck extends AbstractHealthCheck { private static final List ALL_PROVIDERS_HEALTH_CHECKS = - List.of("direct:snykHealthCheck", "direct:osvNvdHealthCheck", "direct:ossIndexHealthCheck"); + List.of("direct:snykHealthCheck", "direct:osvHealthCheck", "direct:ossIndexHealthCheck"); public ProviderHealthCheck() { super("External Providers Readiness Check"); diff --git a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java index cd64a3c0..93f6abd6 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java +++ b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java @@ -51,8 +51,8 @@ public class VulnerabilityProvider { @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false") boolean ossIndexDisabled; - @ConfigProperty(name = "api.osvnvd.disabled", defaultValue = "false") - boolean osvNvdDisabled; + @ConfigProperty(name = "api.onguard.disabled", defaultValue = "false") + boolean osvDisabled; private List providers; @@ -63,7 +63,7 @@ public void initProviders() { Constants.PROVIDERS.stream() .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled)) .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled)) - .filter(p -> !(Constants.OSV_NVD_PROVIDER.equals(p) && osvNvdDisabled)) + .filter(p -> !(Constants.OSV_PROVIDER.equals(p) && osvDisabled)) .toList()); } @@ -79,7 +79,7 @@ public List getProviderEndpoints( switch (p) { case Constants.SNYK_PROVIDER -> "direct:snykScan"; case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan"; - case Constants.OSV_NVD_PROVIDER -> "direct:osvNvdScan"; + case Constants.OSV_PROVIDER -> "direct:osvScan"; default -> throw new UnexpectedProviderException(new RuntimeException(p)); }) .collect(Collectors.toList()); 
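Review bot: Renaming the `@ConfigProperty` in VulnerabilityProvider from `api.osvnvd.disabled` to `api.onguard.disabled` while keeping `defaultValue = "false"` means a deployment that still sets the old key (or its environment-variable form, `API_OSVNVD_DISABLED`) will silently have the OSV provider re-enabled after upgrade, because nothing in this commit reads the old name. If a transition is wanted, a second property such as `@ConfigProperty(name = "api.osvnvd.disabled") Optional<Boolean> legacyOsvDisabled;` folded into the filter in `initProviders()` would keep existing settings honoured; otherwise the rename should at least be called out for operators, and the same applies to `api.osvnvd.host` / `api.osvnvd.management.host` changed in application.properties and OsvIntegration. The bodies of `initProviders()` and `getProviderEndpoints` continue outside the hunk.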
diff --git a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvIntegration.java similarity index 78% rename from src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdIntegration.java rename to src/main/java/com/redhat/exhort/integration/providers/osv/OsvIntegration.java index 6ab336c3..d31b0968 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvIntegration.java @@ -16,7 +16,7 @@ * limitations under the License. */ -package com.redhat.exhort.integration.providers.osvnvd; +package com.redhat.exhort.integration.providers.osv; import org.apache.camel.Exchange; import org.apache.camel.builder.endpoint.EndpointRouteBuilder; 
@@ -32,59 +32,59 @@ import jakarta.ws.rs.core.Response; @ApplicationScoped -public class OsvNvdIntegration extends EndpointRouteBuilder { +public class OsvIntegration extends EndpointRouteBuilder { - @ConfigProperty(name = "api.osvnvd.timeout", defaultValue = "30s") + @ConfigProperty(name = "api.onguard.timeout", defaultValue = "30s") String timeout; @Inject VulnerabilityProvider vulnerabilityProvider; - @Inject OsvNvdResponseHandler responseHandler; + @Inject OsvResponseHandler responseHandler; @Override public void configure() throws Exception { // fmt:off - from(direct("osvNvdScan")) - .routeId("osvNvdScan") + from(direct("osvScan")) + .routeId("osvScan") .circuitBreaker() .faultToleranceConfiguration() .timeoutEnabled(true) .timeoutDuration(timeout) .end() - .transform(method(OsvNvdRequestBuilder.class, "buildRequest")) - .to(direct("osvNvdRequest")) + .transform(method(OsvRequestBuilder.class, "buildRequest")) + .to(direct("osvRequest")) .onFallback() .process(responseHandler::processResponseError) .end() .transform().method(responseHandler, "buildReport"); - from(direct("osvNvdRequest")) - .routeId("osvNvdRequest") + from(direct("osvRequest")) + .routeId("osvRequest") .process(this::processRequest) - .to(vertxHttp("{{api.osvnvd.host}}")) + .to(vertxHttp("{{api.onguard.host}}")) .transform().method(responseHandler, "responseToIssues"); - from(direct("osvNvdHealthCheck")) - .routeId("osvNvdHealthCheck") - .setProperty(Constants.PROVIDER_NAME, constant(Constants.OSV_NVD_PROVIDER)) + from(direct("osvHealthCheck")) + .routeId("osvHealthCheck") + .setProperty(Constants.PROVIDER_NAME, constant(Constants.OSV_PROVIDER)) .choice() - .when(method(vulnerabilityProvider, "getEnabled").contains(Constants.OSV_NVD_PROVIDER)) - .to(direct("osvNvdHealthCheckEndpoint")) + .when(method(vulnerabilityProvider, "getEnabled").contains(Constants.OSV_PROVIDER)) + .to(direct("osvHealthCheckEndpoint")) .otherwise() .to(direct("healthCheckProviderDisabled")); - 
from(direct("osvNvdHealthCheckEndpoint")) - .routeId("osvNvdHealthCheckEndpoint") + from(direct("osvHealthCheckEndpoint")) + .routeId("osvHealthCheckEndpoint") .process(this::processHealthRequest) .circuitBreaker() .faultToleranceConfiguration() .timeoutEnabled(true) .timeoutDuration(timeout) .end() - .to(vertxHttp("{{api.osvnvd.management.host}}")) + .to(vertxHttp("{{api.onguard.management.host}}")) .setHeader(Exchange.HTTP_RESPONSE_TEXT,constant("Service is up and running")) .setBody(constant("Service is up and running")) .onFallback() - .setBody(constant(Constants.OSV_NVD_PROVIDER + "Service is down")) + .setBody(constant(Constants.OSV_PROVIDER + "Service is down")) .setHeader(Exchange.HTTP_RESPONSE_CODE,constant(Response.Status.SERVICE_UNAVAILABLE)) .end(); // fmt:on diff --git a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdRequestBuilder.java b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvRequestBuilder.java similarity index 93% rename from src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdRequestBuilder.java rename to src/main/java/com/redhat/exhort/integration/providers/osv/OsvRequestBuilder.java index a41fed89..54835f4c 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdRequestBuilder.java +++ b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvRequestBuilder.java @@ -16,7 +16,7 @@ * limitations under the License. */ -package com.redhat.exhort.integration.providers.osvnvd; +package com.redhat.exhort.integration.providers.osv; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; @@ -26,7 +26,7 @@ import io.quarkus.runtime.annotations.RegisterForReflection; @RegisterForReflection -public class OsvNvdRequestBuilder { +public class OsvRequestBuilder { private ObjectMapper mapper = ObjectMapperProducer.newInstance(); 
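Review bot: The fallback body of the renamed `osvHealthCheckEndpoint` route, `.setBody(constant(Constants.OSV_PROVIDER + "Service is down"))`, concatenates without a separator and now produces `osvService is down`; `Constants.OSV_PROVIDER + " Service is down"` gives a readable readiness message. On the same route `Exchange.HTTP_RESPONSE_CODE` is set to the `Response.Status` enum constant rather than a numeric status; if whatever aggregates the health result compares the header as an int, `Response.Status.SERVICE_UNAVAILABLE.getStatusCode()` is the safer value, which is worth confirming against ProviderHealthCheck. The `configure()` method closes outside the hunk.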
diff --git a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandler.java similarity index 94% rename from src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java rename to src/main/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandler.java index 0709811d..60625446 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java +++ b/src/main/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandler.java @@ -16,7 +16,7 @@ * limitations under the License. */ -package com.redhat.exhort.integration.providers.osvnvd; +package com.redhat.exhort.integration.providers.osv; import java.io.IOException; import java.util.ArrayList; @@ -51,13 +51,13 @@ @ApplicationScoped @RegisterForReflection -public class OsvNvdResponseHandler extends ProviderResponseHandler { +public class OsvResponseHandler extends ProviderResponseHandler { @Inject ObjectMapper mapper; @Override protected String getProviderName() { - return Constants.OSV_NVD_PROVIDER; + return Constants.OSV_PROVIDER; } @Override @@ -84,9 +84,9 @@ private List toIssues(String ref, ArrayNode response) { List issues = new ArrayList<>(); response.forEach( data -> { - var issue = new Issue().source(Constants.OSV_NVD_PROVIDER); + var issue = new Issue().source(Constants.OSV_PROVIDER); - String cve = getTextValue(data, "cveId"); + String cve = getTextValue(data, "id"); if (cve == null) { return; } diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 98dd7c6a..3a6035c7 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
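Review bot: In `toIssues`, the response field read per entry changes from `cveId` to `id`, but the value is still stored in a variable named `cve` and presumably becomes the issue identifier; if the ONGuard `id` is an OSV-style identifier that is not always a CVE number, the name misleads and any consumer that formats it as a CVE link may need checking. Either rename the local, `String id = getTextValue(data, "id");`, or, if only CVE ids are expected from ONGuard, state that with a comment such as `// ONGuard reports the vulnerability identifier under "id"; expected to be a CVE id`. This wire-format change is also not reflected in the README hunk, which only documents the host property. The `toIssues` method continues past the hunk.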
@@ -12,8 +12,8 @@ api.snyk.host=https://app.snyk.io/api/v1 # api.snyk.disabled=true api.trustedcontent.host=https://exhort.trust.rhcloud.com/api/v1/ -api.osvnvd.host=http://onguard:8080/ -api.osvnvd.management.host=http://onguard:9000/ +api.onguard.host=http://onguard:8080/ +api.onguard.management.host=http://onguard:9000/ api.ossindex.host=https://ossindex.sonatype.org/api/v3 diff --git a/src/main/resources/freemarker/templates/generated/main.js b/src/main/resources/freemarker/templates/generated/main.js index d074844c..dc271fc6 100644 --- a/src/main/resources/freemarker/templates/generated/main.js +++ b/src/main/resources/freemarker/templates/generated/main.js 
@@ -1 +1 @@ -!function(){"use strict";var e={31958:function(e,n,r){var i=r(68963),t=r(63609),a=(r(13218),r(19559)),s=r(39714),o=r(34187),c=r(15671),l=r(43144),d="maven",u="https://pkg.go.dev/",h="https://www.npmjs.com/package/",g="https://pypi.org/project/",v="__ISSUE_ID__",p="pkg:",x=["oss-index"],j="https://maven.repository.redhat.com/ga/",f=/%[0-9A-Fa-f]{2}/,m=function(e){return"oss-index"===e?"https://ossindex.sonatype.org/user/register":""},y=function(e,n){var r=N.fromString(e),i=function(e){var n="";return e.namespace&&(n=e.type===d?"".concat(e.namespace,":"):"".concat(e.namespace,"/")),n+"".concat(e.name)}(r);return n?i+"@".concat(r.version):i},I=function(e){var n=N.fromString(e),r=j;if(n.namespace){var i,t=null===(i=n.namespace)||void 0===i?void 0:i.replace(/\./g,"/");return"".concat(j).concat(t,"/").concat(n.name,"/").concat(n.version)}return r},b=function(e){var n=N.fromString(e);switch(n.type){case d:var r=n.version;if(null!==r&&void 0!==r&&r.includes("redhat")){var i,t=null===(i=n.namespace)||void 0===i?void 0:i.replace(/\./g,"/");return"".concat(j).concat(t,"/").concat(n.name,"/").concat(n.version)}return"".concat("https://central.sonatype.com/artifact/").concat(n.namespace,"/").concat(n.name,"/").concat(n.version);case"golang":var a=n.version;return null!==a&&void 0!==a&&a.match(/v\d\.\d.\d-\d{14}-\w{12}/)?"".concat(u).concat(n.namespace,"/").concat(n.name):"".concat(u).concat(n.namespace,"/").concat(n.name,"@").concat(n.version);case"npm":return n.namespace?"".concat(h).concat(n.namespace,"/").concat(n.name,"/v/").concat(n.version):"".concat(h).concat(n.name,"/v/").concat(n.version);case"pypi":return n.namespace?"".concat(g).concat(n.namespace,"/").concat(n.name,"/").concat(n.version):"".concat(g).concat(n.name,"/").concat(n.version);default:return n.toString()}},C=function(e){var n=N.fromString(e).version;return n||""},M=function(e,n,r){switch(e){case"snyk":return r.snykIssueTemplate.replace(v,n);case"oss-index":return 
r.ossIssueTemplate.replace(v,n);case"osv-nvd":return r.nvdIssueTemplate.replace(v,n)}},T=function(e){return e.toLowerCase().replace(/./,(function(e){return e.toUpperCase()}))},A=function(e){var n=S(e),r="";if(n.repository_url){var i=n.repository_url.indexOf("/");r+=-1!==i?n.repository_url.substring(i+1):""}else r+="".concat(n.short_name);return n.tag&&(r+=":".concat(n.tag)),r},S=function(e){var n=e.split("?"),r=n[0],i=n[1],t=new URLSearchParams(i),a=t.get("repository_url")||"",s=t.get("tag")||"",o=t.get("arch")||"",c=r.split("@");return{repository_url:a,tag:s,short_name:c[0].substring(c[0].indexOf("/")+1),version:r.substring(r.lastIndexOf("@")).replace("%3A",":"),arch:o}},w=function(e,n,r){var i=P(n);for(var t in i){var a=i[t].report.dependencies;if(a){var s=Object.values(a).find((function(n){var r,i=n.ref,t=decodeURIComponent(i),a=(r=e,f.test(r)?decodeURIComponent(e):e);return N.fromString(t).toString()===N.fromString(a).toString()}));if(s&&s.recommendation){var o=decodeURIComponent(s.recommendation),c=D(o,r);if(void 0!==c)return c}}}return"https://catalog.redhat.com/software/containers/search"},D=function(e,n){var r=JSON.parse(n).find((function(n){return N.fromString(n.purl).toString()===N.fromString(e).toString()}));return null===r||void 0===r?void 0:r.catalogUrl},N=function(){function e(n,r,i,t){(0,c.Z)(this,e),this.type=void 0,this.namespace=void 0,this.name=void 0,this.version=void 0,this.type=n,this.namespace=r,this.name=i,this.version=t}return(0,l.Z)(e,[{key:"toString",value:function(){var e=this.name;return this.version&&(e+="@".concat(this.version)),this.namespace?"".concat(p).concat(this.type,"/").concat(this.namespace,"/").concat(e):"".concat(p).concat(this.type,"/").concat(e)}}],[{key:"fromString",value:function(n){var r=n.replace(p,""),i=r.indexOf("?");-1!==i&&(r=r.substring(0,i));var t,a,s=r.substring(0,r.indexOf("/")),o=r.split("/");o.length>2&&(t=o.slice(1,o.length-1).join("/")),-1!==r.indexOf("@")&&(a=r.substring(r.indexOf("@")+1));var 
c=o[o.length-1];return a&&(c=c.substring(0,c.indexOf("@"))),new e(s,t,c,a)}}]),e}();function P(e){var n=[];return Object.keys(e.providers).forEach((function(r){var i=e.providers[r].sources;void 0!==i&&Object.keys(i).length>0?Object.keys(i).forEach((function(e){n.push({provider:r,source:e,report:i[e]})})):"trusted-content"!==r&&n.push({provider:r,source:r,report:{}})})),n.sort((function(e,n){return 0===Object.keys(e.report).length&&0===Object.keys(n.report).length?""===m(e.provider)?""===m(n.provider)?0:-1:1:Object.keys(n.report).length-Object.keys(e.report).length}))}function k(e){return void 0===e?"unknown":e.provider!==e.source?"$item.provider/$item.source":e.provider}function O(e){var n;return!(!e.remediation||!(e.remediation.fixedIn||null!==(n=e.remediation)&&void 0!==n&&n.trustedContent))}function Z(e){var n=[];return e.map((function(e){return{dependencyRef:e.ref,vulnerabilities:e.issues||[]}})).forEach((function(e){var r;null===(r=e.vulnerabilities)||void 0===r||r.forEach((function(r){r.cves&&r.cves.length>0?r.cves.forEach((function(i){n.push({id:i,dependencyRef:e.dependencyRef,vulnerability:r})})):n.push({id:r.id,dependencyRef:e.dependencyRef,vulnerability:r})}))})),n.sort((function(e,n){return n.vulnerability.cvssScore-e.vulnerability.cvssScore}))}var L=r(43442),z=r(73324),E=r(96363),B=r(78437),R=r(26798),F=r(62996),_=r(73020),U=r(34223),H=r(11858),G=r(90493),V=r(47065),Y=r(17941),J=r(82355),W=r(38485),Q=r(29090),K=r(2570),q=r(22124),X=r(75859),$=["#800000","#FF0000","#FFA500","#5BA352"],ee=function(e){var n,r,i,t,a,s=e.summary,o=null!==(n=null===s||void 0===s?void 0:s.critical)&&void 0!==n?n:0,c=null!==(r=null===s||void 0===s?void 0:s.high)&&void 0!==r?r:0,l=null!==(i=null===s||void 0===s?void 0:s.medium)&&void 0!==i?i:0,d=null!==(t=null===s||void 0===s?void 0:s.low)&&void 0!==t?t:0,u=null!==(a=null===s||void 0===s?void 0:s.total)&&void 0!==a?a:0,h=o+c+l+d>0,g=h?$:["#D5F5E3"],v=[{name:"Critical: ".concat(o),symbol:{type:"square",fill:$[0]}},{name:"High: 
".concat(c),symbol:{type:"square",fill:$[1]}},{name:"Medium: ".concat(l),symbol:{type:"square",fill:$[2]}},{name:"Low: ".concat(d),symbol:{type:"square",fill:$[3]}}];return(0,X.jsx)("div",{children:(0,X.jsx)(U.e,{style:{paddingBottom:"inherit",padding:"0"},children:(0,X.jsx)(K.b,{children:(0,X.jsx)("div",{style:{height:"230px",width:"350px"},children:(0,X.jsx)(q.H,{constrainToVisibleArea:!0,data:h?[{x:"Critical",y:o},{x:"High",y:c},{x:"Medium",y:l},{x:"Low",y:d}]:[{x:"Empty",y:1e-10}],labels:function(e){var n=e.datum;return"".concat(n.x,": ").concat(n.y)},legendData:v,legendOrientation:"vertical",legendPosition:"right",padding:{left:20,right:140},subTitle:"Unique vulnerabilities",title:"".concat(u),width:350,colorScale:g})})})})})},ne=r(66155),re="",ie=function(e){var n=e.report,r=e.isReportMap,i=e.purl,t=fn(),a="trustification"!==t.rhdaSource?6:void 0;return(0,X.jsxs)(s.r,{hasGutter:!0,children:[(0,X.jsxs)(L.D,{headingLevel:"h3",size:L.H["2xl"],style:{paddingLeft:"15px"},children:[(0,X.jsx)(z.J,{isInline:!0,status:"info",children:(0,X.jsx)(Q.ZP,{style:{fill:"#f0ab00"}})}),"\xa0Red Hat Overview of security Issues"]}),(0,X.jsx)(E.i,{}),(0,X.jsx)(o.P,{children:(0,X.jsxs)(B.Z,{isFlat:!0,isFullHeight:!0,children:[(0,X.jsx)(R.O,{children:(0,X.jsx)(F.l,{children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:r?(0,X.jsxs)(X.Fragment,{children:[i?A(i):"No Image name"," - Vendor Issues"]}):(0,X.jsx)(X.Fragment,{children:"Vendor Issues"})})})}),(0,X.jsxs)(U.e,{children:[(0,X.jsx)(H.g,{children:(0,X.jsx)(G.b,{children:(0,X.jsx)(_.M,{children:"Below is a list of dependencies affected with 
CVE."})})}),(0,X.jsx)(V.o,{isAutoFit:!0,style:{paddingTop:"10px"},children:P(n).map((function(e,n){return(0,X.jsxs)(H.g,{style:{display:"flex",flexDirection:"column",alignItems:"center"},children:[(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:k(e)})}),(0,X.jsx)(G.b,{children:(0,X.jsx)(ee,{summary:e.report.summary})})]},n)}))})]}),(0,X.jsx)(E.i,{})]})}),(0,X.jsxs)(o.P,{md:a,children:[(0,X.jsx)(B.Z,{isFlat:!0,children:(0,X.jsxs)(H.g,{children:[(0,X.jsx)(F.l,{component:"h4",children:(0,X.jsxs)(_.M,{style:{fontSize:"large"},children:[(0,X.jsx)(z.J,{isInline:!0,status:"info",children:(0,X.jsx)(ne.ZP,{style:{fill:"#cc0000"}})}),"\xa0 Red Hat Remediations"]})}),(0,X.jsx)(U.e,{children:(0,X.jsx)(G.b,{children:r?(0,X.jsxs)(Y.aV,{isPlain:!0,children:[(0,X.jsx)(J.H,{children:"Switch to UBI 9 for enhanced security and enterprise-grade stability in your containerized applications, backed by Red Hat's support and compatibility assurance."}),(0,X.jsx)(J.H,{children:(0,X.jsx)("a",{href:i?w(i,n,t.imageMapping):"###",target:"_blank",rel:"noreferrer",children:(0,X.jsx)(W.zx,{variant:"primary",size:"sm",children:"Take me there"})})})]}):(0,X.jsx)(Y.aV,{isPlain:!0,children:P(n).map((function(e,n){return Object.keys(e.report).length>0?(0,X.jsxs)(J.H,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0",e.report.summary.remediations," remediations are available from Red Hat for ",e.provider]}):(0,X.jsxs)(J.H,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0 There are no available Red Hat remediations for your SBOM at this time for ",e.provider]})}))})})})]})}),"\xa0"]}),"trustification"!==t.rhdaSource&&(0,X.jsxs)(o.P,{md:6,children:[(0,X.jsx)(B.Z,{isFlat:!0,children:(0,X.jsxs)(H.g,{children:[(0,X.jsx)(F.l,{component:"h4",children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:"Join to explore Red Hat 
TPA"})}),(0,X.jsx)(U.e,{children:(0,X.jsx)(G.b,{children:(0,X.jsxs)(Y.aV,{isPlain:!0,children:[(0,X.jsx)(J.H,{children:"Check out our new Trusted Profile Analyzer to get visibility and insight into your software risk profile, for instance by exploring vulnerabilites or analyzing SBOMs."}),(0,X.jsx)(J.H,{children:(0,X.jsx)("a",{href:"https://console.redhat.com/application-services/trusted-content",target:"_blank",rel:"noopener noreferrer",children:(0,X.jsx)(W.zx,{variant:"primary",size:"sm",children:"Take me there"})})})]})})})]})}),"\xa0"]})]})},te=r(2933),ae=function(e){var n=e.report,r=Object.keys(n.providers).map((function(e){return n.providers[e].status})).filter((function(e){return!e.ok&&!(!(n=e).ok&&401===n.code&&"Unauthenticated"===n.message&&x.includes(n.name));var n}));return(0,X.jsx)(X.Fragment,{children:r.map((function(e,n){return(0,X.jsx)(te.b,{variant:e.code>=500?te.U.danger:e.code>=400?te.U.warning:void 0,title:"".concat(T(e.name),": ").concat(e.message)},n)}))})},se=r(74165),oe=r(15861),ce=r(70885),le=r(66081),de=r(74817),ue=r(86467),he=r(1413),ge=r(19809),ve=r(80382),pe=r(88521),xe=r(82e3),je=r(76989),fe=r(52401),me=r(96496),ye=r(38987),Ie=r(69623),be=r(29626),Ce=r(30205),Me=r(73610),Te=r(27990),Ae=r(75091),Se=r(46056),we=r(31915),De=r(71178),Ne=r(7102),Pe=r(42982),ke=r(41917),Oe=function(e){return e[e.SET_PAGE=0]="SET_PAGE",e[e.SET_SORT_BY=1]="SET_SORT_BY",e}(Oe||{}),Ze={changed:!1,currentPage:{page:1,perPage:10},sortBy:void 0},Le=function(e,n){switch(n.type){case Oe.SET_PAGE:var r=n.payload;return(0,he.Z)((0,he.Z)({},e),{},{changed:!0,currentPage:{page:r.page,perPage:r.perPage}});case Oe.SET_SORT_BY:var i=n.payload;return(0,he.Z)((0,he.Z)({},e),{},{changed:!0,sortBy:{index:i.index,direction:i.direction}});default:return e}},ze=r(99960),Ee=r(50500),Be=function(e){var n,r=e.count,i=e.params,t=e.isTop,a=(e.isCompact,e.perPageOptions),s=e.onChange,o=function(){return 
i.perPage||10};return(0,X.jsx)(ze.t,{itemCount:r,page:i.page||1,perPage:o(),onPageInput:function(e,n){s({page:n,perPage:o()})},onSetPage:function(e,n){s({page:n,perPage:o()})},onPerPageSelect:function(e,n){s({page:1,perPage:n})},widgetId:"pagination-options-menu",variant:t?ze.a.top:ze.a.bottom,perPageOptions:(n=a||[10,20,50,100],n.map((function(e){return{title:String(e),value:e}}))),toggleTemplate:function(e){return(0,X.jsx)(Ee.v,(0,he.Z)({},e))}})},Re=function(e){var n=e.name,r=e.showVersion,i=void 0!==r&&r;return(0,X.jsx)(X.Fragment,{children:(0,X.jsx)("a",{href:b(n),target:"_blank",rel:"noreferrer",children:y(n,i)})})},Fe=r(70164),_e=r(35020),Ue=r(98649),He=r(37514),Ge=function(e){var n=e.numRenderedColumns,r=e.isLoading,i=void 0!==r&&r,t=e.isError,a=void 0!==t&&t,s=e.isNoData,o=void 0!==s&&s,c=e.errorEmptyState,l=void 0===c?null:c,d=e.noDataEmptyState,u=void 0===d?null:d,h=e.children,g=(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(pe.k,{icon:Ue.ZP,color:He.a.value}),(0,X.jsx)(L.D,{headingLevel:"h2",size:"lg",children:"Unable to connect"}),(0,X.jsx)(xe.B,{children:"There was an error retrieving data. 
Check your connection and try again."})]}),v=(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(pe.k,{icon:_e.ZP}),(0,X.jsx)(L.D,{headingLevel:"h2",size:"lg",children:"No data available"}),(0,X.jsx)(xe.B,{children:"No data available to be shown here."})]});return(0,X.jsx)(X.Fragment,{children:i?(0,X.jsx)(Se.p,{children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:(0,X.jsx)(Fe.$,{size:"xl"})})})})}):a?(0,X.jsx)(Se.p,{"aria-label":"Table error",children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:l||g})})})}):o?(0,X.jsx)(Se.p,{"aria-label":"Table no data",children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:u||v})})})}):h})},Ve=function(e){var n=e.packageName;e.cves;return(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0",(0,X.jsx)("a",{href:I(n),target:"_blank",rel:"noreferrer",children:C(n)})]})},Ye=function(){var e=fn().providerPrivateData;return{hideIssue:function(n,r){return!(!e||-1===e.indexOf(n))&&r}}},Je=function(e){var n,r,i,t=e.sourceName,a=e.vulnerability,s=Ye(),o=fn();return(0,X.jsx)(X.Fragment,{children:s.hideIssue(t,a.unique)?(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)("a",{href:o.snykSignup,target:"_blank",rel:"noreferrer",children:"Sign up for a Snyk account"})," ","to learn about the vulnerabilities found"]}):"snyk"!==t||null!==(null===(n=a.remediation)||void 0===n?void 0:n.fixedIn)&&0!==(null===(r=a.remediation)||void 0===r||null===(i=r.fixedIn)||void 0===i?void 0:i.length)?(0,X.jsx)("a",{href:M(t,a.id,o),target:"_blank",rel:"noreferrer",children:a.id}):(0,X.jsx)("p",{})})},We=r(75351),Qe=r(30975),Ke=r(6647),qe=r(30736),Xe=function(e){var 
n,r=e.vulnerability;switch(r.severity){case"CRITICAL":n="bar-critical";break;case"HIGH":n="bar-high";break;case"MEDIUM":n="bar-medium";break;case"LOW":n="bar-low";break;default:n="bar-default"}return(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(We.P,{hasGutter:!0,children:(0,X.jsx)(Qe.J,{isFilled:!0,children:(0,X.jsx)(Ke.E,{title:"".concat(r.cvssScore,"/10"),"aria-label":"cvss-score",value:r.cvssScore,min:0,max:10,size:Ke.L.sm,measureLocation:qe.nK.none,className:"".concat(n)})})})})},$e=r(30313),en=function(e){var n,r=e.vulnerability;switch(r.severity){case"CRITICAL":n="#800000";break;case"HIGH":n="#FF0000";break;case"MEDIUM":n="#FFA500";break;case"LOW":n="#5BA352";break;default:n="grey"}return(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:n,height:"13px"}})}),"\xa0",T(r.severity)]})},nn=function(e){var n,r,i=e.id,t=fn();return(0,X.jsx)("a",{href:(n=i,r=t,r.cveIssueTemplate.replace(v,n)),target:"_blank",rel:"noreferrer",children:i})},rn=r(84150),tn=function(e){var n=e.title,r=i.useState(!1),t=(0,ce.Z)(r,2),a=t[0],s=t[1];return(0,X.jsx)(rn.L,{variant:rn.S.truncate,toggleText:a?"Show less":"Show more",onToggle:function(e,n){s(n)},isExpanded:a,children:n})},an=function(e){var n,r,i,t,a,s=e.item,o=e.providerName,c=e.rowIndex;a=s.vulnerability.cves&&s.vulnerability.cves.length>0?s.vulnerability.cves:[s.vulnerability.id];var l=Ye().hideIssue(o,s.vulnerability.unique),d=fn();return(0,X.jsxs)(Te.Tr,{children:[l?(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(we.Td,{colSpan:3,children:(0,X.jsx)("a",{href:d.snykSignup,target:"_blank",rel:"noreferrer",children:"Sign up for a Snyk account to learn about the vulnerabilities 
found"})})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(we.Td,{children:a.map((function(e,n){return(0,X.jsx)("p",{children:(0,X.jsx)(nn,{id:e})},n)}))}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(tn,{title:s.vulnerability.title})}),(0,X.jsx)(we.Td,{noPadding:!0,children:(0,X.jsx)(en,{vulnerability:s.vulnerability})})]}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(Xe,{vulnerability:s.vulnerability})}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(Re,{name:s.dependencyRef,showVersion:!0})}),(0,X.jsx)(we.Td,{children:null!==(n=s.vulnerability.remediation)&&void 0!==n&&n.trustedContent?(0,X.jsx)(Ve,{cves:s.vulnerability.cves||[],packageName:null===(r=s.vulnerability.remediation)||void 0===r||null===(i=r.trustedContent)||void 0===i?void 0:i.ref},c):null!==(t=s.vulnerability.remediation)&&void 0!==t&&t.fixedIn?(0,X.jsx)(Je,{sourceName:o,vulnerability:s.vulnerability}):O(s.vulnerability)?null:(0,X.jsx)("span",{})})]},c)},sn=function(e){var n=e.providerName,r=e.transitiveDependencies;return(0,X.jsx)(B.Z,{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:(0,X.jsxs)(be.i,{variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:15,children:"Vulnerability ID"}),(0,X.jsx)(Ae.Th,{width:20,children:"Description"}),(0,X.jsx)(Ae.Th,{width:10,children:"Severity"}),(0,X.jsx)(Ae.Th,{width:15,children:"CVSS Score"}),(0,X.jsx)(Ae.Th,{width:20,children:"Transitive Dependency"}),(0,X.jsx)(Ae.Th,{width:20,children:"Remediation"})]})}),(0,X.jsx)(Ge,{isNoData:0===r.length,numRenderedColumns:7,children:Z(r).map((function(e,r){return(0,X.jsx)(Se.p,{children:(0,X.jsx)(an,{item:e,providerName:n,rowIndex:r})},r)}))})]})})},on=function(e){var n=e.providerName,r=e.dependency,i=e.vulnerabilities;return(0,X.jsx)(B.Z,{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:(0,X.jsxs)(be.i,{variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:15,children:"Vulnerability 
ID"}),(0,X.jsx)(Ae.Th,{width:20,children:"Description"}),(0,X.jsx)(Ae.Th,{width:10,children:"Severity"}),(0,X.jsx)(Ae.Th,{width:15,children:"CVSS Score"}),(0,X.jsx)(Ae.Th,{width:20,children:"Direct Dependency"}),(0,X.jsx)(Ae.Th,{width:20,children:"Remediation"})]})}),(0,X.jsx)(Ge,{isNoData:0===i.length,numRenderedColumns:6,children:null===i||void 0===i?void 0:i.map((function(e,i){var t=[];return e.cves&&e.cves.length>0?e.cves.forEach((function(e){return t.push(e)})):e.unique&&t.push(e.id),(0,X.jsx)(Se.p,{children:t.map((function(t,a){return(0,X.jsx)(an,{item:{id:e.id,dependencyRef:r.ref,vulnerability:e},providerName:n,rowIndex:i},"".concat(i,"-").concat(a))}))},i)}))})]})})},cn=r(63566),ln=function(e){var n=e.vulnerabilities,r=void 0===n?[]:n,i=e.transitiveDependencies,t=void 0===i?[]:i,a={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0};return r.length>0?r.forEach((function(e){var n=e.severity;a.hasOwnProperty(n)&&a[n]++})):null===t||void 0===t||t.forEach((function(e){var n;null===(n=e.issues)||void 0===n||n.forEach((function(e){var n=e.severity;a.hasOwnProperty(n)&&a[n]++}))})),(0,X.jsxs)(cn.B,{children:[a.CRITICAL>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#800000",height:"13px"}})}),"\xa0",a.CRITICAL,"\xa0"]}),a.HIGH>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#FF0000",height:"13px"}})}),"\xa0",a.HIGH,"\xa0"]}),a.MEDIUM>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#FFA500",height:"13px"}})}),"\xa0",a.MEDIUM,"\xa0"]}),a.LOW>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#5BA352",height:"13px"}})}),"\xa0",a.LOW]})]})},dn=r(56934),un=function(e){var n,r,i=e.dependency,t=null===(n=i.issues)||void 0===n?void 0:n.some((function(e){return O(e)})),a=(null===(r=i.transitive)||void 0===r?void 0:r.some((function(e){var n;return null===(n=e.issues)||void 
0===n?void 0:n.some((function(e){return O(e)}))})))||!1;return(0,X.jsx)(X.Fragment,{children:t||a?"Yes":"No"})},hn=function(e){var n=e.name,r=e.dependencies,t=(0,i.useState)(""),a=(0,ce.Z)(t,2),s=a[0],o=a[1],c=function(e){var n=(0,i.useReducer)(Le,(0,he.Z)((0,he.Z)({},Ze),{},{currentPage:e&&e.page?(0,he.Z)({},e.page):(0,he.Z)({},Ze.currentPage),sortBy:e&&e.sortBy?(0,he.Z)({},e.sortBy):Ze.sortBy})),r=(0,ce.Z)(n,2),t=r[0],a=r[1],s=(0,i.useCallback)((function(e){var n;a({type:Oe.SET_PAGE,payload:{page:e.page>=1?e.page:1,perPage:null!==(n=e.perPage)&&void 0!==n?n:Ze.currentPage.perPage}})}),[]),o=(0,i.useCallback)((function(e,n,r,i){a({type:Oe.SET_SORT_BY,payload:{index:n,direction:r}})}),[]);return{page:t.currentPage,sortBy:t.sortBy,changePage:s,changeSortBy:o}}(),l=c.page,d=c.sortBy,u=c.changePage,h=c.changeSortBy,g=function(e){var n=e.items,r=e.currentSortBy,t=e.currentPage,a=e.filterItem,s=e.compareToByColumn;return(0,i.useMemo)((function(){var e,i=(0,Pe.Z)(n||[]).filter(a),o=!1;return e=(0,Pe.Z)(i).sort((function(e,n){var i=s(e,n,null===r||void 0===r?void 0:r.index);return 0!==i&&(o=!0),i})),o&&(null===r||void 0===r?void 0:r.direction)===ke.B.desc&&(e=e.reverse()),{pageItems:e.slice((t.page-1)*t.perPage,t.page*t.perPage),filteredItems:i}}),[n,t,r,s,a])}({items:r,currentPage:l,currentSortBy:d,compareToByColumn:function(e,n,r){return 1===r?e.ref.localeCompare(n.ref):0},filterItem:function(e){var n=!0;return s&&s.trim().length>0&&(n=-1!==e.ref.toLowerCase().indexOf(s.toLowerCase())),n}}),v=g.pageItems,p=g.filteredItems,x={name:"Dependency Name",version:"Current Version",direct:"Direct Vulnerabilities",transitive:"Transitive Vulnerabilities",rhRemediation:"Remediation available"},j=i.useState({"siemur/test-space":"name"}),f=(0,ce.Z)(j,2),y=f[0],I=f[1],b=function(e,n,r,i){return{isExpanded:y[e.ref]===n,onToggle:function(){return function(e,n){var r=!(arguments.length>2&&void 0!==arguments[2])||arguments[2],i=(0,he.Z)({},y);r?i[e.ref]=n:delete 
i[e.ref],I(i)}(e,n,y[e.ref]!==n)},expandId:"compound-expandable-example",rowIndex:r,columnIndex:i}};return(0,X.jsx)(B.Z,{children:(0,X.jsx)(U.e,{children:(0,X.jsx)("div",{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:""!==m(n)&&void 0===r?(0,X.jsx)("div",{children:(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(ve.t,{icon:(0,X.jsx)(pe.k,{icon:_e.ZP}),titleText:"Set up "+n,headingLevel:"h2"}),(0,X.jsxs)(xe.B,{children:["You need to provide a valid credentials to see ",n," data. You can use the button below to sing-up for ",n,". If you have already signed up, enter your credentials in your extension settings and then regenerate the Dependency Analytics report."]}),(0,X.jsx)("br",{}),(0,X.jsx)("br",{}),(0,X.jsx)("a",{href:m(n),target:"_blank",rel:"noopener noreferrer",children:(0,X.jsxs)(W.zx,{variant:"primary",size:"sm",children:["Sign up for ",n]})})]})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(je.o,{children:(0,X.jsxs)(fe.c,{children:[(0,X.jsx)(me.R,{toggleIcon:(0,X.jsx)(Ne.ZP,{}),breakpoint:"xl",children:(0,X.jsx)(ye.E,{variant:"search-filter",children:(0,X.jsx)(Ie.M,{style:{width:"250px"},placeholder:"Filter by Dependency name",value:s,onChange:function(e,n){return o(n)},onClear:function(){return o("")}})})}),(0,X.jsx)(ye.E,{variant:ye.A.pagination,align:{default:"alignRight"},children:(0,X.jsx)(Be,{isTop:!0,count:p.length,params:l,onChange:u})})]})}),(0,X.jsxs)(be.i,{"aria-label":"Compound expandable table",variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:25,sort:{columnIndex:1,sortBy:(0,he.Z)({},d),onSort:h},children:x.name}),(0,X.jsx)(Ae.Th,{children:x.version}),(0,X.jsx)(Ae.Th,{children:x.direct}),(0,X.jsx)(Ae.Th,{children:x.transitive}),(0,X.jsx)(Ae.Th,{children:x.rhRemediation})]})}),(0,X.jsx)(Ge,{isNoData:0===p.length,numRenderedColumns:8,noDataEmptyState:(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(ve.t,{icon:(0,X.jsx)(pe.k,{icon:dn.ZP}),titleText:"No 
results found",headingLevel:"h2"}),(0,X.jsx)(xe.B,{children:"Clear all filters and try again."})]}),children:null===v||void 0===v?void 0:v.map((function(e,r){var i,t,a,s,o,c=y[e.ref],l=!!c;return null!==(i=e.issues)&&void 0!==i&&i.length||null!==(t=e.transitive)&&void 0!==t&&t.length?(0,X.jsxs)(Se.p,{isExpanded:l,children:[(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(we.Td,{width:30,dataLabel:x.name,component:"th",children:(0,X.jsx)(Re,{name:e.ref})}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.version,children:C(e.ref)}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.direct,compoundExpand:b(e,"direct",r,2),children:null!==(a=e.issues)&&void 0!==a&&a.length?(0,X.jsxs)("div",{style:{display:"flex",alignItems:"center"},children:[(0,X.jsx)("div",{style:{width:"25px"},children:null===(s=e.issues)||void 0===s?void 0:s.length}),(0,X.jsx)(E.i,{orientation:{default:"vertical"},style:{paddingRight:"10px"}}),(0,X.jsx)(ln,{vulnerabilities:e.issues})]}):0}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.transitive,compoundExpand:b(e,"transitive",r,3),children:null!==(o=e.transitive)&&void 0!==o&&o.length?(0,X.jsxs)("div",{style:{display:"flex",alignItems:"center"},children:[(0,X.jsx)("div",{style:{width:"25px"},children:e.transitive.map((function(e){var n;return null===(n=e.issues)||void 0===n?void 0:n.length})).reduce((function(){return(arguments.length>0&&void 0!==arguments[0]?arguments[0]:0)+(arguments.length>1&&void 
0!==arguments[1]?arguments[1]:0)}))}),(0,X.jsx)(E.i,{orientation:{default:"vertical"},style:{paddingRight:"10px"}}),(0,X.jsx)(ln,{transitiveDependencies:e.transitive})]}):0}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.rhRemediation,children:(0,X.jsx)(un,{dependency:e})})]}),l?(0,X.jsx)(Te.Tr,{isExpanded:l,children:(0,X.jsx)(we.Td,{dataLabel:x[c],noPadding:!0,colSpan:6,children:(0,X.jsx)(De.G,{children:(0,X.jsx)("div",{className:"pf-v5-u-m-md",children:"direct"===c&&e.issues&&e.issues.length>0?(0,X.jsx)(on,{providerName:n,dependency:e,vulnerabilities:e.issues}):"transitive"===c&&e.transitive&&e.transitive.length>0?(0,X.jsx)(sn,{providerName:n,transitiveDependencies:e.transitive}):null})})})}):null]},e.ref):null}))})]}),(0,X.jsx)(Be,{isTop:!1,count:p.length,params:l,onChange:u}),"osv-nvd"===n&&(0,X.jsx)("div",{children:(0,X.jsx)("p",{children:"Disclaimer:This Product uses data from the NVD API but is not endorsed or certified by the NVD"})})]})})})})},gn=r(61602),vn=function(e){var n=e.report,r=fn(),t=P(n),s=i.useState(k(t[0])),o=(0,ce.Z)(s,2),c=o[0],l=o[1],d=i.useState(!0),u=(0,ce.Z)(d,1)[0],h=r.writeKey&&""!==r.writeKey.trim()?gn.b.load({writeKey:r.writeKey}):null,g=(0,i.useRef)(""),v=(0,i.useRef)(!1);(0,i.useEffect)((function(){h&&!v.current&&(null!=r.userId?h.identify(r.userId):null!=r.anonymousId&&h.setAnonymousId(r.anonymousId),v.current=!0)}),[]),(0,i.useEffect)((function(){if(h){var e=function(){var e=(0,oe.Z)((0,se.Z)().mark((function e(n){return(0,se.Z)().wrap((function(e){for(;;)switch(e.prev=e.next){case 0:n!==g.current&&(h.track("rhda.exhort.tab",{tabName:n}),g.current=n);case 1:case"end":return e.stop()}}),e)})));return function(n){return e.apply(this,arguments)}}();e(c)}}),[c,h]);var p=t.map((function(e){var n,r=k(e),i=null===(n=e.report.dependencies)||void 0===n?void 0:n.filter((function(e){return e.highestVulnerability}));return(0,X.jsx)(le.O,{eventKey:r,title:(0,X.jsx)(de.T,{children:r}),"aria-label":"".concat(r," 
source"),children:(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(hn,{name:r,dependencies:i})})})}));return(0,X.jsx)("div",{children:(0,X.jsx)(ue.m,{activeKey:c,onSelect:function(e,n){l(n)},"aria-label":"Providers",role:"region",variant:u?"light300":"default",isBox:!0,children:p})})},pn=function(e){var n=e.report,r=i.useState(Object.keys(n)[0]||""),t=(0,ce.Z)(r,2),c=t[0],l=t[1],d=i.useState(!0),u=(0,ce.Z)(d,1)[0],h=Object.entries(n).map((function(e){var n=(0,ce.Z)(e,2),r=n[0],i=n[1];return(0,X.jsxs)(le.O,{eventKey:r,title:(0,X.jsx)(de.T,{children:A(r)}),"aria-label":"".concat(r," source"),children:[(0,X.jsx)(ae,{report:i}),(0,X.jsx)(a.NP,{variant:a.Dk.light,children:(0,X.jsx)(s.r,{hasGutter:!0,children:(0,X.jsx)(o.P,{children:(0,X.jsx)(ie,{report:i,isReportMap:!0,purl:r})})})}),(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(vn,{report:i})})]})}));return(0,X.jsx)("div",{children:(0,X.jsx)(ue.m,{activeKey:c,onSelect:function(e,n){l(n)},"aria-label":"Providers",role:"region",variant:u?"light300":"default",isBox:!0,children:h})})},xn=window.appData,jn=(0,i.createContext)(xn),fn=function(){return(0,i.useContext)(jn)};var mn=function(){return(0,X.jsx)(jn.Provider,{value:xn,children:(e=xn.report,"object"===typeof e&&null!==e&&Object.keys(e).every((function(n){return"scanned"in e[n]&&"providers"in e[n]&&"object"===typeof e[n].scanned&&"object"===typeof e[n].providers}))?(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(pn,{report:xn.report})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(ae,{report:xn.report}),(0,X.jsx)(a.NP,{variant:a.Dk.light,children:(0,X.jsx)(s.r,{hasGutter:!0,children:(0,X.jsx)(o.P,{children:(0,X.jsx)(ie,{report:xn.report})})})}),(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(vn,{report:xn.report})})]}))});var e},yn=function(e){e&&e instanceof Function&&r.e(736).then(r.bind(r,40599)).then((function(n){var 
r=n.getCLS,i=n.getFID,t=n.getFCP,a=n.getLCP,s=n.getTTFB;r(e),i(e),t(e),a(e),s(e)}))};t.createRoot(document.getElementById("root")).render((0,X.jsx)(i.StrictMode,{children:(0,X.jsx)(mn,{})})),yn()}},n={};function r(i){var t=n[i];if(void 0!==t)return t.exports;var a=n[i]={id:i,loaded:!1,exports:{}};return e[i].call(a.exports,a,a.exports,r),a.loaded=!0,a.exports}r.m=e,function(){var e=[];r.O=function(n,i,t,a){if(!i){var s=1/0;for(d=0;d=a)&&Object.keys(r.O).every((function(e){return r.O[e](i[c])}))?i.splice(c--,1):(o=!1,a0&&e[d-1][2]>a;d--)e[d]=e[d-1];e[d]=[i,t,a]}}(),r.n=function(e){var n=e&&e.__esModule?function(){return e.default}:function(){return e};return r.d(n,{a:n}),n},function(){var e,n=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__};r.t=function(i,t){if(1&t&&(i=this(i)),8&t)return i;if("object"===typeof i&&i){if(4&t&&i.__esModule)return i;if(16&t&&"function"===typeof i.then)return i}var a=Object.create(null);r.r(a);var s={};e=e||[null,n({}),n([]),n(n)];for(var o=2&t&&i;"object"==typeof o&&!~e.indexOf(o);o=n(o))Object.getOwnPropertyNames(o).forEach((function(e){s[e]=function(){return i[e]}}));return s.default=function(){return i},r.d(a,s),a}}(),r.d=function(e,n){for(var i in n)r.o(n,i)&&!r.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:n[i]})},r.e=function(){return Promise.resolve()},r.g=function(){if("object"===typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"===typeof window)return window}}(),r.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},r.r=function(e){"undefined"!==typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.nmd=function(e){return e.paths=[],e.children||(e.children=[]),e},function(){var e={179:0};r.O.j=function(n){return 0===e[n]};var n=function(n,i){var t,a,s=i[0],o=i[1],c=i[2],l=0;if(s.some((function(n){return 
0!==e[n]}))){for(t in o)r.o(o,t)&&(r.m[t]=o[t]);if(c)var d=c(r)}for(n&&n(i);l2&&(t=o.slice(1,o.length-1).join("/")),-1!==r.indexOf("@")&&(a=r.substring(r.indexOf("@")+1));var c=o[o.length-1];return a&&(c=c.substring(0,c.indexOf("@"))),new e(s,t,c,a)}}]),e}();function P(e){var n=[];return Object.keys(e.providers).forEach((function(r){var i=e.providers[r].sources;void 0!==i&&Object.keys(i).length>0?Object.keys(i).forEach((function(e){n.push({provider:r,source:e,report:i[e]})})):"trusted-content"!==r&&n.push({provider:r,source:r,report:{}})})),n.sort((function(e,n){return 0===Object.keys(e.report).length&&0===Object.keys(n.report).length?""===m(e.provider)?""===m(n.provider)?0:-1:1:Object.keys(n.report).length-Object.keys(e.report).length}))}function k(e){return void 0===e?"unknown":e.provider!==e.source?"$item.provider/$item.source":e.provider}function O(e){var n;return!(!e.remediation||!(e.remediation.fixedIn||null!==(n=e.remediation)&&void 0!==n&&n.trustedContent))}function Z(e){var n=[];return e.map((function(e){return{dependencyRef:e.ref,vulnerabilities:e.issues||[]}})).forEach((function(e){var r;null===(r=e.vulnerabilities)||void 0===r||r.forEach((function(r){r.cves&&r.cves.length>0?r.cves.forEach((function(i){n.push({id:i,dependencyRef:e.dependencyRef,vulnerability:r})})):n.push({id:r.id,dependencyRef:e.dependencyRef,vulnerability:r})}))})),n.sort((function(e,n){return n.vulnerability.cvssScore-e.vulnerability.cvssScore}))}var L=r(43442),z=r(73324),E=r(96363),B=r(78437),R=r(26798),F=r(62996),_=r(73020),U=r(34223),H=r(11858),G=r(90493),V=r(47065),Y=r(17941),J=r(82355),W=r(38485),Q=r(29090),K=r(2570),q=r(22124),X=r(75859),$=["#800000","#FF0000","#FFA500","#5BA352"],ee=function(e){var n,r,i,t,a,s=e.summary,o=null!==(n=null===s||void 0===s?void 0:s.critical)&&void 0!==n?n:0,c=null!==(r=null===s||void 0===s?void 0:s.high)&&void 0!==r?r:0,l=null!==(i=null===s||void 0===s?void 0:s.medium)&&void 0!==i?i:0,d=null!==(t=null===s||void 0===s?void 0:s.low)&&void 
0!==t?t:0,u=null!==(a=null===s||void 0===s?void 0:s.total)&&void 0!==a?a:0,h=o+c+l+d>0,g=h?$:["#D5F5E3"],v=[{name:"Critical: ".concat(o),symbol:{type:"square",fill:$[0]}},{name:"High: ".concat(c),symbol:{type:"square",fill:$[1]}},{name:"Medium: ".concat(l),symbol:{type:"square",fill:$[2]}},{name:"Low: ".concat(d),symbol:{type:"square",fill:$[3]}}];return(0,X.jsx)("div",{children:(0,X.jsx)(U.e,{style:{paddingBottom:"inherit",padding:"0"},children:(0,X.jsx)(K.b,{children:(0,X.jsx)("div",{style:{height:"230px",width:"350px"},children:(0,X.jsx)(q.H,{constrainToVisibleArea:!0,data:h?[{x:"Critical",y:o},{x:"High",y:c},{x:"Medium",y:l},{x:"Low",y:d}]:[{x:"Empty",y:1e-10}],labels:function(e){var n=e.datum;return"".concat(n.x,": ").concat(n.y)},legendData:v,legendOrientation:"vertical",legendPosition:"right",padding:{left:20,right:140},subTitle:"Unique vulnerabilities",title:"".concat(u),width:350,colorScale:g})})})})})},ne=r(66155),re="",ie=function(e){var n=e.report,r=e.isReportMap,i=e.purl,t=fn(),a="trustification"!==t.rhdaSource?6:void 0;return(0,X.jsxs)(s.r,{hasGutter:!0,children:[(0,X.jsxs)(L.D,{headingLevel:"h3",size:L.H["2xl"],style:{paddingLeft:"15px"},children:[(0,X.jsx)(z.J,{isInline:!0,status:"info",children:(0,X.jsx)(Q.ZP,{style:{fill:"#f0ab00"}})}),"\xa0Red Hat Overview of security Issues"]}),(0,X.jsx)(E.i,{}),(0,X.jsx)(o.P,{children:(0,X.jsxs)(B.Z,{isFlat:!0,isFullHeight:!0,children:[(0,X.jsx)(R.O,{children:(0,X.jsx)(F.l,{children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:r?(0,X.jsxs)(X.Fragment,{children:[i?A(i):"No Image name"," - Vendor Issues"]}):(0,X.jsx)(X.Fragment,{children:"Vendor Issues"})})})}),(0,X.jsxs)(U.e,{children:[(0,X.jsx)(H.g,{children:(0,X.jsx)(G.b,{children:(0,X.jsx)(_.M,{children:"Below is a list of dependencies affected with 
CVE."})})}),(0,X.jsx)(V.o,{isAutoFit:!0,style:{paddingTop:"10px"},children:P(n).map((function(e,n){return(0,X.jsxs)(H.g,{style:{display:"flex",flexDirection:"column",alignItems:"center"},children:[(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:k(e)})}),(0,X.jsx)(G.b,{children:(0,X.jsx)(ee,{summary:e.report.summary})})]},n)}))})]}),(0,X.jsx)(E.i,{})]})}),(0,X.jsxs)(o.P,{md:a,children:[(0,X.jsx)(B.Z,{isFlat:!0,children:(0,X.jsxs)(H.g,{children:[(0,X.jsx)(F.l,{component:"h4",children:(0,X.jsxs)(_.M,{style:{fontSize:"large"},children:[(0,X.jsx)(z.J,{isInline:!0,status:"info",children:(0,X.jsx)(ne.ZP,{style:{fill:"#cc0000"}})}),"\xa0 Red Hat Remediations"]})}),(0,X.jsx)(U.e,{children:(0,X.jsx)(G.b,{children:r?(0,X.jsxs)(Y.aV,{isPlain:!0,children:[(0,X.jsx)(J.H,{children:"Switch to UBI 9 for enhanced security and enterprise-grade stability in your containerized applications, backed by Red Hat's support and compatibility assurance."}),(0,X.jsx)(J.H,{children:(0,X.jsx)("a",{href:i?w(i,n,t.imageMapping):"###",target:"_blank",rel:"noreferrer",children:(0,X.jsx)(W.zx,{variant:"primary",size:"sm",children:"Take me there"})})})]}):(0,X.jsx)(Y.aV,{isPlain:!0,children:P(n).map((function(e,n){return Object.keys(e.report).length>0?(0,X.jsxs)(J.H,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0",e.report.summary.remediations," remediations are available from Red Hat for ",e.provider]}):(0,X.jsxs)(J.H,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0 There are no available Red Hat remediations for your SBOM at this time for ",e.provider]})}))})})})]})}),"\xa0"]}),"trustification"!==t.rhdaSource&&(0,X.jsxs)(o.P,{md:6,children:[(0,X.jsx)(B.Z,{isFlat:!0,children:(0,X.jsxs)(H.g,{children:[(0,X.jsx)(F.l,{component:"h4",children:(0,X.jsx)(_.M,{style:{fontSize:"large"},children:"Join to explore Red Hat 
TPA"})}),(0,X.jsx)(U.e,{children:(0,X.jsx)(G.b,{children:(0,X.jsxs)(Y.aV,{isPlain:!0,children:[(0,X.jsx)(J.H,{children:"Check out our new Trusted Profile Analyzer to get visibility and insight into your software risk profile, for instance by exploring vulnerabilites or analyzing SBOMs."}),(0,X.jsx)(J.H,{children:(0,X.jsx)("a",{href:"https://console.redhat.com/application-services/trusted-content",target:"_blank",rel:"noopener noreferrer",children:(0,X.jsx)(W.zx,{variant:"primary",size:"sm",children:"Take me there"})})})]})})})]})}),"\xa0"]})]})},te=r(2933),ae=function(e){var n=e.report,r=Object.keys(n.providers).map((function(e){return n.providers[e].status})).filter((function(e){return!e.ok&&!(!(n=e).ok&&401===n.code&&"Unauthenticated"===n.message&&x.includes(n.name));var n}));return(0,X.jsx)(X.Fragment,{children:r.map((function(e,n){return(0,X.jsx)(te.b,{variant:e.code>=500?te.U.danger:e.code>=400?te.U.warning:void 0,title:"".concat(T(e.name),": ").concat(e.message)},n)}))})},se=r(74165),oe=r(15861),ce=r(70885),le=r(66081),de=r(74817),ue=r(86467),he=r(1413),ge=r(19809),ve=r(80382),pe=r(88521),xe=r(82e3),je=r(76989),fe=r(52401),me=r(96496),ye=r(38987),Ie=r(69623),be=r(29626),Ce=r(30205),Me=r(73610),Te=r(27990),Ae=r(75091),Se=r(46056),we=r(31915),De=r(71178),Ne=r(7102),Pe=r(42982),ke=r(41917),Oe=function(e){return e[e.SET_PAGE=0]="SET_PAGE",e[e.SET_SORT_BY=1]="SET_SORT_BY",e}(Oe||{}),Ze={changed:!1,currentPage:{page:1,perPage:10},sortBy:void 0},Le=function(e,n){switch(n.type){case Oe.SET_PAGE:var r=n.payload;return(0,he.Z)((0,he.Z)({},e),{},{changed:!0,currentPage:{page:r.page,perPage:r.perPage}});case Oe.SET_SORT_BY:var i=n.payload;return(0,he.Z)((0,he.Z)({},e),{},{changed:!0,sortBy:{index:i.index,direction:i.direction}});default:return e}},ze=r(99960),Ee=r(50500),Be=function(e){var n,r=e.count,i=e.params,t=e.isTop,a=(e.isCompact,e.perPageOptions),s=e.onChange,o=function(){return 
i.perPage||10};return(0,X.jsx)(ze.t,{itemCount:r,page:i.page||1,perPage:o(),onPageInput:function(e,n){s({page:n,perPage:o()})},onSetPage:function(e,n){s({page:n,perPage:o()})},onPerPageSelect:function(e,n){s({page:1,perPage:n})},widgetId:"pagination-options-menu",variant:t?ze.a.top:ze.a.bottom,perPageOptions:(n=a||[10,20,50,100],n.map((function(e){return{title:String(e),value:e}}))),toggleTemplate:function(e){return(0,X.jsx)(Ee.v,(0,he.Z)({},e))}})},Re=function(e){var n=e.name,r=e.showVersion,i=void 0!==r&&r;return(0,X.jsx)(X.Fragment,{children:(0,X.jsx)("a",{href:b(n),target:"_blank",rel:"noreferrer",children:y(n,i)})})},Fe=r(70164),_e=r(35020),Ue=r(98649),He=r(37514),Ge=function(e){var n=e.numRenderedColumns,r=e.isLoading,i=void 0!==r&&r,t=e.isError,a=void 0!==t&&t,s=e.isNoData,o=void 0!==s&&s,c=e.errorEmptyState,l=void 0===c?null:c,d=e.noDataEmptyState,u=void 0===d?null:d,h=e.children,g=(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(pe.k,{icon:Ue.ZP,color:He.a.value}),(0,X.jsx)(L.D,{headingLevel:"h2",size:"lg",children:"Unable to connect"}),(0,X.jsx)(xe.B,{children:"There was an error retrieving data. 
Check your connection and try again."})]}),v=(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(pe.k,{icon:_e.ZP}),(0,X.jsx)(L.D,{headingLevel:"h2",size:"lg",children:"No data available"}),(0,X.jsx)(xe.B,{children:"No data available to be shown here."})]});return(0,X.jsx)(X.Fragment,{children:i?(0,X.jsx)(Se.p,{children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:(0,X.jsx)(Fe.$,{size:"xl"})})})})}):a?(0,X.jsx)(Se.p,{"aria-label":"Table error",children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:l||g})})})}):o?(0,X.jsx)(Se.p,{"aria-label":"Table no data",children:(0,X.jsx)(Te.Tr,{children:(0,X.jsx)(we.Td,{colSpan:n,children:(0,X.jsx)(K.b,{children:u||v})})})}):h})},Ve=function(e){var n=e.packageName;e.cves;return(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,status:"success",children:(0,X.jsx)("img",{src:re,alt:"Security Check Icon"})}),"\xa0",(0,X.jsx)("a",{href:I(n),target:"_blank",rel:"noreferrer",children:C(n)})]})},Ye=function(){var e=fn().providerPrivateData;return{hideIssue:function(n,r){return!(!e||-1===e.indexOf(n))&&r}}},Je=function(e){var n,r,i,t=e.sourceName,a=e.vulnerability,s=Ye(),o=fn();return(0,X.jsx)(X.Fragment,{children:s.hideIssue(t,a.unique)?(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)("a",{href:o.snykSignup,target:"_blank",rel:"noreferrer",children:"Sign up for a Snyk account"})," ","to learn about the vulnerabilities found"]}):"snyk"!==t||null!==(null===(n=a.remediation)||void 0===n?void 0:n.fixedIn)&&0!==(null===(r=a.remediation)||void 0===r||null===(i=r.fixedIn)||void 0===i?void 0:i.length)?(0,X.jsx)("a",{href:M(t,a.id,o),target:"_blank",rel:"noreferrer",children:a.id}):(0,X.jsx)("p",{})})},We=r(75351),Qe=r(30975),Ke=r(6647),qe=r(30736),Xe=function(e){var 
n,r=e.vulnerability;switch(r.severity){case"CRITICAL":n="bar-critical";break;case"HIGH":n="bar-high";break;case"MEDIUM":n="bar-medium";break;case"LOW":n="bar-low";break;default:n="bar-default"}return(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(We.P,{hasGutter:!0,children:(0,X.jsx)(Qe.J,{isFilled:!0,children:(0,X.jsx)(Ke.E,{title:"".concat(r.cvssScore,"/10"),"aria-label":"cvss-score",value:r.cvssScore,min:0,max:10,size:Ke.L.sm,measureLocation:qe.nK.none,className:"".concat(n)})})})})},$e=r(30313),en=function(e){var n,r=e.vulnerability;switch(r.severity){case"CRITICAL":n="#800000";break;case"HIGH":n="#FF0000";break;case"MEDIUM":n="#FFA500";break;case"LOW":n="#5BA352";break;default:n="grey"}return(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:n,height:"13px"}})}),"\xa0",T(r.severity)]})},nn=function(e){var n,r,i=e.id,t=fn();return(0,X.jsx)("a",{href:(n=i,r=t,r.cveIssueTemplate.replace(v,n)),target:"_blank",rel:"noreferrer",children:i})},rn=r(84150),tn=function(e){var n=e.title,r=i.useState(!1),t=(0,ce.Z)(r,2),a=t[0],s=t[1];return(0,X.jsx)(rn.L,{variant:rn.S.truncate,toggleText:a?"Show less":"Show more",onToggle:function(e,n){s(n)},isExpanded:a,children:n})},an=function(e){var n,r,i,t,a,s=e.item,o=e.providerName,c=e.rowIndex;a=s.vulnerability.cves&&s.vulnerability.cves.length>0?s.vulnerability.cves:[s.vulnerability.id];var l=Ye().hideIssue(o,s.vulnerability.unique),d=fn();return(0,X.jsxs)(Te.Tr,{children:[l?(0,X.jsx)(X.Fragment,{children:(0,X.jsx)(we.Td,{colSpan:3,children:(0,X.jsx)("a",{href:d.snykSignup,target:"_blank",rel:"noreferrer",children:"Sign up for a Snyk account to learn about the vulnerabilities 
found"})})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(we.Td,{children:a.map((function(e,n){return(0,X.jsx)("p",{children:(0,X.jsx)(nn,{id:e})},n)}))}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(tn,{title:s.vulnerability.title})}),(0,X.jsx)(we.Td,{noPadding:!0,children:(0,X.jsx)(en,{vulnerability:s.vulnerability})})]}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(Xe,{vulnerability:s.vulnerability})}),(0,X.jsx)(we.Td,{children:(0,X.jsx)(Re,{name:s.dependencyRef,showVersion:!0})}),(0,X.jsx)(we.Td,{children:null!==(n=s.vulnerability.remediation)&&void 0!==n&&n.trustedContent?(0,X.jsx)(Ve,{cves:s.vulnerability.cves||[],packageName:null===(r=s.vulnerability.remediation)||void 0===r||null===(i=r.trustedContent)||void 0===i?void 0:i.ref},c):null!==(t=s.vulnerability.remediation)&&void 0!==t&&t.fixedIn?(0,X.jsx)(Je,{sourceName:o,vulnerability:s.vulnerability}):O(s.vulnerability)?null:(0,X.jsx)("span",{})})]},c)},sn=function(e){var n=e.providerName,r=e.transitiveDependencies;return(0,X.jsx)(B.Z,{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:(0,X.jsxs)(be.i,{variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:15,children:"Vulnerability ID"}),(0,X.jsx)(Ae.Th,{width:20,children:"Description"}),(0,X.jsx)(Ae.Th,{width:10,children:"Severity"}),(0,X.jsx)(Ae.Th,{width:15,children:"CVSS Score"}),(0,X.jsx)(Ae.Th,{width:20,children:"Transitive Dependency"}),(0,X.jsx)(Ae.Th,{width:20,children:"Remediation"})]})}),(0,X.jsx)(Ge,{isNoData:0===r.length,numRenderedColumns:7,children:Z(r).map((function(e,r){return(0,X.jsx)(Se.p,{children:(0,X.jsx)(an,{item:e,providerName:n,rowIndex:r})},r)}))})]})})},on=function(e){var n=e.providerName,r=e.dependency,i=e.vulnerabilities;return(0,X.jsx)(B.Z,{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:(0,X.jsxs)(be.i,{variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:15,children:"Vulnerability 
ID"}),(0,X.jsx)(Ae.Th,{width:20,children:"Description"}),(0,X.jsx)(Ae.Th,{width:10,children:"Severity"}),(0,X.jsx)(Ae.Th,{width:15,children:"CVSS Score"}),(0,X.jsx)(Ae.Th,{width:20,children:"Direct Dependency"}),(0,X.jsx)(Ae.Th,{width:20,children:"Remediation"})]})}),(0,X.jsx)(Ge,{isNoData:0===i.length,numRenderedColumns:6,children:null===i||void 0===i?void 0:i.map((function(e,i){var t=[];return e.cves&&e.cves.length>0?e.cves.forEach((function(e){return t.push(e)})):e.unique&&t.push(e.id),(0,X.jsx)(Se.p,{children:t.map((function(t,a){return(0,X.jsx)(an,{item:{id:e.id,dependencyRef:r.ref,vulnerability:e},providerName:n,rowIndex:i},"".concat(i,"-").concat(a))}))},i)}))})]})})},cn=r(63566),ln=function(e){var n=e.vulnerabilities,r=void 0===n?[]:n,i=e.transitiveDependencies,t=void 0===i?[]:i,a={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0};return r.length>0?r.forEach((function(e){var n=e.severity;a.hasOwnProperty(n)&&a[n]++})):null===t||void 0===t||t.forEach((function(e){var n;null===(n=e.issues)||void 0===n||n.forEach((function(e){var n=e.severity;a.hasOwnProperty(n)&&a[n]++}))})),(0,X.jsxs)(cn.B,{children:[a.CRITICAL>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#800000",height:"13px"}})}),"\xa0",a.CRITICAL,"\xa0"]}),a.HIGH>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#FF0000",height:"13px"}})}),"\xa0",a.HIGH,"\xa0"]}),a.MEDIUM>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#FFA500",height:"13px"}})}),"\xa0",a.MEDIUM,"\xa0"]}),a.LOW>0&&(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(z.J,{isInline:!0,children:(0,X.jsx)($e.ZP,{style:{fill:"#5BA352",height:"13px"}})}),"\xa0",a.LOW]})]})},dn=r(56934),un=function(e){var n,r,i=e.dependency,t=null===(n=i.issues)||void 0===n?void 0:n.some((function(e){return O(e)})),a=(null===(r=i.transitive)||void 0===r?void 0:r.some((function(e){var n;return null===(n=e.issues)||void 
0===n?void 0:n.some((function(e){return O(e)}))})))||!1;return(0,X.jsx)(X.Fragment,{children:t||a?"Yes":"No"})},hn=function(e){var n=e.name,r=e.dependencies,t=(0,i.useState)(""),a=(0,ce.Z)(t,2),s=a[0],o=a[1],c=function(e){var n=(0,i.useReducer)(Le,(0,he.Z)((0,he.Z)({},Ze),{},{currentPage:e&&e.page?(0,he.Z)({},e.page):(0,he.Z)({},Ze.currentPage),sortBy:e&&e.sortBy?(0,he.Z)({},e.sortBy):Ze.sortBy})),r=(0,ce.Z)(n,2),t=r[0],a=r[1],s=(0,i.useCallback)((function(e){var n;a({type:Oe.SET_PAGE,payload:{page:e.page>=1?e.page:1,perPage:null!==(n=e.perPage)&&void 0!==n?n:Ze.currentPage.perPage}})}),[]),o=(0,i.useCallback)((function(e,n,r,i){a({type:Oe.SET_SORT_BY,payload:{index:n,direction:r}})}),[]);return{page:t.currentPage,sortBy:t.sortBy,changePage:s,changeSortBy:o}}(),l=c.page,d=c.sortBy,u=c.changePage,h=c.changeSortBy,g=function(e){var n=e.items,r=e.currentSortBy,t=e.currentPage,a=e.filterItem,s=e.compareToByColumn;return(0,i.useMemo)((function(){var e,i=(0,Pe.Z)(n||[]).filter(a),o=!1;return e=(0,Pe.Z)(i).sort((function(e,n){var i=s(e,n,null===r||void 0===r?void 0:r.index);return 0!==i&&(o=!0),i})),o&&(null===r||void 0===r?void 0:r.direction)===ke.B.desc&&(e=e.reverse()),{pageItems:e.slice((t.page-1)*t.perPage,t.page*t.perPage),filteredItems:i}}),[n,t,r,s,a])}({items:r,currentPage:l,currentSortBy:d,compareToByColumn:function(e,n,r){return 1===r?e.ref.localeCompare(n.ref):0},filterItem:function(e){var n=!0;return s&&s.trim().length>0&&(n=-1!==e.ref.toLowerCase().indexOf(s.toLowerCase())),n}}),v=g.pageItems,p=g.filteredItems,x={name:"Dependency Name",version:"Current Version",direct:"Direct Vulnerabilities",transitive:"Transitive Vulnerabilities",rhRemediation:"Remediation available"},j=i.useState({"siemur/test-space":"name"}),f=(0,ce.Z)(j,2),y=f[0],I=f[1],b=function(e,n,r,i){return{isExpanded:y[e.ref]===n,onToggle:function(){return function(e,n){var r=!(arguments.length>2&&void 0!==arguments[2])||arguments[2],i=(0,he.Z)({},y);r?i[e.ref]=n:delete 
i[e.ref],I(i)}(e,n,y[e.ref]!==n)},expandId:"compound-expandable-example",rowIndex:r,columnIndex:i}};return(0,X.jsx)(B.Z,{children:(0,X.jsx)(U.e,{children:(0,X.jsx)("div",{style:{backgroundColor:"var(--pf-v5-global--BackgroundColor--100)"},children:""!==m(n)&&void 0===r?(0,X.jsx)("div",{children:(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(ve.t,{icon:(0,X.jsx)(pe.k,{icon:_e.ZP}),titleText:"Set up "+n,headingLevel:"h2"}),(0,X.jsxs)(xe.B,{children:["You need to provide a valid credentials to see ",n," data. You can use the button below to sing-up for ",n,". If you have already signed up, enter your credentials in your extension settings and then regenerate the Dependency Analytics report."]}),(0,X.jsx)("br",{}),(0,X.jsx)("br",{}),(0,X.jsx)("a",{href:m(n),target:"_blank",rel:"noopener noreferrer",children:(0,X.jsxs)(W.zx,{variant:"primary",size:"sm",children:["Sign up for ",n]})})]})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(je.o,{children:(0,X.jsxs)(fe.c,{children:[(0,X.jsx)(me.R,{toggleIcon:(0,X.jsx)(Ne.ZP,{}),breakpoint:"xl",children:(0,X.jsx)(ye.E,{variant:"search-filter",children:(0,X.jsx)(Ie.M,{style:{width:"250px"},placeholder:"Filter by Dependency name",value:s,onChange:function(e,n){return o(n)},onClear:function(){return o("")}})})}),(0,X.jsx)(ye.E,{variant:ye.A.pagination,align:{default:"alignRight"},children:(0,X.jsx)(Be,{isTop:!0,count:p.length,params:l,onChange:u})})]})}),(0,X.jsxs)(be.i,{"aria-label":"Compound expandable table",variant:Ce.B.compact,children:[(0,X.jsx)(Me.h,{children:(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(Ae.Th,{width:25,sort:{columnIndex:1,sortBy:(0,he.Z)({},d),onSort:h},children:x.name}),(0,X.jsx)(Ae.Th,{children:x.version}),(0,X.jsx)(Ae.Th,{children:x.direct}),(0,X.jsx)(Ae.Th,{children:x.transitive}),(0,X.jsx)(Ae.Th,{children:x.rhRemediation})]})}),(0,X.jsx)(Ge,{isNoData:0===p.length,numRenderedColumns:8,noDataEmptyState:(0,X.jsxs)(ge.u,{variant:ge.I.sm,children:[(0,X.jsx)(ve.t,{icon:(0,X.jsx)(pe.k,{icon:dn.ZP}),titleText:"No 
results found",headingLevel:"h2"}),(0,X.jsx)(xe.B,{children:"Clear all filters and try again."})]}),children:null===v||void 0===v?void 0:v.map((function(e,r){var i,t,a,s,o,c=y[e.ref],l=!!c;return null!==(i=e.issues)&&void 0!==i&&i.length||null!==(t=e.transitive)&&void 0!==t&&t.length?(0,X.jsxs)(Se.p,{isExpanded:l,children:[(0,X.jsxs)(Te.Tr,{children:[(0,X.jsx)(we.Td,{width:30,dataLabel:x.name,component:"th",children:(0,X.jsx)(Re,{name:e.ref})}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.version,children:C(e.ref)}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.direct,compoundExpand:b(e,"direct",r,2),children:null!==(a=e.issues)&&void 0!==a&&a.length?(0,X.jsxs)("div",{style:{display:"flex",alignItems:"center"},children:[(0,X.jsx)("div",{style:{width:"25px"},children:null===(s=e.issues)||void 0===s?void 0:s.length}),(0,X.jsx)(E.i,{orientation:{default:"vertical"},style:{paddingRight:"10px"}}),(0,X.jsx)(ln,{vulnerabilities:e.issues})]}):0}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.transitive,compoundExpand:b(e,"transitive",r,3),children:null!==(o=e.transitive)&&void 0!==o&&o.length?(0,X.jsxs)("div",{style:{display:"flex",alignItems:"center"},children:[(0,X.jsx)("div",{style:{width:"25px"},children:e.transitive.map((function(e){var n;return null===(n=e.issues)||void 0===n?void 0:n.length})).reduce((function(){return(arguments.length>0&&void 0!==arguments[0]?arguments[0]:0)+(arguments.length>1&&void 
0!==arguments[1]?arguments[1]:0)}))}),(0,X.jsx)(E.i,{orientation:{default:"vertical"},style:{paddingRight:"10px"}}),(0,X.jsx)(ln,{transitiveDependencies:e.transitive})]}):0}),(0,X.jsx)(we.Td,{width:15,dataLabel:x.rhRemediation,children:(0,X.jsx)(un,{dependency:e})})]}),l?(0,X.jsx)(Te.Tr,{isExpanded:l,children:(0,X.jsx)(we.Td,{dataLabel:x[c],noPadding:!0,colSpan:6,children:(0,X.jsx)(De.G,{children:(0,X.jsx)("div",{className:"pf-v5-u-m-md",children:"direct"===c&&e.issues&&e.issues.length>0?(0,X.jsx)(on,{providerName:n,dependency:e,vulnerabilities:e.issues}):"transitive"===c&&e.transitive&&e.transitive.length>0?(0,X.jsx)(sn,{providerName:n,transitiveDependencies:e.transitive}):null})})})}):null]},e.ref):null}))})]}),(0,X.jsx)(Be,{isTop:!1,count:p.length,params:l,onChange:u}),"osv"===n&&(0,X.jsx)("div",{children:(0,X.jsx)("p",{children:"Disclaimer:This Product uses data from the NVD API but is not endorsed or certified by the NVD"})})]})})})})},gn=r(61602),vn=function(e){var n=e.report,r=fn(),t=P(n),s=i.useState(k(t[0])),o=(0,ce.Z)(s,2),c=o[0],l=o[1],d=i.useState(!0),u=(0,ce.Z)(d,1)[0],h=r.writeKey&&""!==r.writeKey.trim()?gn.b.load({writeKey:r.writeKey}):null,g=(0,i.useRef)(""),v=(0,i.useRef)(!1);(0,i.useEffect)((function(){h&&!v.current&&(null!=r.userId?h.identify(r.userId):null!=r.anonymousId&&h.setAnonymousId(r.anonymousId),v.current=!0)}),[]),(0,i.useEffect)((function(){if(h){var e=function(){var e=(0,oe.Z)((0,se.Z)().mark((function e(n){return(0,se.Z)().wrap((function(e){for(;;)switch(e.prev=e.next){case 0:n!==g.current&&(h.track("rhda.exhort.tab",{tabName:n}),g.current=n);case 1:case"end":return e.stop()}}),e)})));return function(n){return e.apply(this,arguments)}}();e(c)}}),[c,h]);var p=t.map((function(e){var n,r=k(e),i=null===(n=e.report.dependencies)||void 0===n?void 0:n.filter((function(e){return e.highestVulnerability}));return(0,X.jsx)(le.O,{eventKey:r,title:(0,X.jsx)(de.T,{children:r}),"aria-label":"".concat(r," 
source"),children:(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(hn,{name:r,dependencies:i})})})}));return(0,X.jsx)("div",{children:(0,X.jsx)(ue.m,{activeKey:c,onSelect:function(e,n){l(n)},"aria-label":"Providers",role:"region",variant:u?"light300":"default",isBox:!0,children:p})})},pn=function(e){var n=e.report,r=i.useState(Object.keys(n)[0]||""),t=(0,ce.Z)(r,2),c=t[0],l=t[1],d=i.useState(!0),u=(0,ce.Z)(d,1)[0],h=Object.entries(n).map((function(e){var n=(0,ce.Z)(e,2),r=n[0],i=n[1];return(0,X.jsxs)(le.O,{eventKey:r,title:(0,X.jsx)(de.T,{children:A(r)}),"aria-label":"".concat(r," source"),children:[(0,X.jsx)(ae,{report:i}),(0,X.jsx)(a.NP,{variant:a.Dk.light,children:(0,X.jsx)(s.r,{hasGutter:!0,children:(0,X.jsx)(o.P,{children:(0,X.jsx)(ie,{report:i,isReportMap:!0,purl:r})})})}),(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(vn,{report:i})})]})}));return(0,X.jsx)("div",{children:(0,X.jsx)(ue.m,{activeKey:c,onSelect:function(e,n){l(n)},"aria-label":"Providers",role:"region",variant:u?"light300":"default",isBox:!0,children:h})})},xn=window.appData,jn=(0,i.createContext)(xn),fn=function(){return(0,i.useContext)(jn)};var mn=function(){return(0,X.jsx)(jn.Provider,{value:xn,children:(e=xn.report,"object"===typeof e&&null!==e&&Object.keys(e).every((function(n){return"scanned"in e[n]&&"providers"in e[n]&&"object"===typeof e[n].scanned&&"object"===typeof e[n].providers}))?(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(pn,{report:xn.report})}):(0,X.jsxs)(X.Fragment,{children:[(0,X.jsx)(ae,{report:xn.report}),(0,X.jsx)(a.NP,{variant:a.Dk.light,children:(0,X.jsx)(s.r,{hasGutter:!0,children:(0,X.jsx)(o.P,{children:(0,X.jsx)(ie,{report:xn.report})})})}),(0,X.jsx)(a.NP,{variant:a.Dk.default,children:(0,X.jsx)(vn,{report:xn.report})})]}))});var e},yn=function(e){e&&e instanceof Function&&r.e(736).then(r.bind(r,40599)).then((function(n){var 
r=n.getCLS,i=n.getFID,t=n.getFCP,a=n.getLCP,s=n.getTTFB;r(e),i(e),t(e),a(e),s(e)}))};t.createRoot(document.getElementById("root")).render((0,X.jsx)(i.StrictMode,{children:(0,X.jsx)(mn,{})})),yn()}},n={};function r(i){var t=n[i];if(void 0!==t)return t.exports;var a=n[i]={id:i,loaded:!1,exports:{}};return e[i].call(a.exports,a,a.exports,r),a.loaded=!0,a.exports}r.m=e,function(){var e=[];r.O=function(n,i,t,a){if(!i){var s=1/0;for(d=0;d=a)&&Object.keys(r.O).every((function(e){return r.O[e](i[c])}))?i.splice(c--,1):(o=!1,a0&&e[d-1][2]>a;d--)e[d]=e[d-1];e[d]=[i,t,a]}}(),r.n=function(e){var n=e&&e.__esModule?function(){return e.default}:function(){return e};return r.d(n,{a:n}),n},function(){var e,n=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__};r.t=function(i,t){if(1&t&&(i=this(i)),8&t)return i;if("object"===typeof i&&i){if(4&t&&i.__esModule)return i;if(16&t&&"function"===typeof i.then)return i}var a=Object.create(null);r.r(a);var s={};e=e||[null,n({}),n([]),n(n)];for(var o=2&t&&i;"object"==typeof o&&!~e.indexOf(o);o=n(o))Object.getOwnPropertyNames(o).forEach((function(e){s[e]=function(){return i[e]}}));return s.default=function(){return i},r.d(a,s),a}}(),r.d=function(e,n){for(var i in n)r.o(n,i)&&!r.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:n[i]})},r.e=function(){return Promise.resolve()},r.g=function(){if("object"===typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"===typeof window)return window}}(),r.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},r.r=function(e){"undefined"!==typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.nmd=function(e){return e.paths=[],e.children||(e.children=[]),e},function(){var e={179:0};r.O.j=function(n){return 0===e[n]};var n=function(n,i){var t,a,s=i[0],o=i[1],c=i[2],l=0;if(s.some((function(n){return 
0!==e[n]}))){for(t in o)r.o(o,t)&&(r.m[t]=o[t]);if(c)var d=c(r)}for(n&&n(i);l start() { "api.snyk.token", SNYK_TOKEN, "api.trustedcontent.host", server.baseUrl(), "api.ossindex.host", server.baseUrl(), - "api.osvnvd.host", server.baseUrl()); + "api.onguard.host", server.baseUrl()); } @Override diff --git a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java index 88d56627..6130d6f9 100644 --- a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java +++ b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java @@ -216,7 +216,7 @@ protected void stubAllProviders() { stubSnykRequests(); stubOssToken(); stubTrustedContentRequests(); - stubOsvNvdRequests(); + stubOsvRequests(); } protected void verifyProviders(Collection providers, Map credentials) { @@ -229,7 +229,7 @@ protected void verifyProviders(Collection providers, Map case Constants.OSS_INDEX_PROVIDER -> verifyOssRequest( credentials.get(Constants.OSS_INDEX_USER_HEADER), credentials.get(Constants.OSS_INDEX_TOKEN_HEADER)); - case Constants.OSV_NVD_PROVIDER -> verifyOsvNvdRequest(); + case Constants.OSV_PROVIDER -> verifyOsvNvdRequest(); } }); verifyTrustedContentRequest(); @@ -316,7 +316,7 @@ protected void stubTrustedContentRequests() { .withBodyFile("trustedcontent/maven_report.json"))); } - protected void stubOsvNvdRequests() { + protected void stubOsvRequests() { server.stubFor( post(Constants.OSV_NVD_PURLS_PATH) .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON)) 
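Review bot: The provider rename stops at the constant in the `verifyProviders` hunk: `case Constants.OSV_PROVIDER -> verifyOsvNvdRequest();` dispatches on the new name to a verifier that keeps the old one, and the renamed `stubOsvRequests()` still posts to `Constants.OSV_NVD_PURLS_PATH`. The same mixture recurs in `AnalysisTest` and `AnalysisV3Test` (`testEmptySbom`, `testUnauthorizedRequest`, `testForbiddenRequest`), which pair `Constants.OSV_PROVIDER` with `verifyOsvNvdRequest()` / `verifyNoInteractionsWithOsvNvd()`. Either finish the rename in this commit (`verifyOsvRequest`, `verifyNoInteractionsWithOsv`, and an `OSV_PURLS_PATH` constant) or put a comment on `stubOsvRequests` such as `// OSV_NVD_PURLS_PATH is the ONGuard endpoint path; the provider id itself is OSV_PROVIDER` so the next reader does not take the two names for two providers. `verifyProviders` starts before and ends after the hunk.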
@@ -324,28 +324,28 @@ protected void stubOsvNvdRequests() {
 aResponse()
 .withStatus(200)
 .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
- .withBodyFile("osvnvd/empty_report.json")));
+ .withBodyFile("onguard/empty_report.json")));
 server.stubFor(
 post(Constants.OSV_NVD_PURLS_PATH)
 .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
 .withRequestBody(
- equalToJson(loadFileAsString("__files/osvnvd/maven_request.json"), true, false))
+ equalToJson(loadFileAsString("__files/onguard/maven_request.json"), true, false))
 .willReturn(
 aResponse()
 .withStatus(200)
 .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
- .withBodyFile("osvnvd/maven_report.json")));
+ .withBodyFile("onguard/maven_report.json")));
 server.stubFor(
 post(Constants.OSV_NVD_PURLS_PATH)
 .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
 .withRequestBody(
- equalToJson(loadFileAsString("__files/osvnvd/batch_request.json"), true, false))
+ equalToJson(loadFileAsString("__files/onguard/batch_request.json"), true, false))
 .willReturn(
 aResponse()
 .withStatus(200)
 .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
- .withBodyFile("osvnvd/maven_report.json")));
+ .withBodyFile("onguard/maven_report.json")));
 }

 protected void verifyTrustedContentRequest() {
diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
index ecaee037..bea068a8 100644
--- a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
+++ b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
@@ -232,7 +232,7 @@ public void testEmptySbom(Map providers, Map au
 verifyNoInteractionsWithSnyk();
 verifyNoInteractionsWithOSS();

- if (providers.containsKey(Constants.OSV_NVD_PROVIDER)) {
+ if (providers.containsKey(Constants.OSV_PROVIDER)) {
 verifyOsvNvdRequest();
 } else {
 verifyNoInteractionsWithOsvNvd();
@@ -244,7 +244,7 @@ private static Stream emptySbomArguments() {
 return Stream.of(
 Arguments.of(Map.of(Constants.SNYK_PROVIDER, 200), Collections.emptyMap()),
 Arguments.of(Map.of(Constants.OSS_INDEX_PROVIDER, 401), Collections.emptyMap()),
- Arguments.of(Map.of(Constants.OSV_NVD_PROVIDER, 200), Collections.emptyMap()),
+ Arguments.of(Map.of(Constants.OSV_PROVIDER, 200), Collections.emptyMap()),
 Arguments.of(
 Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 401),
 Collections.emptyMap()),
@@ -273,7 +273,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 200,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Map.of(
 Constants.SNYK_TOKEN_HEADER,
@@ -373,7 +373,7 @@ public void testUnauthorizedRequest() {
 assertFalse(status.getOk());
 assertEquals(Constants.SNYK_PROVIDER, status.getName());
 assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status.getCode());
- assertEquals(200, report.getProviders().get(Constants.OSV_NVD_PROVIDER).getStatus().getCode());
+ assertEquals(200, report.getProviders().get(Constants.OSV_PROVIDER).getStatus().getCode());

 verifySnykRequest(INVALID_TOKEN);
 verifyOsvNvdRequest();
@@ -411,7 +411,7 @@ public void testForbiddenRequest() {
 assertEquals(Constants.SNYK_PROVIDER, status.getName());
 assertEquals(Response.Status.FORBIDDEN.getStatusCode(), status.getCode());

- assertEquals(200, report.getProviders().get(Constants.OSV_NVD_PROVIDER).getStatus().getCode());
+ assertEquals(200, report.getProviders().get(Constants.OSV_PROVIDER).getStatus().getCode());

 verifySnykRequest(UNAUTH_TOKEN);
 verifyOsvNvdRequest();
diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java
index 793a4e67..6d29f0cd 100644
--- a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java
+++ b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java
@@ -89,7 +89,7 @@ public void testEmptySbom(
 verifyNoInteractionsWithSnyk();
 verifyNoInteractionsWithOSS();

- if (providers.containsKey(Constants.OSV_NVD_PROVIDER)) {
+ if (providers.containsKey(Constants.OSV_PROVIDER)) {
 verifyOsvNvdRequest();
 } else {
 verifyNoInteractionsWithOsvNvd();
@@ -108,16 +108,14 @@ private static Stream emptySbomArguments() {
 Collections.emptyMap(),
 Constants.MAVEN_PURL_TYPE),
 Arguments.of(
- Map.of(Constants.OSV_NVD_PROVIDER, 200),
- Collections.emptyMap(),
- Constants.MAVEN_PURL_TYPE),
+ Map.of(Constants.OSV_PROVIDER, 200), Collections.emptyMap(), Constants.MAVEN_PURL_TYPE),
 Arguments.of(
 Map.of(
 Constants.SNYK_PROVIDER,
 200,
 Constants.OSS_INDEX_PROVIDER,
 401,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Map.of(Constants.SNYK_TOKEN_HEADER, OK_TOKEN),
 Constants.MAVEN_PURL_TYPE),
@@ -127,7 +125,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 200,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Map.of(
 Constants.OSS_INDEX_USER_HEADER,
@@ -141,7 +139,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 200,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Map.of(
 Constants.SNYK_TOKEN_HEADER,
@@ -157,7 +155,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 401,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Collections.emptyMap(),
 Constants.MAVEN_PURL_TYPE),
@@ -167,7 +165,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 401,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Collections.emptyMap(),
 Constants.NPM_PURL_TYPE),
@@ -177,7 +175,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 401,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Collections.emptyMap(),
 Constants.GOLANG_PURL_TYPE),
@@ -187,7 +185,7 @@ private static Stream emptySbomArguments() {
 200,
 Constants.OSS_INDEX_PROVIDER,
 401,
- Constants.OSV_NVD_PROVIDER,
+ Constants.OSV_PROVIDER,
 200),
 Collections.emptyMap(),
 Constants.PYPI_PURL_TYPE));
@@ -285,7 +283,7 @@ public void testUnauthorizedRequest() {

 status =
 report.getSummary().getProviderStatuses().stream()
- .filter(ps -> ps.getProvider().equals(Constants.OSV_NVD_PROVIDER))
+ .filter(ps -> ps.getProvider().equals(Constants.OSV_PROVIDER))
 .findFirst()
 .get();
 assertTrue(status.getOk());
@@ -333,7 +331,7 @@ public void testForbiddenRequest() {

 status =
 report.getSummary().getProviderStatuses().stream()
- .filter(ps -> ps.getProvider().equals(Constants.OSV_NVD_PROVIDER))
+ .filter(ps -> ps.getProvider().equals(Constants.OSV_PROVIDER))
 .findFirst()
 .get();
 assertTrue(status.getOk());
diff --git a/src/test/java/com/redhat/exhort/integration/providers/VulnerabilityProviderTest.java b/src/test/java/com/redhat/exhort/integration/providers/VulnerabilityProviderTest.java
index b21b7a5c..5ceeead7 100644
--- a/src/test/java/com/redhat/exhort/integration/providers/VulnerabilityProviderTest.java
+++ b/src/test/java/com/redhat/exhort/integration/providers/VulnerabilityProviderTest.java
@@ -40,7 +40,7 @@ public class VulnerabilityProviderTest {

 @Test
 public void test() {
- var expected = new String[] {Constants.OSS_INDEX_PROVIDER, Constants.OSV_NVD_PROVIDER};
+ var expected = new String[] {Constants.OSS_INDEX_PROVIDER, Constants.OSV_PROVIDER};
 assertArrayEquals(expected, provider.getEnabled().toArray(new String[] {}));
 }

diff --git a/src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java b/src/test/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandlerTest.java
similarity index 93%
rename from src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java
rename to src/test/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandlerTest.java
index e3bf7853..50c5d2c3 100644
--- a/src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java
+++ b/src/test/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandlerTest.java
@@ -16,7 +16,7 @@
 * limitations under the License.
 */

-package com.redhat.exhort.integration.providers.osvnvd;
+package com.redhat.exhort.integration.providers.osv;

 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -39,13 +39,13 @@
 import jakarta.inject.Inject;

 @QuarkusTest
-public class OsvNvdResponseHandlerTest {
+public class OsvResponseHandlerTest {

- @Inject OsvNvdResponseHandler handler;
+ @Inject OsvResponseHandler handler;

 @Test
 void testVectors() throws IOException, URISyntaxException {
- var providerResponse = getProviderResponse("osvnvd/maven_report.json");
+ var providerResponse = getProviderResponse("onguard/maven_report.json");
 var postgresRef =
 PackageRef.builder().purl("pkg:maven/org.postgresql/postgresql@42.5.0?type=jar").build();
 var jacksonRef =
diff --git a/src/test/resources/__files/osvnvd/batch_request.json b/src/test/resources/__files/onguard/batch_request.json
similarity index 100%
rename from src/test/resources/__files/osvnvd/batch_request.json
rename to src/test/resources/__files/onguard/batch_request.json
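Review bot: `testVectors` now loads `onguard/maven_report.json`, whose vulnerability records switch from `cveId` to `id` in this same commit, yet the assertions that would catch a handler still reading `cveId` lie after `var jacksonRef =`, outside the hunk, and the handler itself is not in this view. If the method does not already pin the parsed identifier, add an assertion that the vulnerability resolved for `postgresRef` carries the id `"CVE-2022-41946"` (the fixture's first record appears to be that entry), so a stale field name fails here instead of yielding reports with missing ids. `testVectors` continues past the hunk.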
diff --git a/src/test/resources/__files/osvnvd/empty_report.json b/src/test/resources/__files/onguard/empty_report.json similarity index 100% rename from src/test/resources/__files/osvnvd/empty_report.json rename to src/test/resources/__files/onguard/empty_report.json diff --git a/src/test/resources/__files/osvnvd/maven_report.json b/src/test/resources/__files/onguard/maven_report.json similarity index 99% rename from src/test/resources/__files/osvnvd/maven_report.json rename to src/test/resources/__files/onguard/maven_report.json index ed719429..1b475735 100644 --- a/src/test/resources/__files/osvnvd/maven_report.json +++ b/src/test/resources/__files/onguard/maven_report.json 
@@ -10,7 +10,7 @@ "BIT-postgresql-jdbc-driver-2022-41946", "GHSA-562r-vg33-8x8h" ], - "cveId": "CVE-2022-41946", + "id": "CVE-2022-41946", "created": "2024-01-15T21:37:48.619+00:00", "summary": "TemporaryFolder on unix-like systems does not limit access to created files", "description": "**Vulnerability**\n\n`PreparedStatement.setText(int, InputStream)`\nand\n\n`PreparedStatemet.setBytea(int, InputStream)`\n\nwill create a temporary file if the InputStream is larger than 51k\n\n \nExample of vulnerable code:\n\n```java\nString s = \"some very large string greater than 51200 bytes\";\n\nPreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );\n```\nThis will create a temporary file which is readable by other users on Unix like systems, but not MacOS.\n\nImpact\nOn Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.\n\nThis vulnerability does not allow other users to overwrite the contents of these directories or files. 
This is purely an information disclosure vulnerability.\n\nWhen analyzing the impact of this vulnerability, here are the important questions to ask:\n\nIs the driver running in an environment where the OS has other untrusted users.\nIf yes, and you answered 'yes' to question 1, this vulnerability impacts you.\nIf no, this vulnerability does not impact you.\nPatches\nBecause certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.\n\nJava 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1\nJava 1.7 users: this vulnerability is fixed in 42.2.27.jre7\nJava 1.6 and lower users: no patch is available; you must use the workaround below.\nWorkarounds\nIf you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.\n\nReferences\n[CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)\nFix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5\nSimilar Vulnerabilities\nGoogle Guava - https://github.com/google/guava/issues/4011\nApache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\nJetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824", @@ -210,7 +210,7 @@ "aliases": [ "GHSA-57j2-w4cx-62h2" ], - "cveId": "CVE-2020-36518", + "id": "CVE-2020-36518", "created": "2024-01-15T21:37:47.413+00:00", "summary": "Deeply nested json in jackson-databind", "description": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", 
@@ -434,7 +434,7 @@ "aliases": [ "GHSA-jjjh-jjxp-wpff" ], - "cveId": "CVE-2022-42003", + "id": "CVE-2022-42003", "created": "2024-01-15T21:37:47.413+00:00", "description": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", "affected": [ @@ -636,7 +636,7 @@ "aliases": [ "GHSA-rgv9-q543-rqg4" ], - "cveId": "CVE-2022-42004", + "id": "CVE-2022-42004", "created": "2024-01-15T21:37:47.413+00:00", "summary": "Uncontrolled Resource Consumption in FasterXML jackson-databind", "description": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", @@ -868,7 +868,7 @@ "aliases": [ "GHSA-3fhx-3vvg-2j84" ], - "cveId": "CVE-2023-2974", + "id": "CVE-2023-2974", "created": "2024-01-15T21:37:49.155+00:00", "description": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", "affected": [ diff --git a/src/test/resources/__files/osvnvd/maven_request.json b/src/test/resources/__files/onguard/maven_request.json similarity index 100% rename from src/test/resources/__files/osvnvd/maven_request.json rename to src/test/resources/__files/onguard/maven_request.json diff --git a/src/test/resources/__files/reports/batch_report_all_token.json b/src/test/resources/__files/reports/batch_report_all_token.json index 574e508b..726e622c 100644 --- a/src/test/resources/__files/reports/batch_report_all_token.json 
+++ b/src/test/resources/__files/reports/batch_report_all_token.json @@ -191,15 +191,15 @@ }, "sources": {} }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 0, "transitive": 5, @@ -224,7 +224,7 @@ { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -257,7 +257,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -293,7 +293,7 @@ { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -321,7 +321,7 @@ { "id": "CVE-2022-42004", "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -349,7 +349,7 @@ { "id": "CVE-2020-36518", "title": "Deeply nested json in jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -381,7 +381,7 @@ "highestVulnerability": { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -412,7 +412,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -452,7 +452,7 @@ { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -483,7 +483,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -516,7 +516,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", 
@@ -873,10 +873,10 @@ }, "sources": {} }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, @@ -941,15 +941,15 @@ }, "sources": {} }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 0, "transitive": 0, diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json index 4d43577f..e454fe6a 100644 --- a/src/test/resources/__files/reports/report_all_token.json +++ b/src/test/resources/__files/reports/report_all_token.json @@ -198,15 +198,15 @@ } }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 0, "transitive": 5, @@ -233,7 +233,7 @@ { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -266,7 +266,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -302,7 +302,7 @@ { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -330,7 +330,7 @@ { "id": "CVE-2022-42004", "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -358,7 +358,7 @@ { "id": "CVE-2020-36518", "title": "Deeply nested json in jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -390,7 +390,7 @@ "highestVulnerability": { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -421,7 +421,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -463,7 +463,7 @@ { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -494,7 +494,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -527,7 +527,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json index 040576d2..1f819a26 100644 --- a/src/test/resources/__files/reports/v3/report_all_token.json +++ b/src/test/resources/__files/reports/v3/report_all_token.json @@ -27,7 +27,7 @@ }, { "ok": true, - "provider": "osv-nvd", + "provider": "osv", "status": 200, "message": "OK" }, @@ -196,7 +196,7 @@ { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -226,7 +226,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -252,7 +252,7 @@ { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -274,7 +274,7 @@ { "id": "CVE-2022-42004", "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -296,7 +296,7 @@ { "id": "CVE-2020-36518", "title": "Deeply nested json in jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -324,7 +324,7 @@ "highestVulnerability": { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -352,7 +352,7 @@ "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -384,7 +384,7 @@ { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -410,7 +410,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -438,7 +438,7 @@ "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", diff --git a/ui/src/components/DepCompoundTable.tsx b/ui/src/components/DepCompoundTable.tsx index 7fd7d5dd..8c5e556e 100644 --- a/ui/src/components/DepCompoundTable.tsx +++ b/ui/src/components/DepCompoundTable.tsx @@ -291,7 +291,7 @@ export const DepCompoundTable = ({name, dependencies}: { name: string; dependenc params={currentPage} onChange={onPageChange} /> - {name === 'osv-nvd' && ( + {name === 'osv' && (

Disclaimer:This Product uses data from the NVD API but is not endorsed or certified by the NVD
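Review bot: The NVD disclaimer rendered at the end of this hunk is now gated on `name === 'osv'`, a provider id that no longer carries "nvd", so whether the text still belongs here depends on whether the renamed provider (served by ONGuard per the README change) still draws on NVD data, which nothing in the hunk shows. If it does, the attribution NVD's API terms call for must stay, and the visible `Disclaimer:This` wants a space after the colon; if it does not, the whole conditional block should be removed rather than advertise a data source that is not used. The literal `'osv'` also duplicates the backend `Constants.OSV_PROVIDER` value by hand, and a future rename that misses one side fails silently by simply hiding the disclaimer, so exporting the provider id from one shared constant (or the same list the report model uses) would make the coupling visible, e.g. `{name === OSV_PROVIDER && (`. The enclosing `DepCompoundTable` component starts and ends outside the hunk.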

diff --git a/ui/src/mocks/reportDocker.mock.ts b/ui/src/mocks/reportDocker.mock.ts index 56d90ed5..901482b7 100644 --- a/ui/src/mocks/reportDocker.mock.ts +++ b/ui/src/mocks/reportDocker.mock.ts @@ -191,15 +191,15 @@ export const dockerReport: AppData = { "message": "OK" } }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 0, "transitive": 5, @@ -223,7 +223,7 @@ export const dockerReport: AppData = { { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -256,7 +256,7 @@ export const dockerReport: AppData = { "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -292,7 +292,7 @@ export const dockerReport: AppData = { { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -320,7 +320,7 @@ export const dockerReport: AppData = { { "id": "CVE-2022-42004", "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -348,7 +348,7 @@ export const dockerReport: AppData = { { "id": "CVE-2020-36518", "title": "Deeply nested json in jackson-databind", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -380,7 +380,7 @@ export const dockerReport: AppData = { "highestVulnerability": { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -411,7 +411,7 @@ export const dockerReport: AppData = { "highestVulnerability": { "id": "CVE-2023-2974", "title": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -450,7 +450,7 @@ export const dockerReport: AppData = { { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", 
@@ -481,7 +481,7 @@ export const dockerReport: AppData = { "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -514,7 +514,7 @@ export const dockerReport: AppData = { "highestVulnerability": { "id": "CVE-2022-41946", "title": "TemporaryFolder on unix-like systems does not limit access to created files", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -866,15 +866,15 @@ export const dockerReport: AppData = { "message": "OK" } }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 0, "transitive": 0, diff --git a/ui/src/mocks/reportMixed.mock.ts b/ui/src/mocks/reportMixed.mock.ts index 51ab1af8..c9110861 100644 --- a/ui/src/mocks/reportMixed.mock.ts +++ b/ui/src/mocks/reportMixed.mock.ts @@ -1856,15 +1856,15 @@ export const reportMixed: AppData = { "message": "OK" } }, - "osv-nvd": { + "osv": { "status": { "ok": true, - "name": "osv-nvd", + "name": "osv", "code": 200, "message": "OK" }, "sources": { - "osv-nvd": { + "osv": { "summary": { "direct": 4, "transitive": 57, 
@@ -1882,7 +1882,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -1907,7 +1907,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -1930,7 +1930,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -1955,7 +1955,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -1977,7 +1977,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-22970", "title": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -1998,7 +1998,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2023,7 +2023,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2016-1000027", "title": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2045,7 +2045,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-22118", "title": "In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -2068,7 +2068,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2016-1000027", "title": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2093,7 +2093,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-46589", "title": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2115,7 +2115,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-25122", "title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2137,7 +2137,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-44487", "title": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2159,7 +2159,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-25329", "title": "Potential remote code execution in Apache Tomcat", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "High", 
@@ -2181,7 +2181,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-41080", "title": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.\n\nThe vulnerability is limited to the ROOT (default) web application.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2201,7 +2201,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-24122", "title": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -2221,7 +2221,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-42795", "title": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2243,7 +2243,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-45648", "title": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2266,7 +2266,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-46589", "title": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2291,7 +2291,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-46877", "title": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2313,7 +2313,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2020-36518", "title": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2335,7 +2335,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-42003", "title": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2357,7 +2357,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-42004", "title": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2380,7 +2380,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2021-46877", "title": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2405,7 +2405,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-22950", "title": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2427,7 +2427,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-20861", "title": "In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2447,7 +2447,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-20863", "title": "In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2470,7 +2470,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-22950", "title": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2494,7 +2494,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-22965", "title": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2521,7 +2521,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-1471", "title": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2543,7 +2543,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-25857", "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2565,7 +2565,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-38751", "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2587,7 +2587,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-38752", "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2609,7 +2609,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-38749", "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2631,7 +2631,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-41854", "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2653,7 +2653,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-38750", "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", @@ -2676,7 +2676,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-1471", "title": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2701,7 +2701,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-6378", "title": "logback serialization vulnerability", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2723,7 +2723,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-42550", "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -2746,7 +2746,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-6378", "title": "logback serialization vulnerability", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2771,7 +2771,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-6378", "title": "logback serialization vulnerability", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2794,7 +2794,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-6378", "title": "logback serialization vulnerability", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2819,7 +2819,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-20883", "title": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2842,7 +2842,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-20883", "title": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2867,7 +2867,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-34055", "title": "In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC or Spring WebFlux\n * org.springframework.boot:spring-boot-actuator is on the classpath\n\n\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2888,7 +2888,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-34055", "title": "In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC or Spring WebFlux\n * org.springframework.boot:spring-boot-actuator is on the classpath\n\n\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2911,7 +2911,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-22968", "title": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2934,7 +2934,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-22968", "title": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -2959,7 +2959,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-22060", "title": "In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -2979,7 +2979,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-22096", "title": "In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3000,7 +3000,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2021-22060", "title": "In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3022,7 +3022,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-1471", "title": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3049,7 +3049,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-26520", "title": "In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3071,7 +3071,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-21724", "title": "pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3093,7 +3093,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-31197", "title": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3115,7 +3115,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-41946", "title": "pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", 
@@ -3138,7 +3138,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-26520", "title": "In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3163,7 +3163,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-26520", "title": "In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3188,7 +3188,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-4853", "title": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -3215,7 +3215,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-0044", "title": "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3240,7 +3240,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-2974", "title": "quarkus-core vulnerable to client driven TLS cipher downgrading", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3268,7 +3268,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-2974", "title": "quarkus-core vulnerable to client driven TLS cipher downgrading", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3298,7 +3298,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2022-41881", "title": "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3321,7 +3321,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2022-41881", "title": "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3346,7 +3346,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-37137", "title": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3368,7 +3368,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-37136", "title": "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3391,7 +3391,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2021-37137", "title": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3416,7 +3416,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-44487", "title": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3443,7 +3443,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-21409", "title": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -3466,7 +3466,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-44487", "title": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3496,7 +3496,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-34462", "title": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3519,7 +3519,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-34462", "title": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3544,7 +3544,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-43797", "title": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3566,7 +3566,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2022-24823", "title": "Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Local", "attackComplexity": "Low", 
@@ -3589,7 +3589,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2021-43797", "title": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3614,7 +3614,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-24815", "title": "Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: `return \"/\" + rest;` from `Utils.java` returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\\` are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. There are no known workarounds for this vulnerability.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3637,7 +3637,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-24815", "title": "Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: `return \"/\" + rest;` from `Utils.java` returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\\` are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. There are no known workarounds for this vulnerability.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3662,7 +3662,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-4853", "title": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", 
@@ -3694,7 +3694,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-1370", "title": "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3714,7 +3714,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2021-27568", "title": "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", @@ -3737,7 +3737,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-1370", "title": "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", 
@@ -3760,7 +3760,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2023-51074", "title": "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3781,7 +3781,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-51074", "title": "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3803,7 +3803,7 @@ export const reportMixed: AppData = { "highestVulnerability": { "id": "CVE-2023-1370", "title": "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\n\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3826,7 +3826,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-3827", "title": "A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "High", 
@@ -3851,7 +3851,7 @@ export const reportMixed: AppData = { "issues": [{ "id": "CVE-2021-40690", "title": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3873,7 +3873,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2023-44483", "title": "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.\n", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3895,7 +3895,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2013-5823", "title": "Apache XML Security For Java vulnerable to Infinite Loop", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "attackComplexity": "Low", @@ -3915,7 +3915,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2013-4517", "title": "Improper Input Validation in Apache Santuario XML Security", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "privilegesRequired": "None", @@ -3934,7 +3934,7 @@ export const reportMixed: AppData = { }, { "id": "CVE-2013-2172", "title": "Inefficient Algorithmic Complexity in Apache Santuario XML Security", - "source": "osv-nvd", + "source": "osv", "cvss": { "attackVector": "Network", "privilegesRequired": "None", 
@@ -3954,7 +3954,7 @@ export const reportMixed: AppData = {
 "highestVulnerability": {
 "id": "CVE-2021-40690",
 "title": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
- "source": "osv-nvd",
+ "source": "osv",
 "cvss": {
 "attackVector": "Network",
 "attackComplexity": "Low",
@@ -3978,7 +3978,7 @@ export const reportMixed: AppData = {
 "highestVulnerability": {
 "id": "CVE-2021-40690",
 "title": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
- "source": "osv-nvd",
+ "source": "osv",
 "cvss": {
 "attackVector": "Network",
 "attackComplexity": "Low",
diff --git a/ui/src/utils/utils.ts b/ui/src/utils/utils.ts
index cc0d09c9..a57d55dc 100644
--- a/ui/src/utils/utils.ts
+++ b/ui/src/utils/utils.ts
@@ -113,7 +113,7 @@ export const issueLink = (provider: string, issueId: string, appData: AppData) =
 return appData.snykIssueTemplate.replace(ISSUE_PLACEHOLDER, issueId);
 case 'oss-index':
 return appData.ossIssueTemplate.replace(ISSUE_PLACEHOLDER, issueId);
- case 'osv-nvd':
+ case 'osv':
 return appData.nvdIssueTemplate.replace(ISSUE_PLACEHOLDER, issueId);
 }
 };
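Review bot: The new `case 'osv':` still resolves through `appData.nvdIssueTemplate`, so the generated link is only meaningful when the OSV-sourced id is a CVE; every fixture in this commit carries a CVE id, but if the OSV provider can ever surface a non-CVE identifier the NVD link will be dead, so a comment such as `// OSV results are keyed by CVE id, hence the NVD template` or a prefix check would make the assumption explicit. The `switch` also has no `default`, so a report whose `source` is none of the three known values — including one produced before this rename that still says `osv-nvd` — makes `issueLink` return `undefined` silently; an explicit `default: return undefined;` (or a fallback template) would document that contract. Independently of the rename, `issueId` is substituted into the template verbatim; if these templates are URLs, `replace(ISSUE_PLACEHOLDER, encodeURIComponent(issueId))` keeps an unexpected `?`, `#` or `/` in an id from altering the link's path or query. The `issueLink` arrow function and its `switch` begin before this hunk.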