From 6266610ecab3a73dfd9a6618de9f578266594fcb Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 1 Apr 2026 21:51:03 +0200 Subject: [PATCH 001/173] fix(parsers): use unsaved_tags instead of tags= in Finding constructor for performance Passing tags= directly to the Finding() constructor triggers expensive tagulous processing for every finding. Using finding.unsaved_tags instead bypasses this overhead and lets the import pipeline handle tags efficiently. Affected parsers: jfrog_xray_unified, dependency_check, cargo_audit, anchore_grype, threat_composer. Benchmark on 14,219 findings: 99s -> 7.97s (12x faster). --- dojo/tools/anchore_grype/parser.py | 54 +++++------- dojo/tools/cargo_audit/parser.py | 22 ++--- dojo/tools/dependency_check/parser.py | 107 ++++++++++++------------ dojo/tools/jfrog_xray_unified/parser.py | 41 ++++----- dojo/tools/threat_composer/parser.py | 5 +- 5 files changed, 96 insertions(+), 133 deletions(-) diff --git a/dojo/tools/anchore_grype/parser.py b/dojo/tools/anchore_grype/parser.py index bd36e4bebb2..2272a1cec57 100644 --- a/dojo/tools/anchore_grype/parser.py +++ b/dojo/tools/anchore_grype/parser.py @@ -12,7 +12,6 @@ class AnchoreGrypeParser: - """ Anchore Grype JSON report format generated with `-o json` option. @@ -66,7 +65,8 @@ def get_findings(self, file, test): rel_epss = related_vulnerability.get("epss") rel_vuln_id = related_vulnerability.get("id") vulnerability_ids = self.get_vulnerability_ids( - vuln_id, related_vulnerabilities, + vuln_id, + related_vulnerabilities, ) matches = item["matchDetails"] @@ -77,11 +77,7 @@ def get_findings(self, file, test): artifact_purl = artifact.get("purl") artifact_location = artifact.get("locations") file_path = None - if ( - artifact_location - and len(artifact_location) > 0 - and artifact_location[0].get("path") - ): + if artifact_location and len(artifact_location) > 0 and artifact_location[0].get("path"): file_path = artifact_location[0].get("path") finding_title = f"{vuln_id} in {artifact_name}:{artifact_version}" @@ -89,25 +85,17 @@ def get_findings(self, file, test): finding_tags = None finding_description = "" if vuln_namespace: - finding_description += ( - f"**Vulnerability Namespace:** {vuln_namespace}" - ) + finding_description += f"**Vulnerability Namespace:** {vuln_namespace}" if vuln_description: - finding_description += ( - f"\n**Vulnerability Description:** {vuln_description}" - ) + finding_description += f"\n**Vulnerability Description:** {vuln_description}" if rel_description and rel_description != vuln_description: finding_description += f"\n**Related Vulnerability Description:** {rel_description}" if matches: if isinstance(item["matchDetails"], dict): - finding_description += ( - f"\n**Matcher:** {matches['matcher']}" - ) + finding_description += f"\n**Matcher:** {matches['matcher']}" finding_tags = [matches["matcher"].replace("-matcher", "")] elif len(matches) == 1: - finding_description += ( - f"\n**Matcher:** {matches[0]['matcher']}" - ) + finding_description += f"\n**Matcher:** {matches[0]['matcher']}" finding_tags = [ matches[0]["matcher"].replace("-matcher", ""), ] @@ -138,30 +126,22 @@ def get_findings(self, file, test): finding_references = "" if vuln_datasource: - finding_references += ( - f"**Vulnerability Datasource:** {vuln_datasource}\n" - ) + finding_references += f"**Vulnerability Datasource:** {vuln_datasource}\n" if vuln_urls: if len(vuln_urls) == 1: if vuln_urls[0] != vuln_datasource: - finding_references += ( - f"**Vulnerability URL:** {vuln_urls[0]}\n" - ) + finding_references += f"**Vulnerability URL:** {vuln_urls[0]}\n" else: finding_references += "**Vulnerability URLs:**\n" for url in vuln_urls: if url != vuln_datasource: finding_references += f"- {url}\n" if rel_datasource: - finding_references += ( - f"**Related Vulnerability Datasource:** {rel_datasource}\n" - ) + finding_references += f"**Related Vulnerability Datasource:** {rel_datasource}\n" if rel_urls: if len(rel_urls) == 1: if rel_urls[0] != vuln_datasource: - finding_references += ( - f"**Related Vulnerability URL:** {rel_urls[0]}\n" - ) + finding_references += f"**Related Vulnerability URL:** {rel_urls[0]}\n" else: finding_references += "**Related Vulnerability URLs:**\n" for url in rel_urls: @@ -202,7 +182,6 @@ def get_findings(self, file, test): component_name=artifact_name, component_version=artifact_version.replace("\x00", ""), vuln_id_from_tool=vuln_id, - tags=finding_tags, static_finding=True, dynamic_finding=False, nb_occurences=1, @@ -210,6 +189,7 @@ def get_findings(self, file, test): fix_available=fix_available, fix_version=fix_version, ) + dupes[dupe_key].unsaved_tags = finding_tags dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids if settings.V3_FEATURE_LOCATIONS and artifact_purl: dupes[dupe_key].unsaved_locations.append( @@ -229,7 +209,8 @@ def get_cvss(self, cvss): vector = cvss_item["vector"] cvss_objects = cvss_parser.parse_cvss_from_text(vector) if len(cvss_objects) > 0 and isinstance( - cvss_objects[0], CVSS3, + cvss_objects[0], + CVSS3, ): return vector return None @@ -259,8 +240,11 @@ def get_vulnerability_ids(self, vuln_id, related_vulnerabilities): if vuln_id: vulnerability_ids.append(vuln_id) if related_vulnerabilities: - vulnerability_ids.extend(related_vulnerability_id for related_vulnerability in related_vulnerabilities - if (related_vulnerability_id := related_vulnerability.get("id"))) + vulnerability_ids.extend( + related_vulnerability_id + for related_vulnerability in related_vulnerabilities + if (related_vulnerability_id := related_vulnerability.get("id")) + ) if vulnerability_ids: return vulnerability_ids return None diff --git a/dojo/tools/cargo_audit/parser.py b/dojo/tools/cargo_audit/parser.py index 49379081793..024d33f278d 100644 --- a/dojo/tools/cargo_audit/parser.py +++ b/dojo/tools/cargo_audit/parser.py @@ -8,7 +8,6 @@ class CargoAuditParser: - """A class that can be used to parse the cargo audit JSON report file""" def get_fields(self) -> list[str]: @@ -80,24 +79,13 @@ def get_findings(self, filename, test): vuln_id = advisory.get("id") vulnerability_ids = [advisory.get("id")] categories = f"**Categories:** {', '.join(advisory['categories'])}" if "categories" in advisory else "" - description = ( - categories - + f"\n**Description:** `{advisory.get('description')}`" - ) + description = categories + f"\n**Description:** `{advisory.get('description')}`" - if ( - item["affected"] is not None - and "functions" in item["affected"] - ): + if item["affected"] is not None and "functions" in item["affected"]: affected_func = [ - f'{func}: {", ".join(versions)}' - for func, versions in item["affected"][ - "functions" - ].items() + f"{func}: {', '.join(versions)}" for func, versions in item["affected"]["functions"].items() ] - description += ( - f"\n**Affected functions**: {', '.join(affected_func)}" - ) + description += f"\n**Affected functions**: {', '.join(affected_func)}" references = f"{advisory.get('url')}\n" + "\n".join( advisory["references"], @@ -130,7 +118,6 @@ def get_findings(self, filename, test): title=title, test=test, severity=severity, - tags=tags, description=description, component_name=package_name, component_version=package_version, @@ -140,6 +127,7 @@ def get_findings(self, filename, test): references=references, mitigation=mitigation, ) + finding.unsaved_tags = tags finding.unsaved_vulnerability_ids = vulnerability_ids if settings.V3_FEATURE_LOCATIONS and package_name: finding.unsaved_locations.append( diff --git a/dojo/tools/dependency_check/parser.py b/dojo/tools/dependency_check/parser.py index 2d45f998161..4c472e2f4c4 100644 --- a/dojo/tools/dependency_check/parser.py +++ b/dojo/tools/dependency_check/parser.py @@ -87,7 +87,10 @@ def add_finding(self, finding, dupes): dupes[key] = finding def get_filename_and_path_from_dependency( - self, dependency, related_dependency, namespace, + self, + dependency, + related_dependency, + namespace, ): if related_dependency is None: return dependency.findtext( @@ -104,7 +107,10 @@ def get_filename_and_path_from_dependency( return None, None def get_component_name_and_version_from_dependency( - self, dependency, related_dependency, namespace, + self, + dependency, + related_dependency, + namespace, ): identifiers_node = dependency.find(namespace + "identifiers") if identifiers_node is not None: @@ -116,20 +122,13 @@ def get_component_name_and_version_from_dependency( purl_parts = purl.to_dict() component_name = ( purl_parts["namespace"] + ":" - if purl_parts["namespace"] - and len(purl_parts["namespace"]) > 0 - else "" - ) - component_name += ( - purl_parts["name"] - if purl_parts["name"] and len(purl_parts["name"]) > 0 + if purl_parts["namespace"] and len(purl_parts["namespace"]) > 0 else "" ) + component_name += purl_parts["name"] if purl_parts["name"] and len(purl_parts["name"]) > 0 else "" component_name = component_name or None component_version = ( - purl_parts["version"] - if purl_parts["version"] and len(purl_parts["version"]) > 0 - else "" + purl_parts["version"] if purl_parts["version"] and len(purl_parts["version"]) > 0 else "" ) return component_name, component_version, pck_id @@ -149,20 +148,10 @@ def get_component_name_and_version_from_dependency( if cpe_node: cpe_id = cpe_node.findtext(f"{namespace}name") cpe = CPE(cpe_id) - component_name = ( - cpe.get_vendor()[0] + ":" - if len(cpe.get_vendor()) > 0 - else "" - ) - component_name += ( - cpe.get_product()[0] if len(cpe.get_product()) > 0 else "" - ) + component_name = cpe.get_vendor()[0] + ":" if len(cpe.get_vendor()) > 0 else "" + component_name += cpe.get_product()[0] if len(cpe.get_product()) > 0 else "" component_name = component_name or None - component_version = ( - cpe.get_version()[0] - if len(cpe.get_version()) > 0 - else None - ) + component_version = cpe.get_version()[0] if len(cpe.get_version()) > 0 else None return component_name, component_version, None maven_node = identifiers_node.find( @@ -251,7 +240,8 @@ def get_severity_and_cvss_meta(self, vulnerability, namespace) -> dict: if severity: if severity.strip().lower() not in self.SEVERITY_MAPPING: logger.warning( - "Warning: Unknow severity value detected '%s'. Bypass to 'Medium' value", severity, + "Warning: Unknow severity value detected '%s'. Bypass to 'Medium' value", + severity, ) severity = "Medium" else: @@ -266,13 +256,20 @@ def get_severity_and_cvss_meta(self, vulnerability, namespace) -> dict: } def get_finding_from_vulnerability( - self, dependency, related_dependency, vulnerability, test, namespace, + self, + dependency, + related_dependency, + vulnerability, + test, + namespace, ): ( dependency_filename, dependency_filepath, ) = self.get_filename_and_path_from_dependency( - dependency, related_dependency, namespace, + dependency, + related_dependency, + namespace, ) # logger.debug('dependency_filename: %s', dependency_filename) @@ -318,13 +315,17 @@ def get_finding_from_vulnerability( component_version, component_purl, ) = self.get_component_name_and_version_from_dependency( - dependency, related_dependency, namespace, + dependency, + related_dependency, + namespace, ) stripped_name = name # startswith CVE-XXX-YYY stripped_name = re.sub( - r"^CVE-\d{4}-\d{4,7}", "", stripped_name, + r"^CVE-\d{4}-\d{4,7}", + "", + stripped_name, ).strip() # startswith CWE-XXX: stripped_name = re.sub(r"^CWE-\d+\:", "", stripped_name).strip() @@ -333,7 +334,8 @@ def get_finding_from_vulnerability( if component_name is None: logger.warning( - "component_name was None for File: %s, using dependency file name instead.", dependency_filename, + "component_name was None for File: %s, using dependency file name instead.", + dependency_filename, ) component_name = dependency_filename @@ -352,15 +354,9 @@ def get_finding_from_vulnerability( ref_url = reference_node.findtext(f"{namespace}url") ref_name = reference_node.findtext(f"{namespace}name") if ref_url == ref_name: - reference_detail += ( - f"**Source:** {ref_source}\n**URL:** {ref_url}\n\n" - ) + reference_detail += f"**Source:** {ref_source}\n**URL:** {ref_url}\n\n" else: - reference_detail += ( - f"**Source:** {ref_source}\n" - f"**URL:** {ref_url}\n" - f"**Name:** {ref_name}\n\n" - ) + reference_detail += f"**Source:** {ref_source}\n**URL:** {ref_url}\n**Name:** {ref_name}\n\n" if related_dependency is not None: tags.append("related") @@ -370,14 +366,18 @@ def get_finding_from_vulnerability( notes = "Document on why we are suppressing this vulnerability is missing!" tags.append("no_suppression_document") mitigation = f"**This vulnerability is mitigated and/or suppressed:** {notes}\n" - mitigation += f"Update {component_name}:{component_version} to at least the version recommended in the description" + mitigation += ( + f"Update {component_name}:{component_version} to at least the version recommended in the description" + ) mitigated = datetime.datetime.now(datetime.UTC) is_Mitigated = True active = False tags.append("suppressed") else: - mitigation = f"Update {component_name}:{component_version} to at least the version recommended in the description" + mitigation = ( + f"Update {component_name}:{component_version} to at least the version recommended in the description" + ) description += "\n**Filepath:** " + str(dependency_filepath) active = True @@ -390,7 +390,6 @@ def get_finding_from_vulnerability( mitigation=mitigation, mitigated=mitigated, is_mitigated=is_Mitigated, - tags=tags, active=active, dynamic_finding=False, static_finding=True, @@ -400,6 +399,8 @@ def get_finding_from_vulnerability( **self.get_severity_and_cvss_meta(vulnerability, namespace), ) + finding.unsaved_tags = tags + if settings.V3_FEATURE_LOCATIONS and component_purl: finding.unsaved_locations.append( LocationData.dependency(purl=component_purl, file_path=dependency_filename), @@ -466,19 +467,15 @@ def get_findings(self, filename, test): namespace + "relatedDependencies", ) if relatedDependencies is not None: - for ( - relatedDependency - ) in relatedDependencies.findall( + for relatedDependency in relatedDependencies.findall( namespace + "relatedDependency", ): - finding = ( - self.get_finding_from_vulnerability( - dependency, - relatedDependency, - vulnerability, - test, - namespace, - ) + finding = self.get_finding_from_vulnerability( + dependency, + relatedDependency, + vulnerability, + test, + namespace, ) if finding: # could be None if scan_date: @@ -502,7 +499,9 @@ def get_findings(self, filename, test): elif settings.V3_FEATURE_LOCATIONS: # Collect product-level dependency locations _, _, component_purl = self.get_component_name_and_version_from_dependency( - dependency, None, namespace, + dependency, + None, + namespace, ) if component_purl: test.unsaved_metadata.append( diff --git a/dojo/tools/jfrog_xray_unified/parser.py b/dojo/tools/jfrog_xray_unified/parser.py index a15d94c8dac..2dcc223afb4 100644 --- a/dojo/tools/jfrog_xray_unified/parser.py +++ b/dojo/tools/jfrog_xray_unified/parser.py @@ -9,7 +9,6 @@ class JFrogXrayUnifiedParser: - """JFrog Xray JSON reports""" def get_scan_types(self): @@ -49,9 +48,7 @@ def get_item(vulnerability, test): # not all cves have cvssv3 scores, so skip these. If no v3 scores, # we'll default to index 0 if "cvss_v3_score" in vulnerability["cves"][thisCveIndex]: - thisCvssV3Score = vulnerability["cves"][thisCveIndex][ - "cvss_v3_score" - ] + thisCvssV3Score = vulnerability["cves"][thisCveIndex]["cvss_v3_score"] if thisCvssV3Score > highestCvssV3Score: highestCvssV3Index = thisCveIndex highestCvssV3Score = thisCvssV3Score @@ -84,23 +81,13 @@ def get_item(vulnerability, test): cvss_v2 = worstCve["cvss_v2_vector"] fix_available = False - if ( - "fixed_versions" in vulnerability - and len(vulnerability["fixed_versions"]) > 0 - ): + if "fixed_versions" in vulnerability and len(vulnerability["fixed_versions"]) > 0: mitigation = "Versions containing a fix:\n" mitigation += "\n".join(vulnerability["fixed_versions"]) fix_available = True - if ( - "external_advisory_source" in vulnerability - and "external_advisory_severity" in vulnerability - ): - extra_desc = ( - vulnerability["external_advisory_source"] - + ": " - + vulnerability["external_advisory_severity"] - ) + if "external_advisory_source" in vulnerability and "external_advisory_severity" in vulnerability: + extra_desc = vulnerability["external_advisory_source"] + ": " + vulnerability["external_advisory_severity"] if vulnerability["issue_id"]: title = vulnerability["issue_id"] + " - " + vulnerability["summary"] @@ -108,10 +95,15 @@ def get_item(vulnerability, test): title = vulnerability["summary"] references_str = vulnerability.get("references") - references = "\n".join(references_str) if isinstance(references_str, list) else (references_str if isinstance(references_str, str) else "") + references = ( + "\n".join(references_str) + if isinstance(references_str, list) + else (references_str if isinstance(references_str, str) else "") + ) scan_time = datetime.strptime( - vulnerability["artifact_scan_time"], "%Y-%m-%dT%H:%M:%S%z", + vulnerability["artifact_scan_time"], + "%Y-%m-%dT%H:%M:%S%z", ) # component has several parts separated by colons. Last part is the @@ -132,9 +124,7 @@ def get_item(vulnerability, test): title=title, test=test, severity=severity, - description=( - vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc - ).strip(), + description=(vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc).strip(), mitigation=mitigation, component_name=component_name, component_version=component_version, @@ -146,10 +136,11 @@ def get_item(vulnerability, test): impact=severity, date=scan_time, unique_id_from_tool=vulnerability["issue_id"], - tags=tags, fix_available=fix_available, ) + finding.unsaved_tags = tags + cvss_data = parse_cvss_data(cvssv3) if cvss_data: finding.cvssv3 = cvss_data.get("cvssv3") @@ -161,7 +152,9 @@ def get_item(vulnerability, test): if settings.V3_FEATURE_LOCATIONS and package_type and component_name: purl_type = package_type.lower() finding.unsaved_locations.append( - LocationData.dependency(purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"]), + LocationData.dependency( + purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"] + ), ) return finding diff --git a/dojo/tools/threat_composer/parser.py b/dojo/tools/threat_composer/parser.py index 266d63fd662..ce43ea74e0d 100644 --- a/dojo/tools/threat_composer/parser.py +++ b/dojo/tools/threat_composer/parser.py @@ -6,7 +6,6 @@ class ThreatComposerParser: - """Threat Composer JSON can be imported. See here for more info on this JSON format.""" PRIORITY_VALUES = ["Low", "Medium", "High"] @@ -66,7 +65,6 @@ def get_findings(self, file, test): mitigation_links[linked_id].append(mitigations[mitigation_id]) for threat in data["threats"]: - if "threatAction" in threat: title = threat["threatAction"] severity, impact, comments = self.parse_threat_metadata(threat.get("metadata", [])) @@ -84,11 +82,12 @@ def get_findings(self, file, test): unique_id_from_tool=unique_id_from_tool, mitigation=mitigation, impact=impact, - tags=tags, static_finding=True, dynamic_finding=False, ) + finding.unsaved_tags = tags + match threat.get("status", "threatIdentified"): case "threatResolved": finding.active = False From 0f7c99a134ce7cf474f96c8ba18fac142e52e1be Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 1 Apr 2026 21:55:38 +0200 Subject: [PATCH 002/173] fix: resolve ruff D203 and COM812 lint errors from formatter conflict --- dojo/tools/anchore_grype/parser.py | 1 + dojo/tools/cargo_audit/parser.py | 1 + dojo/tools/jfrog_xray_unified/parser.py | 3 ++- dojo/tools/threat_composer/parser.py | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/dojo/tools/anchore_grype/parser.py b/dojo/tools/anchore_grype/parser.py index 2272a1cec57..b9acb9cba34 100644 --- a/dojo/tools/anchore_grype/parser.py +++ b/dojo/tools/anchore_grype/parser.py @@ -12,6 +12,7 @@ class AnchoreGrypeParser: + """ Anchore Grype JSON report format generated with `-o json` option. diff --git a/dojo/tools/cargo_audit/parser.py b/dojo/tools/cargo_audit/parser.py index 024d33f278d..cd84b8100dc 100644 --- a/dojo/tools/cargo_audit/parser.py +++ b/dojo/tools/cargo_audit/parser.py @@ -8,6 +8,7 @@ class CargoAuditParser: + """A class that can be used to parse the cargo audit JSON report file""" def get_fields(self) -> list[str]: diff --git a/dojo/tools/jfrog_xray_unified/parser.py b/dojo/tools/jfrog_xray_unified/parser.py index 2dcc223afb4..9235d0e20b1 100644 --- a/dojo/tools/jfrog_xray_unified/parser.py +++ b/dojo/tools/jfrog_xray_unified/parser.py @@ -9,6 +9,7 @@ class JFrogXrayUnifiedParser: + """JFrog Xray JSON reports""" def get_scan_types(self): @@ -153,7 +154,7 @@ def get_item(vulnerability, test): purl_type = package_type.lower() finding.unsaved_locations.append( LocationData.dependency( - purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"] + purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"], ), ) diff --git a/dojo/tools/threat_composer/parser.py b/dojo/tools/threat_composer/parser.py index ce43ea74e0d..e7e95b6ca77 100644 --- a/dojo/tools/threat_composer/parser.py +++ b/dojo/tools/threat_composer/parser.py @@ -6,6 +6,7 @@ class ThreatComposerParser: + """Threat Composer JSON can be imported. See here for more info on this JSON format.""" PRIORITY_VALUES = ["Low", "Medium", "High"] From ca68a95fdf8888439f09dae77024a98f0780209e Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 1 Apr 2026 22:37:22 +0200 Subject: [PATCH 003/173] fix: update tests to check unsaved_tags instead of tags --- unittests/tools/test_anchore_grype_parser.py | 10 +++++----- unittests/tools/test_cargo_audit_parser.py | 8 ++++---- unittests/tools/test_dependency_check_parser.py | 6 +++--- .../tools/test_jfrog_xray_unified_parser.py | 16 ++++++++-------- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/unittests/tools/test_anchore_grype_parser.py b/unittests/tools/test_anchore_grype_parser.py index 44239da61f0..796fe501ed4 100644 --- a/unittests/tools/test_anchore_grype_parser.py +++ b/unittests/tools/test_anchore_grype_parser.py @@ -132,7 +132,7 @@ def test_check_all_fields(self): self.assertEqual("libgssapi-krb5-2", finding.component_name) self.assertEqual("1.17-3+deb10u3", finding.component_version) self.assertEqual("CVE-2004-0971", finding.vuln_id_from_tool) - self.assertEqual(["dpkg"], finding.tags) + self.assertEqual(["dpkg"], finding.unsaved_tags) self.assertEqual(1, finding.nb_occurences) finding = findings[1] @@ -167,7 +167,7 @@ def test_check_all_fields(self): self.assertEqual("redis", finding.component_name) self.assertEqual("4.0.2", finding.component_version) self.assertEqual("CVE-2021-32626", finding.vuln_id_from_tool) - self.assertEqual(["python", "python2"], finding.tags) + self.assertEqual(["python", "python2"], finding.unsaved_tags) self.assertEqual(1, finding.nb_occurences) finding = findings[2] @@ -197,7 +197,7 @@ def test_check_all_fields(self): self.assertEqual("libc-bin", finding.component_name) self.assertEqual("2.28-10", finding.component_version) self.assertEqual("CVE-2021-33574", finding.vuln_id_from_tool) - self.assertEqual(["dpkg"], finding.tags) + self.assertEqual(["dpkg"], finding.unsaved_tags) self.assertEqual(1, finding.nb_occurences) finding = findings[3] @@ -227,7 +227,7 @@ def test_check_all_fields(self): self.assertEqual("libc6", finding.component_name) self.assertEqual("2.28-10", finding.component_version) self.assertEqual("CVE-2021-33574", finding.vuln_id_from_tool) - self.assertEqual(["dpkg"], finding.tags) + self.assertEqual(["dpkg"], finding.unsaved_tags) self.assertEqual(1, finding.nb_occurences) finding = findings[4] @@ -257,7 +257,7 @@ def test_check_all_fields(self): self.assertEqual("Django", finding.component_name) self.assertEqual("3.2.9", finding.component_version) self.assertEqual("GHSA-v6rh-hp5x-86rv", finding.vuln_id_from_tool) - self.assertEqual(["python"], finding.tags) + self.assertEqual(["python"], finding.unsaved_tags) self.assertEqual(2, finding.nb_occurences) def test_grype_issue_9618(self): diff --git a/unittests/tools/test_cargo_audit_parser.py b/unittests/tools/test_cargo_audit_parser.py index e68b73e1f46..4ee54c3531d 100644 --- a/unittests/tools/test_cargo_audit_parser.py +++ b/unittests/tools/test_cargo_audit_parser.py @@ -22,7 +22,7 @@ def test_parse_many_findings(self): self.assertEqual("[arc-swap 0.4.7] Dangling reference in `access::Map` with Constant", finding.title) self.assertEqual("High", finding.severity) self.assertIsNotNone(finding.description) - self.assertEqual(["dangling reference"], finding.tags) + self.assertEqual(["dangling reference"], finding.unsaved_tags) self.assertEqual("arc-swap", finding.component_name) self.assertEqual("0.4.7", finding.component_version) self.assertEqual("RUSTSEC-2020-0091", finding.vuln_id_from_tool) @@ -37,7 +37,7 @@ def test_parse_many_findings(self): self.assertEqual("[hyper 0.13.9] Multiple Transfer-Encoding headers misinterprets request payload", finding.title) self.assertEqual("High", finding.severity) self.assertIsNotNone(finding.description) - self.assertEqual(["http", "request-smuggling"], finding.tags) + self.assertEqual(["http", "request-smuggling"], finding.unsaved_tags) self.assertEqual("hyper", finding.component_name) self.assertEqual("0.13.9", finding.component_version) self.assertEqual("RUSTSEC-2021-0020", finding.vuln_id_from_tool) @@ -52,7 +52,7 @@ def test_parse_many_findings(self): self.assertEqual("[smallvec 0.6.13] Buffer overflow in SmallVec::insert_many", finding.title) self.assertEqual("High", finding.severity) self.assertIsNotNone(finding.description) - self.assertEqual(["buffer-overflow", "heap-overflow", "unsound"], finding.tags) + self.assertEqual(["buffer-overflow", "heap-overflow", "unsound"], finding.unsaved_tags) self.assertEqual("smallvec", finding.component_name) self.assertEqual("0.6.13", finding.component_version) self.assertEqual("RUSTSEC-2021-0003", finding.vuln_id_from_tool) @@ -67,7 +67,7 @@ def test_parse_many_findings(self): self.assertEqual("[smallvec 1.5.0] Buffer overflow in SmallVec::insert_many", finding.title) self.assertEqual("High", finding.severity) self.assertIsNotNone(finding.description) - self.assertEqual(["buffer-overflow", "heap-overflow", "unsound"], finding.tags) + self.assertEqual(["buffer-overflow", "heap-overflow", "unsound"], finding.unsaved_tags) self.assertEqual("smallvec", finding.component_name) self.assertEqual("1.5.0", finding.component_version) self.assertEqual("RUSTSEC-2021-0003", finding.vuln_id_from_tool) diff --git a/unittests/tools/test_dependency_check_parser.py b/unittests/tools/test_dependency_check_parser.py index 7b23e5aafa5..23d7226f7cf 100644 --- a/unittests/tools/test_dependency_check_parser.py +++ b/unittests/tools/test_dependency_check_parser.py @@ -108,7 +108,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[1].mitigation, "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description", ) - self.assertEqual(items[1].tags, "related") + self.assertEqual(items[1].unsaved_tags, "related") self.assertEqual(1, len(items[1].unsaved_vulnerability_ids)) self.assertEqual("CVE-0000-0001", items[1].unsaved_vulnerability_ids[0]) @@ -258,7 +258,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[9].mitigation, "**This vulnerability is mitigated and/or suppressed:** Document on why we are suppressing this vulnerability is missing!\nUpdate jquery:3.1.1 to at least the version recommended in the description", ) - self.assertEqual(items[9].tags, ["suppressed", "no_suppression_document"]) + self.assertEqual(items[9].unsaved_tags, ["suppressed", "no_suppression_document"]) self.assertEqual(items[9].severity, "Critical") self.assertEqual(items[9].cvssv3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") self.assertEqual(items[9].cvssv3_score, 9.8) @@ -270,7 +270,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[10].mitigation, "**This vulnerability is mitigated and/or suppressed:** This is our reason for not to upgrade it.\nUpdate jquery:3.1.1 to at least the version recommended in the description", ) - self.assertEqual(items[10].tags, "suppressed") + self.assertEqual(items[10].unsaved_tags, "suppressed") self.assertEqual(items[10].severity, "Critical") self.assertEqual(items[10].cvssv3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") self.assertEqual(items[10].cvssv3_score, 9.8) diff --git a/unittests/tools/test_jfrog_xray_unified_parser.py b/unittests/tools/test_jfrog_xray_unified_parser.py index 92bc30c75ff..025b3af9ecf 100644 --- a/unittests/tools/test_jfrog_xray_unified_parser.py +++ b/unittests/tools/test_jfrog_xray_unified_parser.py @@ -33,7 +33,7 @@ def test_parse_file_with_one_vuln(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("Jinja2", item.component_name) - self.assertEqual('"packagetype_pypi"', item.tags) + self.assertEqual('"packagetype_pypi"', item.unsaved_tags) self.assertEqual("2.11.2", item.component_version) self.assertEqual("pypi-remote/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -186,7 +186,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual(" is too late.", item.description[-13:]) self.assertIsNone(item.mitigation) self.assertEqual("3.12:sqlite-libs", item.component_name) - self.assertEqual('"packagetype_alpine"', item.tags) + self.assertEqual('"packagetype_alpine"', item.unsaved_tags) self.assertEqual("3.32.1-r0", item.component_version) self.assertEqual("dockerhub-remote/kiwigrid/k8s-sidecar/sha256__7cba93c3dde21c78fe07ee3f8ed8d82d05bf00415392606401df8a7d72057b5b/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -209,7 +209,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual("(Affected 1.0.2-1.0.2w).", item.description[-24:]) self.assertIsNone(item.mitigation) self.assertEqual("ubuntu:bionic:libssl1.1", item.component_name) - self.assertEqual('"packagetype_debian"', item.tags) + self.assertEqual('"packagetype_debian"', item.unsaved_tags) self.assertEqual("1.1.1-1ubuntu2.1~18.04.6", item.component_version) self.assertEqual("dockerhub-remote/library/mongo/sha256__31f6433f7cfcd2180483e40728cbf97142df1e85de36d80d75c93e5e7fe10405/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -233,7 +233,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("github.com/docker/docker", item.component_name) - self.assertEqual('"packagetype_go"', item.tags) + self.assertEqual('"packagetype_go"', item.unsaved_tags) self.assertEqual("1.4.2-0.20200203170920-46ec8731fbce", item.component_version) self.assertEqual("dockerhub-remote/fluxcd/helm-controller/sha256__27790f965d8965884e8dfc12cba0d1f609794a1abc69bc81a658bd76e463ffce/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -255,7 +255,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual("sensitive information.", item.description[-22:]) self.assertIsNone(item.mitigation) self.assertEqual("com.fasterxml.jackson.core:jackson-databind", item.component_name) - self.assertEqual('"packagetype_maven"', item.tags) + self.assertEqual('"packagetype_maven"', item.unsaved_tags) self.assertEqual("2.10.4", item.component_version) self.assertEqual("elastic-docker-remote/elasticsearch/elasticsearch/7.9.1-amd64/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -279,7 +279,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("jquery", item.component_name) - self.assertEqual('"packagetype_npm"', item.tags) + self.assertEqual('"packagetype_npm"', item.unsaved_tags) self.assertEqual("3.4.1", item.component_version) self.assertEqual("pypi-remote/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -303,7 +303,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("pip", item.component_name) - self.assertEqual('"packagetype_pypi"', item.tags) + self.assertEqual('"packagetype_pypi"', item.unsaved_tags) self.assertEqual("20.2.3", item.component_version) self.assertEqual("dockerhub-remote/kiwigrid/k8s-sidecar/sha256__4b5a25c8dbac9637f8e680566959fdccd1a98d74ce2f2746f9b0f9ff6b57d03b/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -326,7 +326,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual("TABLE statements.\n\nRed Hat Severity: Moderate", item.description[-45:]) self.assertIsNone(item.mitigation) self.assertEqual("7:sqlite:0", item.component_name) - self.assertIn("packagetype_rpm", item.tags) + self.assertIn("packagetype_rpm", item.unsaved_tags) self.assertEqual("3.7.17-8.el7_7.1", item.component_version) self.assertEqual("elastic-docker-remote/elasticsearch/elasticsearch/7.9.1-amd64/", item.file_path) self.assertIsNotNone(item.severity_justification) From 69a25ab3b63a5d496ebb91c26a1d3384d4ba852c Mon Sep 17 00:00:00 2001 From: Emmanuel Iturbide Date: Thu, 2 Apr 2026 12:34:16 +0200 Subject: [PATCH 004/173] Add Endpoint capability to Wazuh 4.8 exporter --- dojo/tools/wazuh/v4_8.py | 18 ++++++++++++++---- unittests/tools/test_wazuh_parser.py | 16 ++++++++++++++++ 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py index 2031c759986..61eba99ec11 100644 --- a/dojo/tools/wazuh/v4_8.py +++ b/dojo/tools/wazuh/v4_8.py @@ -1,4 +1,7 @@ -from dojo.models import Finding +from django.conf import settings + +from dojo.models import Endpoint, Finding +from dojo.tools.locations import LocationData class WazuhV4_8: @@ -17,10 +20,8 @@ def parse_findings(self, test, data): continue # Skip if this finding has already been processed description = vuln.get("description") - description += "\nAgent id:" + item.get("agent").get("id") - description += "\nAgent name:" + item.get("agent").get("name") severity = vuln.get("severity") - cvssv3_score = vuln.get("score").get("base") + cvssv3_score = vuln.get("score").get("base") if vuln.get("score") else None publish_date = vuln.get("published_at").split("T")[0] detection_time = vuln.get("detected_at").split("T")[0] references = vuln.get("reference") @@ -56,6 +57,15 @@ def parse_findings(self, test, data): unique_id_from_tool=dupe_key, date=detection_time, ) + + # Create endpoint from agent name + agent_name = item.get("agent").get("name") + if agent_name is not None: + if settings.V3_FEATURE_LOCATIONS: + find.unsaved_locations = [LocationData.url(host=agent_name)] + else: + find.unsaved_endpoints = [Endpoint(host=agent_name)] + find.unsaved_vulnerability_ids = [cve] dupes[dupe_key] = find diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py index a8d75689d06..adecc1e059c 100644 --- a/unittests/tools/test_wazuh_parser.py +++ b/unittests/tools/test_wazuh_parser.py @@ -65,3 +65,19 @@ def test_parse_wazuh_abnormal_severity(self): findings = parser.get_findings(testfile, Test()) for finding in findings: self.assertEqual("Info", finding.severity) + + def test_parse_v4_8_many_findings_with_location(self): + with (get_unit_tests_scans_path("wazuh") / "v4-8_many_findings.json").open(encoding="utf-8") as testfile: + parser = WazuhParser() + findings = parser.get_findings(testfile, Test()) + finding = findings[0] + self.assertEqual(10, len(findings)) + self.validate_locations(findings) + self.assertEqual("CVE-2025-27558 affects (version: 6.8.0-60.63)", findings[0].title) + self.assertEqual("Critical", findings[0].severity) + self.assertEqual(9.1, findings[0].cvssv3_score) + location = self.get_unsaved_locations(finding)[0] + self.assertEqual("myhost0", location.host) + self.assertEqual("linux-image-6.8.0-60-generic", finding.component_name) + self.assertEqual("6.8.0-60.63", finding.component_version) + self.assertEqual("2025-06-30", finding.date) From 4f9ba0ef806fbc55b54dea191cb4ea7eaeec129b Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Sun, 5 Apr 2026 09:54:14 +0200 Subject: [PATCH 005/173] fix: correct unsaved_tags assertions to expect lists and fix tag ordering Update tests for dependency_check and jfrog_xray_unified parsers to match the actual list format returned by unsaved_tags, and fix the expected order of tags for the suppressed-without-notes case in dependency_check. --- unittests/tools/test_dependency_check_parser.py | 6 +++--- unittests/tools/test_jfrog_xray_unified_parser.py | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/unittests/tools/test_dependency_check_parser.py b/unittests/tools/test_dependency_check_parser.py index 23d7226f7cf..31e1394ec51 100644 --- a/unittests/tools/test_dependency_check_parser.py +++ b/unittests/tools/test_dependency_check_parser.py @@ -108,7 +108,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[1].mitigation, "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description", ) - self.assertEqual(items[1].unsaved_tags, "related") + self.assertEqual(items[1].unsaved_tags, ["related"]) self.assertEqual(1, len(items[1].unsaved_vulnerability_ids)) self.assertEqual("CVE-0000-0001", items[1].unsaved_vulnerability_ids[0]) @@ -258,7 +258,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[9].mitigation, "**This vulnerability is mitigated and/or suppressed:** Document on why we are suppressing this vulnerability is missing!\nUpdate jquery:3.1.1 to at least the version recommended in the description", ) - self.assertEqual(items[9].unsaved_tags, ["suppressed", "no_suppression_document"]) + self.assertEqual(items[9].unsaved_tags, ["no_suppression_document", "suppressed"]) self.assertEqual(items[9].severity, "Critical") self.assertEqual(items[9].cvssv3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") self.assertEqual(items[9].cvssv3_score, 9.8) @@ -270,7 +270,7 @@ def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self): items[10].mitigation, "**This vulnerability is mitigated and/or suppressed:** This is our reason for not to upgrade it.\nUpdate jquery:3.1.1 to at least the version recommended in the description", ) - self.assertEqual(items[10].unsaved_tags, "suppressed") + self.assertEqual(items[10].unsaved_tags, ["suppressed"]) self.assertEqual(items[10].severity, "Critical") self.assertEqual(items[10].cvssv3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") self.assertEqual(items[10].cvssv3_score, 9.8) diff --git a/unittests/tools/test_jfrog_xray_unified_parser.py b/unittests/tools/test_jfrog_xray_unified_parser.py index 025b3af9ecf..239161912cd 100644 --- a/unittests/tools/test_jfrog_xray_unified_parser.py +++ b/unittests/tools/test_jfrog_xray_unified_parser.py @@ -33,7 +33,7 @@ def test_parse_file_with_one_vuln(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("Jinja2", item.component_name) - self.assertEqual('"packagetype_pypi"', item.unsaved_tags) + self.assertEqual(["packagetype_pypi"], item.unsaved_tags) self.assertEqual("2.11.2", item.component_version) self.assertEqual("pypi-remote/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -186,7 +186,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual(" is too late.", item.description[-13:]) self.assertIsNone(item.mitigation) self.assertEqual("3.12:sqlite-libs", item.component_name) - self.assertEqual('"packagetype_alpine"', item.unsaved_tags) + self.assertEqual(["packagetype_alpine"], item.unsaved_tags) self.assertEqual("3.32.1-r0", item.component_version) self.assertEqual("dockerhub-remote/kiwigrid/k8s-sidecar/sha256__7cba93c3dde21c78fe07ee3f8ed8d82d05bf00415392606401df8a7d72057b5b/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -209,7 +209,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual("(Affected 1.0.2-1.0.2w).", item.description[-24:]) self.assertIsNone(item.mitigation) self.assertEqual("ubuntu:bionic:libssl1.1", item.component_name) - self.assertEqual('"packagetype_debian"', item.unsaved_tags) + self.assertEqual(["packagetype_debian"], item.unsaved_tags) self.assertEqual("1.1.1-1ubuntu2.1~18.04.6", item.component_version) self.assertEqual("dockerhub-remote/library/mongo/sha256__31f6433f7cfcd2180483e40728cbf97142df1e85de36d80d75c93e5e7fe10405/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -233,7 +233,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("github.com/docker/docker", item.component_name) - self.assertEqual('"packagetype_go"', item.unsaved_tags) + self.assertEqual(["packagetype_go"], item.unsaved_tags) self.assertEqual("1.4.2-0.20200203170920-46ec8731fbce", item.component_version) self.assertEqual("dockerhub-remote/fluxcd/helm-controller/sha256__27790f965d8965884e8dfc12cba0d1f609794a1abc69bc81a658bd76e463ffce/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -255,7 +255,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertEqual("sensitive information.", item.description[-22:]) self.assertIsNone(item.mitigation) self.assertEqual("com.fasterxml.jackson.core:jackson-databind", item.component_name) - self.assertEqual('"packagetype_maven"', item.unsaved_tags) + self.assertEqual(["packagetype_maven"], item.unsaved_tags) self.assertEqual("2.10.4", item.component_version) self.assertEqual("elastic-docker-remote/elasticsearch/elasticsearch/7.9.1-amd64/", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -279,7 +279,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("jquery", item.component_name) - self.assertEqual('"packagetype_npm"', item.unsaved_tags) + self.assertEqual(["packagetype_npm"], item.unsaved_tags) self.assertEqual("3.4.1", item.component_version) self.assertEqual("pypi-remote/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl", item.file_path) self.assertIsNotNone(item.severity_justification) @@ -303,7 +303,7 @@ def test_parse_file_with_very_many_vulns(self): self.assertIsNotNone(item.mitigation) self.assertGreater(len(item.mitigation), 0) self.assertEqual("pip", item.component_name) - self.assertEqual('"packagetype_pypi"', item.unsaved_tags) + self.assertEqual(["packagetype_pypi"], item.unsaved_tags) self.assertEqual("20.2.3", item.component_version) self.assertEqual("dockerhub-remote/kiwigrid/k8s-sidecar/sha256__4b5a25c8dbac9637f8e680566959fdccd1a98d74ce2f2746f9b0f9ff6b57d03b/", item.file_path) self.assertIsNotNone(item.severity_justification) From 667c0e6d841e141e029e7399af4dccc8c905b24e Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Mon, 6 Apr 2026 19:57:50 +0200 Subject: [PATCH 006/173] refactor: revert ruff formatting changes, keep only unsaved_tags logic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit mixed substantive changes (tags= → unsaved_tags) with ruff auto-formatting. This restores the original code style while preserving the performance fix. --- dojo/tools/anchore_grype/parser.py | 52 +++++++----- dojo/tools/cargo_audit/parser.py | 19 ++++- dojo/tools/dependency_check/parser.py | 104 ++++++++++++------------ dojo/tools/jfrog_xray_unified/parser.py | 37 +++++---- dojo/tools/threat_composer/parser.py | 1 + 5 files changed, 124 insertions(+), 89 deletions(-) diff --git a/dojo/tools/anchore_grype/parser.py b/dojo/tools/anchore_grype/parser.py index 2461a72c14a..f53935d8ee2 100644 --- a/dojo/tools/anchore_grype/parser.py +++ b/dojo/tools/anchore_grype/parser.py @@ -76,8 +76,7 @@ def get_findings(self, file, test): rel_epss = related_vulnerability.get("epss") rel_vuln_id = related_vulnerability.get("id") vulnerability_ids = self.get_vulnerability_ids( - vuln_id, - related_vulnerabilities, + vuln_id, related_vulnerabilities, ) matches = item["matchDetails"] @@ -88,7 +87,11 @@ def get_findings(self, file, test): artifact_purl = artifact.get("purl") artifact_location = artifact.get("locations") file_path = None - if artifact_location and len(artifact_location) > 0 and artifact_location[0].get("path"): + if ( + artifact_location + and len(artifact_location) > 0 + and artifact_location[0].get("path") + ): file_path = artifact_location[0].get("path") finding_title = f"{vuln_id} in {artifact_name}:{artifact_version}" @@ -96,17 +99,25 @@ def get_findings(self, file, test): finding_tags = None finding_description = "" if vuln_namespace: - finding_description += f"**Vulnerability Namespace:** {vuln_namespace}" + finding_description += ( + f"**Vulnerability Namespace:** {vuln_namespace}" + ) if vuln_description: - finding_description += f"\n**Vulnerability Description:** {vuln_description}" + finding_description += ( + f"\n**Vulnerability Description:** {vuln_description}" + ) if rel_description and rel_description != vuln_description: finding_description += f"\n**Related Vulnerability Description:** {rel_description}" if matches: if isinstance(item["matchDetails"], dict): - finding_description += f"\n**Matcher:** {matches['matcher']}" + finding_description += ( + f"\n**Matcher:** {matches['matcher']}" + ) finding_tags = [matches["matcher"].replace("-matcher", "")] elif len(matches) == 1: - finding_description += f"\n**Matcher:** {matches[0]['matcher']}" + finding_description += ( + f"\n**Matcher:** {matches[0]['matcher']}" + ) finding_tags = [ matches[0]["matcher"].replace("-matcher", ""), ] @@ -137,22 +148,30 @@ def get_findings(self, file, test): finding_references = "" if vuln_datasource: - finding_references += f"**Vulnerability Datasource:** {vuln_datasource}\n" + finding_references += ( + f"**Vulnerability Datasource:** {vuln_datasource}\n" + ) if vuln_urls: if len(vuln_urls) == 1: if vuln_urls[0] != vuln_datasource: - finding_references += f"**Vulnerability URL:** {vuln_urls[0]}\n" + finding_references += ( + f"**Vulnerability URL:** {vuln_urls[0]}\n" + ) else: finding_references += "**Vulnerability URLs:**\n" for url in vuln_urls: if url != vuln_datasource: finding_references += f"- {url}\n" if rel_datasource: - finding_references += f"**Related Vulnerability Datasource:** {rel_datasource}\n" + finding_references += ( + f"**Related Vulnerability Datasource:** {rel_datasource}\n" + ) if rel_urls: if len(rel_urls) == 1: if rel_urls[0] != vuln_datasource: - finding_references += f"**Related Vulnerability URL:** {rel_urls[0]}\n" + finding_references += ( + f"**Related Vulnerability URL:** {rel_urls[0]}\n" + ) else: finding_references += "**Related Vulnerability URLs:**\n" for url in rel_urls: @@ -209,7 +228,6 @@ def get_findings(self, file, test): dupes[dupe_key].unsaved_tags = finding_tags dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids - if settings.V3_FEATURE_LOCATIONS and artifact_purl: dupes[dupe_key].unsaved_locations.append( LocationData.dependency(purl=artifact_purl, file_path=file_path), @@ -228,8 +246,7 @@ def get_cvss(self, cvss): vector = cvss_item["vector"] cvss_objects = cvss_parser.parse_cvss_from_text(vector) if len(cvss_objects) > 0 and isinstance( - cvss_objects[0], - CVSS3, + cvss_objects[0], CVSS3, ): return vector return None @@ -259,11 +276,8 @@ def get_vulnerability_ids(self, vuln_id, related_vulnerabilities): if vuln_id: vulnerability_ids.append(vuln_id) if related_vulnerabilities: - vulnerability_ids.extend( - related_vulnerability_id - for related_vulnerability in related_vulnerabilities - if (related_vulnerability_id := related_vulnerability.get("id")) - ) + vulnerability_ids.extend(related_vulnerability_id for related_vulnerability in related_vulnerabilities + if (related_vulnerability_id := related_vulnerability.get("id"))) if vulnerability_ids: return vulnerability_ids return None diff --git a/dojo/tools/cargo_audit/parser.py b/dojo/tools/cargo_audit/parser.py index cd84b8100dc..cb7eeb97e31 100644 --- a/dojo/tools/cargo_audit/parser.py +++ b/dojo/tools/cargo_audit/parser.py @@ -80,13 +80,24 @@ def get_findings(self, filename, test): vuln_id = advisory.get("id") vulnerability_ids = [advisory.get("id")] categories = f"**Categories:** {', '.join(advisory['categories'])}" if "categories" in advisory else "" - description = categories + f"\n**Description:** `{advisory.get('description')}`" + description = ( + categories + + f"\n**Description:** `{advisory.get('description')}`" + ) - if item["affected"] is not None and "functions" in item["affected"]: + if ( + item["affected"] is not None + and "functions" in item["affected"] + ): affected_func = [ - f"{func}: {', '.join(versions)}" for func, versions in item["affected"]["functions"].items() + f'{func}: {", ".join(versions)}' + for func, versions in item["affected"][ + "functions" + ].items() ] - description += f"\n**Affected functions**: {', '.join(affected_func)}" + description += ( + f"\n**Affected functions**: {', '.join(affected_func)}" + ) references = f"{advisory.get('url')}\n" + "\n".join( advisory["references"], diff --git a/dojo/tools/dependency_check/parser.py b/dojo/tools/dependency_check/parser.py index 4c472e2f4c4..e976d0a4d96 100644 --- a/dojo/tools/dependency_check/parser.py +++ b/dojo/tools/dependency_check/parser.py @@ -87,10 +87,7 @@ def add_finding(self, finding, dupes): dupes[key] = finding def get_filename_and_path_from_dependency( - self, - dependency, - related_dependency, - namespace, + self, dependency, related_dependency, namespace, ): if related_dependency is None: return dependency.findtext( @@ -107,10 +104,7 @@ def get_filename_and_path_from_dependency( return None, None def get_component_name_and_version_from_dependency( - self, - dependency, - related_dependency, - namespace, + self, dependency, related_dependency, namespace, ): identifiers_node = dependency.find(namespace + "identifiers") if identifiers_node is not None: @@ -122,13 +116,20 @@ def get_component_name_and_version_from_dependency( purl_parts = purl.to_dict() component_name = ( purl_parts["namespace"] + ":" - if purl_parts["namespace"] and len(purl_parts["namespace"]) > 0 + if purl_parts["namespace"] + and len(purl_parts["namespace"]) > 0 + else "" + ) + component_name += ( + purl_parts["name"] + if purl_parts["name"] and len(purl_parts["name"]) > 0 else "" ) - component_name += purl_parts["name"] if purl_parts["name"] and len(purl_parts["name"]) > 0 else "" component_name = component_name or None component_version = ( - purl_parts["version"] if purl_parts["version"] and len(purl_parts["version"]) > 0 else "" + purl_parts["version"] + if purl_parts["version"] and len(purl_parts["version"]) > 0 + else "" ) return component_name, component_version, pck_id @@ -148,10 +149,20 @@ def get_component_name_and_version_from_dependency( if cpe_node: cpe_id = cpe_node.findtext(f"{namespace}name") cpe = CPE(cpe_id) - component_name = cpe.get_vendor()[0] + ":" if len(cpe.get_vendor()) > 0 else "" - component_name += cpe.get_product()[0] if len(cpe.get_product()) > 0 else "" + component_name = ( + cpe.get_vendor()[0] + ":" + if len(cpe.get_vendor()) > 0 + else "" + ) + component_name += ( + cpe.get_product()[0] if len(cpe.get_product()) > 0 else "" + ) component_name = component_name or None - component_version = cpe.get_version()[0] if len(cpe.get_version()) > 0 else None + component_version = ( + cpe.get_version()[0] + if len(cpe.get_version()) > 0 + else None + ) return component_name, component_version, None maven_node = identifiers_node.find( @@ -240,8 +251,7 @@ def get_severity_and_cvss_meta(self, vulnerability, namespace) -> dict: if severity: if severity.strip().lower() not in self.SEVERITY_MAPPING: logger.warning( - "Warning: Unknow severity value detected '%s'. Bypass to 'Medium' value", - severity, + "Warning: Unknow severity value detected '%s'. Bypass to 'Medium' value", severity, ) severity = "Medium" else: @@ -256,20 +266,13 @@ def get_severity_and_cvss_meta(self, vulnerability, namespace) -> dict: } def get_finding_from_vulnerability( - self, - dependency, - related_dependency, - vulnerability, - test, - namespace, + self, dependency, related_dependency, vulnerability, test, namespace, ): ( dependency_filename, dependency_filepath, ) = self.get_filename_and_path_from_dependency( - dependency, - related_dependency, - namespace, + dependency, related_dependency, namespace, ) # logger.debug('dependency_filename: %s', dependency_filename) @@ -315,17 +318,13 @@ def get_finding_from_vulnerability( component_version, component_purl, ) = self.get_component_name_and_version_from_dependency( - dependency, - related_dependency, - namespace, + dependency, related_dependency, namespace, ) stripped_name = name # startswith CVE-XXX-YYY stripped_name = re.sub( - r"^CVE-\d{4}-\d{4,7}", - "", - stripped_name, + r"^CVE-\d{4}-\d{4,7}", "", stripped_name, ).strip() # startswith CWE-XXX: stripped_name = re.sub(r"^CWE-\d+\:", "", stripped_name).strip() @@ -334,8 +333,7 @@ def get_finding_from_vulnerability( if component_name is None: logger.warning( - "component_name was None for File: %s, using dependency file name instead.", - dependency_filename, + "component_name was None for File: %s, using dependency file name instead.", dependency_filename, ) component_name = dependency_filename @@ -354,9 +352,15 @@ def get_finding_from_vulnerability( ref_url = reference_node.findtext(f"{namespace}url") ref_name = reference_node.findtext(f"{namespace}name") if ref_url == ref_name: - reference_detail += f"**Source:** {ref_source}\n**URL:** {ref_url}\n\n" + reference_detail += ( + f"**Source:** {ref_source}\n**URL:** {ref_url}\n\n" + ) else: - reference_detail += f"**Source:** {ref_source}\n**URL:** {ref_url}\n**Name:** {ref_name}\n\n" + reference_detail += ( + f"**Source:** {ref_source}\n" + f"**URL:** {ref_url}\n" + f"**Name:** {ref_name}\n\n" + ) if related_dependency is not None: tags.append("related") @@ -366,18 +370,14 @@ def get_finding_from_vulnerability( notes = "Document on why we are suppressing this vulnerability is missing!" tags.append("no_suppression_document") mitigation = f"**This vulnerability is mitigated and/or suppressed:** {notes}\n" - mitigation += ( - f"Update {component_name}:{component_version} to at least the version recommended in the description" - ) + mitigation += f"Update {component_name}:{component_version} to at least the version recommended in the description" mitigated = datetime.datetime.now(datetime.UTC) is_Mitigated = True active = False tags.append("suppressed") else: - mitigation = ( - f"Update {component_name}:{component_version} to at least the version recommended in the description" - ) + mitigation = f"Update {component_name}:{component_version} to at least the version recommended in the description" description += "\n**Filepath:** " + str(dependency_filepath) active = True @@ -467,15 +467,19 @@ def get_findings(self, filename, test): namespace + "relatedDependencies", ) if relatedDependencies is not None: - for relatedDependency in relatedDependencies.findall( + for ( + relatedDependency + ) in relatedDependencies.findall( namespace + "relatedDependency", ): - finding = self.get_finding_from_vulnerability( - dependency, - relatedDependency, - vulnerability, - test, - namespace, + finding = ( + self.get_finding_from_vulnerability( + dependency, + relatedDependency, + vulnerability, + test, + namespace, + ) ) if finding: # could be None if scan_date: @@ -499,9 +503,7 @@ def get_findings(self, filename, test): elif settings.V3_FEATURE_LOCATIONS: # Collect product-level dependency locations _, _, component_purl = self.get_component_name_and_version_from_dependency( - dependency, - None, - namespace, + dependency, None, namespace, ) if component_purl: test.unsaved_metadata.append( diff --git a/dojo/tools/jfrog_xray_unified/parser.py b/dojo/tools/jfrog_xray_unified/parser.py index 9235d0e20b1..f391e3b001c 100644 --- a/dojo/tools/jfrog_xray_unified/parser.py +++ b/dojo/tools/jfrog_xray_unified/parser.py @@ -49,7 +49,9 @@ def get_item(vulnerability, test): # not all cves have cvssv3 scores, so skip these. If no v3 scores, # we'll default to index 0 if "cvss_v3_score" in vulnerability["cves"][thisCveIndex]: - thisCvssV3Score = vulnerability["cves"][thisCveIndex]["cvss_v3_score"] + thisCvssV3Score = vulnerability["cves"][thisCveIndex][ + "cvss_v3_score" + ] if thisCvssV3Score > highestCvssV3Score: highestCvssV3Index = thisCveIndex highestCvssV3Score = thisCvssV3Score @@ -82,13 +84,23 @@ def get_item(vulnerability, test): cvss_v2 = worstCve["cvss_v2_vector"] fix_available = False - if "fixed_versions" in vulnerability and len(vulnerability["fixed_versions"]) > 0: + if ( + "fixed_versions" in vulnerability + and len(vulnerability["fixed_versions"]) > 0 + ): mitigation = "Versions containing a fix:\n" mitigation += "\n".join(vulnerability["fixed_versions"]) fix_available = True - if "external_advisory_source" in vulnerability and "external_advisory_severity" in vulnerability: - extra_desc = vulnerability["external_advisory_source"] + ": " + vulnerability["external_advisory_severity"] + if ( + "external_advisory_source" in vulnerability + and "external_advisory_severity" in vulnerability + ): + extra_desc = ( + vulnerability["external_advisory_source"] + + ": " + + vulnerability["external_advisory_severity"] + ) if vulnerability["issue_id"]: title = vulnerability["issue_id"] + " - " + vulnerability["summary"] @@ -96,15 +108,10 @@ def get_item(vulnerability, test): title = vulnerability["summary"] references_str = vulnerability.get("references") - references = ( - "\n".join(references_str) - if isinstance(references_str, list) - else (references_str if isinstance(references_str, str) else "") - ) + references = "\n".join(references_str) if isinstance(references_str, list) else (references_str if isinstance(references_str, str) else "") scan_time = datetime.strptime( - vulnerability["artifact_scan_time"], - "%Y-%m-%dT%H:%M:%S%z", + vulnerability["artifact_scan_time"], "%Y-%m-%dT%H:%M:%S%z", ) # component has several parts separated by colons. Last part is the @@ -125,7 +132,9 @@ def get_item(vulnerability, test): title=title, test=test, severity=severity, - description=(vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc).strip(), + description=( + vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc + ).strip(), mitigation=mitigation, component_name=component_name, component_version=component_version, @@ -153,9 +162,7 @@ def get_item(vulnerability, test): if settings.V3_FEATURE_LOCATIONS and package_type and component_name: purl_type = package_type.lower() finding.unsaved_locations.append( - LocationData.dependency( - purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"], - ), + LocationData.dependency(purl_type=purl_type, name=component_name, version=component_version, file_path=vulnerability["path"]), ) return finding diff --git a/dojo/tools/threat_composer/parser.py b/dojo/tools/threat_composer/parser.py index e7e95b6ca77..4e347ae82e7 100644 --- a/dojo/tools/threat_composer/parser.py +++ b/dojo/tools/threat_composer/parser.py @@ -66,6 +66,7 @@ def get_findings(self, file, test): mitigation_links[linked_id].append(mitigations[mitigation_id]) for threat in data["threats"]: + if "threatAction" in threat: title = threat["threatAction"] severity, impact, comments = self.parse_threat_metadata(threat.get("metadata", [])) From d80353b35319148fd8845b35a0094f87aa8ef0d7 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 6 Apr 2026 18:16:02 +0000 Subject: [PATCH 007/173] Update versions in application files --- components/package.json | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/package.json b/components/package.json index 97246b1477c..9abaf4184c6 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.57.0", + "version": "2.58.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 34a1621df2d..2aa2d56cd3e 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.57.0" +appVersion: "2.58.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.21 +version: 1.9.22-dev icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "false" - artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.57.0\n" + artifacthub.io/prerelease: "true" + artifacthub.io/changes: "" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 071f90bcbf3..519decabd6a 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.21](https://img.shields.io/badge/Version-1.9.21-informational?style=flat-square) ![AppVersion: 2.57.0](https://img.shields.io/badge/AppVersion-2.57.0-informational?style=flat-square) +![Version: 1.9.22-dev](https://img.shields.io/badge/Version-1.9.22--dev-informational?style=flat-square) ![AppVersion: 2.58.0-dev](https://img.shields.io/badge/AppVersion-2.58.0--dev-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo From 7424cc0ba72489f6632d293f6b64e26b782480c8 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:00:07 -0400 Subject: [PATCH 008/173] update SAML for cloud vs on-prem --- docs/content/admin/sso/PRO__saml.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/content/admin/sso/PRO__saml.md b/docs/content/admin/sso/PRO__saml.md index 8c84a77f847..80c7952a732 100644 --- a/docs/content/admin/sso/PRO__saml.md +++ b/docs/content/admin/sso/PRO__saml.md @@ -45,6 +45,20 @@ If no group with a matching name exists, DefectDojo will automatically create on To activate group mapping, check the **Enable Group Mapping** checkbox at the bottom of the form. +## Cloud vs On-Premise Differences + +DefectDojo Cloud does not have the same level of SAML customization as DefectDojo On-Prem. The only variables that can be set are through the UI. Here are some of the key differences: + +| Capability | Cloud | On-Premise | +|---|---|---| +| **Username matching** | NameID only | NameID only (the `SAML_USE_NAME_ID_AS_USERNAME` env var applies to Open Source only, not Pro) | +| **SAML assertion encryption** | Not currently supported | Not currently supported | +| **SAML login logs** | Not available in the UI. Contact Support to request logs. | Available via application container logs (`docker logs dojo`) | +| **Configuration method** | Enterprise Settings UI only | Enterprise Settings UI, Django Admin, or Django Shell | +| **Environment variables** | Cannot be set by customers directly. Contact Support for changes. | Can be set via `dojo-compose-cli environment add` | + +If you need to match users on an attribute other than NameID (such as `uid` or `email`), configure your Identity Provider to send the desired value as the NameID rather than adjusting DefectDojo settings. + ## Additional Options * **Create Unknown User** — automatically create a new DefectDojo user if they are not found in the SAML response. From 5e8b6957de66652409220efd3617be6d233c5869 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:02:45 -0400 Subject: [PATCH 009/173] add guidance on enabling hierarchy feature for cloud customers --- .../hierarchy/PRO__assets_organizations.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/content/asset_modelling/hierarchy/PRO__assets_organizations.md b/docs/content/asset_modelling/hierarchy/PRO__assets_organizations.md index c1588159dce..bffdd35984c 100644 --- a/docs/content/asset_modelling/hierarchy/PRO__assets_organizations.md +++ b/docs/content/asset_modelling/hierarchy/PRO__assets_organizations.md @@ -8,7 +8,24 @@ aliases: --- DefectDojo Pro is extending the Product/Product Type object classes to provide greater flexibility with the data model. -Currently, this feature is in Beta. Pro users who are interested in opting in can do so by emailing [support@defectdojo.com](mailto:support@defectdojo.com). +Currently, this feature is in Beta. + +## Enabling the Hierarchy Feature + +Hierarchy features ship with new versions of DefectDojo Pro by default, but existing customers who wish to migrate these features can do so using the following methods + +### Cloud Customers + +The hierarchy feature and label changes must be enabled by DefectDojo Support. Email [support@defectdojo.com](mailto:support@defectdojo.com) with your instance URL and request: + +1. **Asset Hierarchy** — enables parent/child relationships between Assets. Once enabled, the hierarchy can be viewed and managed from the **Product** tab in the navigation. +2. **Label Changes** (optional) — renames "Product Type" to "Organization" and "Product" to "Asset" throughout the UI. This is a separate step from enabling the hierarchy and can be requested at the same time or later. + +Note that label changes are cosmetic only: API endpoints and field names remain unchanged, so existing automation will continue to work. + +### On-Premise Customers + + Contact Support for guidance on enabling these features via your instance configuration. ## Significant Changes From e239ba01b661219584eaf2dba3f89b72ed8e894c Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:05:45 -0400 Subject: [PATCH 010/173] add best practices for API import, pagination, asyc deletion --- docs/content/automation/api/api-v2-docs.md | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/content/automation/api/api-v2-docs.md b/docs/content/automation/api/api-v2-docs.md index 1d55a413a7b..b88e744a0cd 100644 --- a/docs/content/automation/api/api-v2-docs.md +++ b/docs/content/automation/api/api-v2-docs.md @@ -264,6 +264,34 @@ A classic way of reimporting a scan is by specifying the ID of the test instead: } ``` +## Asynchronous Deletion Behavior + +Deletions in DefectDojo (via both the API and UI) are processed **asynchronously** by Celery background workers. When you delete an Engagement, Test, or other object, the API or UI returns a success response immediately, but the actual deletion runs in the background. + +This means: +- Objects may still appear in queries for a period of time after deletion is confirmed. +- Cascade deletions (e.g., deleting an Engagement also deletes its Tests and Findings) are processed as a chain of background tasks. Child objects are removed in dependency order: Findings, then Tests, then Engagements. +- For large Engagements with many Findings, this process can take several minutes to complete. + +There is no need to build custom scripts to delete objects in dependency order. A single `DELETE` request on an Engagement will cascade to all child objects automatically. Simply allow time for the background tasks to complete. + +## API Pagination Limits + +DefectDojo Pro enforces a maximum page size of **250** results per API request. Setting `limit` higher than 250 may result in HTTP 502 errors due to query timeouts. + +Open Source DefectDojo instances may also experience timeouts with very large page sizes depending on dataset size and server resources. + +For large result sets, use pagination with a page size of 50-250 and add short delays between paginated requests to avoid saturating the worker pool. + +## Large-Scale Import Best Practices + +When importing scan results at scale (e.g., SBOM pipelines with thousands of components), consider the following: + +- **Use `background_import=true`** for large payloads. Synchronous imports tie up a uwsgi worker for the duration of the import, which can degrade performance for all users. +- **Target payload sizes under 1 MB per import** where possible. Split large SBOMs into smaller files per product or component group. +- **Add delays between consecutive API calls** to avoid worker pool exhaustion, which causes HTTP 502 errors. +- **Use Reimport** (`/api/v2/reimport-scan/`) for recurring scans to update existing findings rather than creating duplicates. + ## Using the Scan Completion Date (API: `scan_date`) field DefectDojo offers a plethora of supported scanner reports, but not all of them contain the From 4499ba78fa096f69883041d631d67412524e3cd8 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:06:52 -0400 Subject: [PATCH 011/173] add jira service account note --- docs/content/issue_tracking/jira/troubleshooting_jira.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/issue_tracking/jira/troubleshooting_jira.md b/docs/content/issue_tracking/jira/troubleshooting_jira.md index 552c70f9eed..5d68776e48a 100644 --- a/docs/content/issue_tracking/jira/troubleshooting_jira.md +++ b/docs/content/issue_tracking/jira/troubleshooting_jira.md @@ -55,6 +55,12 @@ For example: curl -H "Authorization: Bearer ATATT1234567890abcdefghijklmnopqrstuvwxyz" https://.atlassian.net/rest/api/latest/issue//transitions?expand=transitions.fields ``` +## Jira Service Accounts Are Not Supported + +Jira Cloud Service Accounts (created via Atlassian's admin console) use a different API host than standard user accounts and are **not currently supported** by DefectDojo's Jira integration. Attempting to use a Service Account API token or OAuth 2.0 credentials from a Service Account will result in HTTP 403 errors. + +To set up the Jira integration, create a standard Jira user account (with a valid email address) and generate an API token from that account. If you want to clearly identify issues created by DefectDojo, create a dedicated user named something like "DefectDojo" and use its API token for the integration. + ## I can't find an Epic Name ID for my Space Certain Spaces in Jira, such as Team-Managed Spaces, do not use Epics and therefore will not have an Epic Name ID. In this case, set Epic Name ID to 0 in DefectDojo. From 040e98869909a3c5f02554382599955dc71a9592 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:11:15 -0400 Subject: [PATCH 012/173] add beta notice, links to integrators docs --- docs/content/issue_tracking/intro/intro.md | 4 ++-- docs/content/issue_tracking/pro_integration/integrations.md | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/issue_tracking/intro/intro.md b/docs/content/issue_tracking/intro/intro.md index f307850524d..1fbfc616137 100644 --- a/docs/content/issue_tracking/intro/intro.md +++ b/docs/content/issue_tracking/intro/intro.md @@ -10,8 +10,8 @@ The DefectDojo issue tracking integrations connect your vulnerability management | Edition | Supported Issue Tracking Integrations | |--------------|---------------------------------------| -| Community Edition | * Jira | -| Pro | * Jira
* Azure DevOps
* GitHub
* GitLab Boards
* ServiceNow | +| Community Edition | * [Jira](/issue_tracking/jira/os__jira_guide/) | +| Pro | * [Jira](/issue_tracking/jira/pro__jira_guide/)
* [Azure DevOps](/issue_tracking/pro_integration/integrations_toolreference/#azure-devops-boards)
* [GitHub](/issue_tracking/pro_integration/integrations_toolreference/#github)
* [GitLab Boards](/issue_tracking/pro_integration/integrations_toolreference/#gitlab)
* [ServiceNow](/issue_tracking/pro_integration/integrations_toolreference/#servicenow) | When enabled, DefectDojo can create issues automatically, or selectively from Products or Engagement. As Findings are updated in DefectDojo—resolved, mitigated, or reactivated—the corresponding issues can be kept in sync, ensuring both systems reflect the current state of risk. diff --git a/docs/content/issue_tracking/pro_integration/integrations.md b/docs/content/issue_tracking/pro_integration/integrations.md index a52b35848fb..4be4e89b1e5 100644 --- a/docs/content/issue_tracking/pro_integration/integrations.md +++ b/docs/content/issue_tracking/pro_integration/integrations.md @@ -5,6 +5,8 @@ audience: pro aliases: - /en/share_your_findings/integrations --- +**Availability:** Integrations is currently in **Beta** and is only available for **Cloud-hosted** DefectDojo Pro instances. On-premise deployments do not yet have the required infrastructure to support Integrations. If you are an on-premise customer interested in this feature, please contact [support@defectdojo.com](mailto:support@defectdojo.com) for updates on availability. + DefectDojo Pro's Integrations let you push your Findings and Finding Groups to ticket tracking systems to easily integrate security remediation with your teams existing development workflow. Supported Integrations: From ce43605ecbf6b75335dc13f8194debb8250c01af Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Tue, 7 Apr 2026 16:13:37 -0400 Subject: [PATCH 013/173] update sonarqube docs --- .../supported_tools/parsers/api/sonarqube.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/content/supported_tools/parsers/api/sonarqube.md b/docs/content/supported_tools/parsers/api/sonarqube.md index c6299ad9f18..2d0117ea6f1 100644 --- a/docs/content/supported_tools/parsers/api/sonarqube.md +++ b/docs/content/supported_tools/parsers/api/sonarqube.md @@ -31,6 +31,23 @@ In `Add API Scan Configuration` - If using SonarCloud, the organization ID can be used from step 1, but it can be overridden by supplying a different organization ID in the `Service key 2` input field. +## Disabling Hotspot Imports + +By default, the SonarQube API Import includes both security issues and security hotspots. To import only security issues and exclude hotspots, set the following environment variable on your DefectDojo instance: + +``` +DD_SONARQUBE_API_PARSER_HOTSPOTS=False +``` + +For on-premise installations using the dojo-compose-cli: + +```bash +dojo-compose-cli environment add --key DD_SONARQUBE_API_PARSER_HOTSPOTS --value "False" +dojo-compose-cli app stop && dojo-compose-cli app start +``` + +Note that this setting is instance-wide and affects all SonarQube API imports. There is currently no per-tool-configuration or per-import toggle for hotspots. If you need hotspots for some projects but not others, you will need to build a custom middleware to filter results before importing. + ## Multiple SonarQube API Configurations In the import or re-import dialog, you can select which `API Scan From 1d791255d9ec8202b0590bc66f60a7b1f8dfdebd Mon Sep 17 00:00:00 2001 From: valentijnscholten Date: Wed, 8 Apr 2026 03:45:40 +0200 Subject: [PATCH 014/173] watson middleware: handle SuspiciousOperationException (#14650) --- dojo/tasks.py | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/dojo/tasks.py b/dojo/tasks.py index f09f8c783f6..5a494072a8b 100644 --- a/dojo/tasks.py +++ b/dojo/tasks.py @@ -6,6 +6,7 @@ from celery.utils.log import get_task_logger from django.apps import apps from django.conf import settings +from django.core.exceptions import SuspiciousOperation from django.core.management import call_command from django.db.models import Count, Prefetch from django.urls import reverse @@ -293,7 +294,37 @@ def update_watson_search_index_for_model(model_name, pk_list, *args, **kwargs): continue # Let watson handle the bulk indexing - context_manager.end() + try: + context_manager.end() + except SuspiciousOperation: + # Some finding content (e.g. a very long tag-like string) triggered + # Django's strip_tags SuspiciousOperation guard. Fall back to + # per-instance indexing so we can skip the offending object(s) + # instead of silently dropping the entire batch. + # https://www.djangoproject.com/weblog/2025/may/07/security-releases/ + # https://github.com/DefectDojo/django-DefectDojo/issues/14649 + logger.warning( + f"Batch watson index update for {model_name} hit SuspiciousOperation; " + "falling back to per-instance indexing", + ) + instances_added = 0 + instances_skipped = 0 + for instance in instances: + single_ctx = SearchContextManager() + single_ctx.start() + try: + single_ctx.add_to_context(engine, instance) + single_ctx.end() + instances_added += 1 + except SuspiciousOperation: + logger.warning( + f"Skipping watson index update for {model_name}:{instance.pk} " + "— content triggered SuspiciousOperation in strip_tags", + ) + instances_skipped += 1 + except Exception as e: + logger.warning(f"Skipping watson index update for {model_name}:{instance.pk} - {e}") + instances_skipped += 1 logger.debug(f"Completed async watson index update: {instances_added} updated, {instances_skipped} skipped") From aa6dcb9ee067d4f8d7db3c03ddbfba67bda0c988 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Wed, 8 Apr 2026 12:21:46 -0400 Subject: [PATCH 015/173] update changelog --- docs/content/releases/pro/changelog.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/docs/content/releases/pro/changelog.md b/docs/content/releases/pro/changelog.md index 4caa1e784f5..2d4cfcf1a8b 100644 --- a/docs/content/releases/pro/changelog.md +++ b/docs/content/releases/pro/changelog.md @@ -10,6 +10,20 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/releases/os_upgrading/upgrading_guide/). +## Apr 2026: v2.57 + +### Apr 7, 2026: v2.57.0 + +* **(Custom Enrichment)** On-prem administrators can now configure custom URLs for EPSS and KEV enrichment data sources under **Settings → Finding Enrichment Settings**. Each source (EPSS scores and CISA Known Exploited Vulnerabilities) can be independently enabled and pointed to an internal mirror or proxy. A **Test Configuration** button validates connectivity before saving. Findings with CVE IDs are automatically enriched with EPSS score/percentile and KEV status during enrichment runs. +* **(Performance)** Optimized API response times across all endpoints with selective field loading and conditional prefetches. +* **(Performance)** Improved Dashboard load times by eliminating redundant authorization queries and caching license lookups. +* **(Performance)** Improved deduplication performance by batching duplicate marking and deferring large text fields. +* **(Performance)** Improved false-positive history processing performance during async imports by using batch operations. +* **(Pro UI)** Asset hierarchy filter dropdowns now only show relevant options (e.g., Parent filter shows only assets that have children). +* **(Security)** Hardened container configurations for improved runtime security. +* **(Universal Parser)** Added a list view and field mappings modal to the Pro UI for managing Universal Parser configurations. +* **(Universal Parser)** Added support for 7 new fields: `file_path`, `component_name`, `component_version`, `line`, `steps_to_reproduce`, `severity_justification`, and CVSSv4 vectors. + ## Mar 2026: v2.56 ### Mar 30, 2026: v2.56.4 @@ -107,23 +121,23 @@ No significant UX changes. ## Dec 2025: v2.53 -### Dec 29, 2025: v2.53.5 +#### Dec 29, 2025: v2.53.5 * **(Pro UI)** Added Finding count columns to Engagement table. * **(Pro UI)** Enter/Return no longer automatically submits forms. -### Dec 22, 2025: v2.53.4 +#### Dec 22, 2025: v2.53.4 * **(Pro UI)** Asset Hierarchy now uses separate tabs for Asset selection and for the rendered Asset tree: ![image](images/asset-hierarchy-2.53.4.png) -### Dec 15, 2025: v2.53.3 +#### Dec 15, 2025: v2.53.3 *DefectDojo v2.53.2 does not have a corresponding Pro release.* * **(Connectors)** Support for private CA certificates has been added to Connectors to assist with connectivity. -### Dec 8, 2025: v2.53.1 +#### Dec 8, 2025: v2.53.1 * **(Assets/Organizations)** Introduced overhaul to Products/Product Types, added the ability to create and diagram relationships between Assets. See [Assets/Organizations documentation](/asset_modelling/hierarchy/pro__assets_organizations/) for details, and information on opting in to the Beta. * **(Findings)** Added new KEV fields for ransomware, exploits, and date handling. @@ -131,7 +145,7 @@ No significant UX changes. ![image](images/pro_tablepreferences.png) -### Dec 1, 2025: v2.53.0 +#### Dec 1, 2025: v2.53.0 * **(Pro UI)** Added Asset Hierarchy. * **(Priority)** Priority and Risk can now be overridden manually, or through Rules Engine. From 5c47b148b5c2322e72d66dd57999f59c731631e1 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Wed, 8 Apr 2026 14:14:45 -0400 Subject: [PATCH 016/173] add unit test --- unittests/test_pdf_report_rendering.py | 223 +++++++++++++++++++++++++ 1 file changed, 223 insertions(+) create mode 100644 unittests/test_pdf_report_rendering.py diff --git a/unittests/test_pdf_report_rendering.py b/unittests/test_pdf_report_rendering.py new file mode 100644 index 00000000000..283fd4f6272 --- /dev/null +++ b/unittests/test_pdf_report_rendering.py @@ -0,0 +1,223 @@ +from django.template import engines +from django.utils.timezone import now + +from dojo.models import ( + Engagement, + Finding, + Product, + Product_Type, + Test, + Test_Type, + User, +) +from unittests.dojo_test_case import DojoTestCase + + +class TestPdfReportTextWrapping(DojoTestCase): + + """ + Tests that PDF report templates render long and pre-wrapped content + within margins instead of overflowing. + """ + + fixtures = ["dojo_testdata.json"] + + LONG_URL = "https://app.example.com/assets/vendor-" + "a1b2c3d4" * 8 + ".js.map" + + # Content with an embedded
 tag, simulating imports (e.g. BugCrowd CSV)
+    # that store HTML-wrapped text in finding fields.
+    DESCRIPTION_WITH_PRE = (
+        "
\n"
+        "An internal debug configuration file (debug-config-e7f3a901.json) is publicly "
+        "accessible at the URL: " + LONG_URL + ". "
+        "Debug configuration files can reveal internal service addresses, feature flags, "
+        "and environment variables. Exposing such files can leak sensitive information "
+        "about the application infrastructure, aiding attackers in lateral movement and "
+        "facilitating exploitation of internal services.\n"
+        "
" + ) + + MITIGATION_WITH_PRE = ( + '
\n'
+        "Remove Debug Files From Public Directories: Ensure .json debug configuration "
+        "files are not deployed to publicly accessible paths on the web server.\n"
+        "Restrict Access: If debug configurations are required in staging environments, "
+        "restrict access to authenticated admin users only via IP whitelisting.\n"
+        "Environment-Specific Builds: Use separate build profiles for development and "
+        "production to ensure debug artifacts are excluded from release bundles.\n"
+        "Audit Build Artifacts: Regularly scan deployment artifacts for unintended "
+        "inclusion of debug or configuration files.\n"
+        "
" + ) + + IMPACT_WITH_PRE = ( + '
\n'
+        "Information Disclosure: Attackers can discover internal microservice endpoints, "
+        "feature flag states, and environment-specific configuration values.\n"
+        "Lateral Movement: Revealed internal addresses may allow attackers to probe "
+        "backend services that are not intended to be publicly reachable.\n"
+        "Credential Exposure: If the debug configuration includes API keys or tokens "
+        "left by developers, this could lead to unauthorized access.\n"
+        "
" + ) + + STEPS_WITH_PRE = ( + '
\n'
+        "Open a web browser.\n"
+        "Navigate to the URL: " + LONG_URL + ".\n"
+        "Observe that the configuration file is accessible and can be downloaded.\n"
+        "Review the file contents for internal service addresses and environment variables.\n"
+        "
" + ) + + # Plain markdown content (no embedded
 tags) with a very long unbroken token
+    DESCRIPTION_LONG_TOKEN = (
+        "A session token was observed in the query string: "
+        "token=" + "x" * 300 + " "
+        "which exceeds normal length and may cause rendering issues in reports."
+    )
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.get(username="admin")
+        self.product_type = Product_Type.objects.create(name="Report Test PT")
+        self.product = Product.objects.create(
+            name="Report Test Product",
+            description="Product for report tests",
+            prod_type=self.product_type,
+        )
+        self.engagement = Engagement.objects.create(
+            name="Report Test Engagement",
+            product=self.product,
+            target_start=now(),
+            target_end=now(),
+        )
+        self.test_type = Test_Type.objects.create(name="Report Test Scan")
+        self.test_obj = Test.objects.create(
+            engagement=self.engagement,
+            test_type=self.test_type,
+            title="Report Rendering Test",
+            target_start=now(),
+            target_end=now(),
+        )
+        self.django_engine = engines["django"]
+
+    def _create_finding(self, **kwargs):
+        defaults = {
+            "title": "Debug Configuration File Exposed",
+            "test": self.test_obj,
+            "severity": "Medium",
+            "description": self.DESCRIPTION_WITH_PRE,
+            "mitigation": self.MITIGATION_WITH_PRE,
+            "impact": self.IMPACT_WITH_PRE,
+            "steps_to_reproduce": self.STEPS_WITH_PRE,
+            "active": True,
+            "verified": True,
+            "reporter": self.user,
+            "numerical_severity": "S2",
+            "date": now().date(),
+        }
+        defaults.update(kwargs)
+        return Finding.objects.create(**defaults)
+
+    def _render_finding_report(self, findings):
+        """Render finding_pdf_report.html with the given findings and return HTML."""
+        template = self.django_engine.get_template("dojo/finding_pdf_report.html")
+        context = {
+            "report_name": "Finding Report",
+            "findings": findings,
+            "include_finding_notes": 0,
+            "include_finding_images": 0,
+            "include_executive_summary": 0,
+            "include_table_of_contents": 0,
+            "include_disclaimer": 0,
+            "disclaimer": "",
+            "user": self.user,
+            "team_name": "Test Team",
+            "title": "Finding Report",
+            "host": "http://localhost:8080",
+            "user_id": self.user.id,
+        }
+        return template.render(context)
+
+    def test_no_nested_pre_tags_in_report(self):
+        """
+        Markdown-rendered fields should not produce nested 
 elements.
+
+        When imported data already contains 
 tags (common with BugCrowd CSV
+        imports), the template wrapper must not add an additional 
 layer.
+        The outer wrapper should be a 
. + """ + finding = self._create_finding() + html = self._render_finding_report(Finding.objects.filter(pk=finding.pk)) + + # The template should wrap markdown-rendered fields in div.report-field, + # not in
 tags. We should not see 
 nesting.
+        self.assertNotIn("
", html)
+        self.assertNotIn("
+        # Find the section containing our long token
+        idx = html.index("x" * 300)
+        # Walk backwards to find the nearest opening tag
+        preceding = html[max(0, idx - 500):idx]
+        self.assertIn("report-field", preceding)
+
+    def test_report_base_css_has_overflow_wrap(self):
+        """The report base template must include overflow-wrap for text wrapping."""
+        template = self.django_engine.get_template("report_base.html")
+        # Render with minimal context to get the CSS
+        html = template.render({"report_name": "Test"})
+
+        self.assertIn("overflow-wrap: break-word", html)
+
+    def test_report_base_css_styles_nested_pre(self):
+        """
+        The report base CSS must style .report-field pre to prevent
+        nested 
 elements from breaking out of margins.
+        """
+        template = self.django_engine.get_template("report_base.html")
+        html = template.render({"report_name": "Test"})
+
+        self.assertIn(".report-field pre", html)
+        self.assertIn("overflow-wrap: break-word", html)
+
+    def test_raw_request_pre_tags_preserved(self):
+        """
+        Raw request/response 
 tags should remain unchanged.
+
+        Only markdown-rendered fields should use div.report-field wrappers.
+        The raw_request class pre tags are for literal request/response data
+        and should stay as 
.
+        """
+        template = self.django_engine.get_template("dojo/finding_pdf_report.html")
+        source = template.template.source
+        self.assertIn('class="raw_request"', source)
+        # raw_request should still be inside 
 tags
+        self.assertIn('
', source)

From 21aab026fa10e422d370f208b3c5db7130b71760 Mon Sep 17 00:00:00 2001
From: Paul Osinski 
Date: Wed, 8 Apr 2026 14:12:54 -0400
Subject: [PATCH 017/173] replace 
 wrappers and update CSS on reports

---
 dojo/templates/dojo/endpoint_pdf_report.html   | 14 +++++++-------
 dojo/templates/dojo/engagement_pdf_report.html | 14 +++++++-------
 dojo/templates/dojo/finding_pdf_report.html    | 14 +++++++-------
 .../dojo/product_endpoint_pdf_report.html      | 14 +++++++-------
 dojo/templates/dojo/product_pdf_report.html    | 14 +++++++-------
 .../dojo/product_type_pdf_report.html          | 14 +++++++-------
 dojo/templates/dojo/test_pdf_report.html       | 14 +++++++-------
 dojo/templates/report_base.html                | 18 ++++++++++++++++++
 8 files changed, 67 insertions(+), 49 deletions(-)

diff --git a/dojo/templates/dojo/endpoint_pdf_report.html b/dojo/templates/dojo/endpoint_pdf_report.html
index ef187bb1b76..b6e6ded2948 100644
--- a/dojo/templates/dojo/endpoint_pdf_report.html
+++ b/dojo/templates/dojo/endpoint_pdf_report.html
@@ -178,15 +178,15 @@ 
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -203,22 +203,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/engagement_pdf_report.html b/dojo/templates/dojo/engagement_pdf_report.html index bb10597d7e9..f574a195cac 100644 --- a/dojo/templates/dojo/engagement_pdf_report.html +++ b/dojo/templates/dojo/engagement_pdf_report.html @@ -313,15 +313,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -338,22 +338,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/finding_pdf_report.html b/dojo/templates/dojo/finding_pdf_report.html index a40739d041b..e82dcb82a3d 100644 --- a/dojo/templates/dojo/finding_pdf_report.html +++ b/dojo/templates/dojo/finding_pdf_report.html @@ -157,15 +157,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -182,22 +182,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/product_endpoint_pdf_report.html b/dojo/templates/dojo/product_endpoint_pdf_report.html index f7de27fe7a3..6da95cd5bbd 100644 --- a/dojo/templates/dojo/product_endpoint_pdf_report.html +++ b/dojo/templates/dojo/product_endpoint_pdf_report.html @@ -227,15 +227,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -252,22 +252,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/product_pdf_report.html b/dojo/templates/dojo/product_pdf_report.html index 9768c006888..df1cf7b1b26 100644 --- a/dojo/templates/dojo/product_pdf_report.html +++ b/dojo/templates/dojo/product_pdf_report.html @@ -283,15 +283,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -308,22 +308,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/product_type_pdf_report.html b/dojo/templates/dojo/product_type_pdf_report.html index 483d024edc7..0a623ee3637 100644 --- a/dojo/templates/dojo/product_type_pdf_report.html +++ b/dojo/templates/dojo/product_type_pdf_report.html @@ -212,15 +212,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -237,22 +237,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/dojo/test_pdf_report.html b/dojo/templates/dojo/test_pdf_report.html index 17af82137bc..986ec8fccaa 100644 --- a/dojo/templates/dojo/test_pdf_report.html +++ b/dojo/templates/dojo/test_pdf_report.html @@ -325,15 +325,15 @@
{% if finding.cvssv3 %}
CVSS v3
-
{{ finding.cvssv3|markdown_render }}
+
{{ finding.cvssv3|markdown_render }}
{% endif %}
Description
-
{{ finding.description|markdown_render }}
+
{{ finding.description|markdown_render }}
{% if finding.mitigation %}
Mitigation
-
{{ finding.mitigation|markdown_render }}
+
{{ finding.mitigation|markdown_render }}
{% endif %} {% if finding.get_report_requests %} @@ -350,22 +350,22 @@
Response {{forloop.counter}}
{% if finding.impact %}
Impact
-
{{ finding.impact|markdown_render }}
+
{{ finding.impact|markdown_render }}
{% endif %} {% if finding.steps_to_reproduce %}
Steps to Reproduce
-
{{ finding.steps_to_reproduce|markdown_render }}
+
{{ finding.steps_to_reproduce|markdown_render }}
{% endif %} {% if finding.severity_justification %}
Severity Justification
-
{{ finding.severity_justification|markdown_render }}
+
{{ finding.severity_justification|markdown_render }}
{% endif %} {% if finding.references %}
References
-
{{ finding.references|markdown_render }}
+
{{ finding.references|markdown_render }}
{% endif %} {% if include_finding_images %} diff --git a/dojo/templates/report_base.html b/dojo/templates/report_base.html index a27264a0038..a3328eaadba 100644 --- a/dojo/templates/report_base.html +++ b/dojo/templates/report_base.html @@ -134,6 +134,24 @@ padding: 0 !important; overflow: visible !important; word-break: normal !important; + overflow-wrap: break-word !important; + } + + .report-field { + margin-bottom: 15px !important; + overflow-wrap: break-word !important; + word-break: normal !important; + } + + .report-field pre { + white-space: pre-wrap !important; + padding: 0 !important; + border: 0 !important; + background-color: transparent !important; + overflow: visible !important; + overflow-wrap: break-word !important; + word-break: normal !important; + margin: 0 !important; } ul{ From 70d785c3b9ab24b869e13467753e17019eba4e83 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 9 Apr 2026 08:57:03 +0200 Subject: [PATCH 018/173] :bug: fix govulncheck ndjson ouput #14642 --- dojo/tools/govulncheck/parser.py | 22 +- unittests/scans/govulncheck/issue_14642.json | 23329 +++++++++++++++++ unittests/tools/test_govulncheck_parser.py | 6 + 3 files changed, 23354 insertions(+), 3 deletions(-) create mode 100644 unittests/scans/govulncheck/issue_14642.json diff --git a/dojo/tools/govulncheck/parser.py b/dojo/tools/govulncheck/parser.py index e2dced95f85..4bdea0908ff 100644 --- a/dojo/tools/govulncheck/parser.py +++ b/dojo/tools/govulncheck/parser.py @@ -74,7 +74,23 @@ def get_affected_version(self, data, osv_id): def get_findings(self, scan_file, test): findings = [] try: - data = json.load(scan_file) + try: + data = json.load(scan_file) + except json.JSONDecodeError: + scan_file.seek(0) + data = [] + buf = "" + for line in scan_file: + if not line.strip(): + continue + buf += line.decode("utf-8") if isinstance(line, bytes) else line + try: + data.append(json.loads(buf)) + buf = "" + except json.JSONDecodeError: + continue + if not data: + raise ValueError except Exception: msg = "Invalid JSON format" raise ValueError(msg) @@ -160,7 +176,7 @@ def get_findings(self, scan_file, test): range_info = "\n ".join(formatted_ranges) vuln_functions = ", ".join( - set(osv_data["affected"][0]["ecosystem_specific"]["imports"][0].get("symbols", [])), + set(osv_data["affected"][0].get("ecosystem_specific", {}).get("imports", [{}])[0].get("symbols", [])), ) description = ( @@ -172,7 +188,7 @@ def get_findings(self, scan_file, test): f"**Traces found :**\n{self.get_finding_trace_info(data, osv_data['id'])}" ) - references = [f"{ref['type']}: {ref['url']}" for ref in osv_data["references"]] + references = [f"{ref['type']}: {ref['url']}" for ref in osv_data.get("references", [])] db_specific_url = osv_data["database_specific"].get("url", "Unknown") if db_specific_url: references.append(f"Database: {db_specific_url}") diff --git a/unittests/scans/govulncheck/issue_14642.json b/unittests/scans/govulncheck/issue_14642.json new file mode 100644 index 00000000000..b04546b7ac2 --- /dev/null +++ b/unittests/scans/govulncheck/issue_14642.json @@ -0,0 +1,23329 @@ +{ + "config": { + "protocol_version": "v1.0.0", + "scanner_name": "govulncheck", + "scanner_version": "v1.1.4", + "db": "https://vuln.go.dev", + "db_last_modified": "2026-04-08T15:08:18Z", + "go_version": "go1.24.4", + "scan_level": "symbol", + "scan_mode": "source" + } +} +{ + "SBOM": { + "go_version": "go1.24.4", + "modules": [ + { + "path": "github.com/alielmi98/golang-expense-tracker-api" + }, + { + "path": "github.com/KyleBanks/depth", + "version": "v1.2.1" + }, + { + "path": "github.com/PuerkitoBio/purell", + "version": "v1.1.1" + }, + { + "path": "github.com/PuerkitoBio/urlesc", + "version": "v0.0.0-20170810143723-de5bf2ad4578" + }, + { + "path": "github.com/didip/tollbooth", + "version": "v4.0.2+incompatible" + }, + { + "path": "github.com/fsnotify/fsnotify", + "version": "v1.7.0" + }, + { + "path": "github.com/gabriel-vasile/mimetype", + "version": "v1.4.3" + }, + { + "path": "github.com/gin-contrib/sse", + "version": "v0.1.0" + }, + { + "path": "github.com/gin-gonic/gin", + "version": "v1.10.0" + }, + { + "path": "github.com/go-openapi/jsonpointer", + "version": "v0.19.5" + }, + { + "path": "github.com/go-openapi/jsonreference", + "version": "v0.19.6" + }, + { + "path": "github.com/go-openapi/spec", + "version": "v0.20.4" + }, + { + "path": "github.com/go-openapi/swag", + "version": "v0.19.15" + }, + { + "path": "github.com/go-playground/locales", + "version": "v0.14.1" + }, + { + "path": "github.com/go-playground/universal-translator", + "version": "v0.18.1" + }, + { + "path": "github.com/go-playground/validator/v10", + "version": "v10.20.0" + }, + { + "path": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible" + }, + { + "path": "github.com/hashicorp/hcl", + "version": "v1.0.0" + }, + { + "path": "github.com/jackc/pgpassfile", + "version": "v1.0.0" + }, + { + "path": "github.com/jackc/pgservicefile", + "version": "v0.0.0-20221227161230-091c0ba34f0a" + }, + { + "path": "github.com/jackc/pgx/v5", + "version": "v5.5.5" + }, + { + "path": "github.com/jackc/puddle/v2", + "version": "v2.2.1" + }, + { + "path": "github.com/jinzhu/inflection", + "version": "v1.0.0" + }, + { + "path": "github.com/jinzhu/now", + "version": "v1.1.5" + }, + { + "path": "github.com/josharian/intern", + "version": "v1.0.0" + }, + { + "path": "github.com/leodido/go-urn", + "version": "v1.4.0" + }, + { + "path": "github.com/magiconair/properties", + "version": "v1.8.7" + }, + { + "path": "github.com/mailru/easyjson", + "version": "v0.7.6" + }, + { + "path": "github.com/mattn/go-isatty", + "version": "v0.0.20" + }, + { + "path": "github.com/mitchellh/mapstructure", + "version": "v1.5.0" + }, + { + "path": "github.com/patrickmn/go-cache", + "version": "v2.1.0+incompatible" + }, + { + "path": "github.com/pelletier/go-toml/v2", + "version": "v2.2.2" + }, + { + "path": "github.com/sagikazarmark/slog-shim", + "version": "v0.1.0" + }, + { + "path": "github.com/spf13/afero", + "version": "v1.11.0" + }, + { + "path": "github.com/spf13/cast", + "version": "v1.6.0" + }, + { + "path": "github.com/spf13/pflag", + "version": "v1.0.5" + }, + { + "path": "github.com/spf13/viper", + "version": "v1.19.0" + }, + { + "path": "github.com/subosito/gotenv", + "version": "v1.6.0" + }, + { + "path": "github.com/swaggo/files", + "version": "v1.0.1" + }, + { + "path": "github.com/swaggo/gin-swagger", + "version": "v1.6.0" + }, + { + "path": "github.com/swaggo/swag", + "version": "v1.16.4" + }, + { + "path": "github.com/ugorji/go/codec", + "version": "v1.2.12" + }, + { + "path": "golang.org/x/crypto", + "version": "v0.23.0" + }, + { + "path": "golang.org/x/net", + "version": "v0.25.0" + }, + { + "path": "golang.org/x/sync", + "version": "v0.6.0" + }, + { + "path": "golang.org/x/sys", + "version": "v0.20.0" + }, + { + "path": "golang.org/x/text", + "version": "v0.15.0" + }, + { + "path": "golang.org/x/time", + "version": "v0.5.0" + }, + { + "path": "golang.org/x/tools", + "version": "v0.13.0" + }, + { + "path": "google.golang.org/protobuf", + "version": "v1.34.1" + }, + { + "path": "gopkg.in/ini.v1", + "version": "v1.67.0" + }, + { + "path": "gopkg.in/yaml.v2", + "version": "v2.4.0" + }, + { + "path": "gopkg.in/yaml.v3", + "version": "v3.0.1" + }, + { + "path": "gorm.io/driver/postgres", + "version": "v1.5.11" + }, + { + "path": "gorm.io/gorm", + "version": "v1.25.12" + }, + { + "path": "stdlib", + "version": "v1.24.4" + } + ], + "roots": [ + "github.com/alielmi98/golang-expense-tracker-api/pkg/service_errors", + "github.com/alielmi98/golang-expense-tracker-api/api/helper", + "github.com/alielmi98/golang-expense-tracker-api/config", + "github.com/alielmi98/golang-expense-tracker-api/constants", + "github.com/alielmi98/golang-expense-tracker-api/api/dto", + "github.com/alielmi98/golang-expense-tracker-api/common", + "github.com/alielmi98/golang-expense-tracker-api/data/db", + "github.com/alielmi98/golang-expense-tracker-api/data/models", + "github.com/alielmi98/golang-expense-tracker-api/repository", + "github.com/alielmi98/golang-expense-tracker-api/services", + "github.com/alielmi98/golang-expense-tracker-api/api/middlewares", + "github.com/alielmi98/golang-expense-tracker-api/api/handlers", + "github.com/alielmi98/golang-expense-tracker-api/api/routers", + "github.com/alielmi98/golang-expense-tracker-api/docs", + "github.com/alielmi98/golang-expense-tracker-api/api", + "github.com/alielmi98/golang-expense-tracker-api/data/db/migrations", + "github.com/alielmi98/golang-expense-tracker-api/cmd" + ] + } +} +{ + "progress": { + "message": "Fetching vulnerabilities from the database..." + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2567", + "modified": "2024-07-09T20:04:43Z", + "published": "2024-07-02T19:20:38Z", + "aliases": [ + "GHSA-fqpg-rq76-99pq" + ], + "summary": "Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx", + "details": "Pipeline can panic when PgConn is busy or closed.", + "affected": [ + { + "package": { + "name": "github.com/jackc/pgx/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "5.0.0-alpha.5" + }, + { + "fixed": "5.5.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/v5/pgconn", + "symbols": [ + "Pipeline.Sync" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/jackc/pgx/commit/dfd198003a03dbb96e4607b0d3a0bb9a7398ccb7" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2567", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2606", + "modified": "2024-09-13T14:17:49Z", + "published": "2024-03-14T17:12:43Z", + "aliases": [ + "CVE-2024-27304", + "GHSA-mrww-27vc-gghv", + "GHSA-7jwh-3vrq-q3m8" + ], + "summary": "SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx", + "details": "An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.", + "affected": [ + { + "package": { + "name": "github.com/jackc/pgproto3/v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgproto3/v2", + "symbols": [ + "AuthenticationCleartextPassword.Encode", + "AuthenticationGSS.Encode", + "AuthenticationGSSContinue.Encode", + "AuthenticationMD5Password.Encode", + "AuthenticationOk.Encode", + "AuthenticationSASL.Encode", + "AuthenticationSASLContinue.Encode", + "AuthenticationSASLFinal.Encode", + "Backend.Send", + "BackendKeyData.Encode", + "Bind.Encode", + "BindComplete.Encode", + "CancelRequest.Encode", + "Close.Encode", + "CloseComplete.Encode", + "CommandComplete.Encode", + "CopyBothResponse.Encode", + "CopyData.Encode", + "CopyDone.Encode", + "CopyFail.Encode", + "CopyInResponse.Encode", + "CopyOutResponse.Encode", + "DataRow.Encode", + "Describe.Encode", + "EmptyQueryResponse.Encode", + "ErrorResponse.Encode", + "ErrorResponse.marshalBinary", + "Execute.Encode", + "Flush.Encode", + "Frontend.Send", + "FunctionCall.Encode", + "FunctionCallResponse.Encode", + "GSSEncRequest.Encode", + "GSSResponse.Encode", + "NoData.Encode", + "NoticeResponse.Encode", + "NotificationResponse.Encode", + "ParameterDescription.Encode", + "ParameterStatus.Encode", + "Parse.Encode", + "ParseComplete.Encode", + "PasswordMessage.Encode", + "PortalSuspended.Encode", + "Query.Encode", + "ReadyForQuery.Encode", + "RowDescription.Encode", + "SASLInitialResponse.Encode", + "SASLResponse.Encode", + "SSLRequest.Encode", + "StartupMessage.Encode", + "Sync.Encode", + "Terminate.Encode" + ] + }, + { + "path": "github.com/jackc/pgproto3/v2/example/pgfortune", + "symbols": [ + "PgFortuneBackend.Run", + "PgFortuneBackend.handleStartup", + "main" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/jackc/pgx", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/internal/sanitize", + "symbols": [ + "Query.Sanitize", + "SanitizeSQL" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/jackc/pgx/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.18.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/v4/internal/sanitize", + "symbols": [ + "Query.Sanitize", + "SanitizeSQL" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/jackc/pgx/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.5.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/v5/internal/sanitize", + "symbols": [ + "Query.Sanitize", + "SanitizeSQL" + ] + }, + { + "path": "github.com/jackc/pgx/v5/pgproto3", + "symbols": [ + "AuthenticationCleartextPassword.Encode", + "AuthenticationGSS.Encode", + "AuthenticationGSSContinue.Encode", + "AuthenticationMD5Password.Encode", + "AuthenticationOk.Encode", + "AuthenticationSASL.Encode", + "AuthenticationSASLContinue.Encode", + "AuthenticationSASLFinal.Encode", + "Backend.Flush", + "Backend.Send", + "BackendKeyData.Encode", + "Bind.Encode", + "BindComplete.Encode", + "CancelRequest.Encode", + "Close.Encode", + "CloseComplete.Encode", + "CommandComplete.Encode", + "CopyBothResponse.Encode", + "CopyData.Encode", + "CopyDone.Encode", + "CopyFail.Encode", + "CopyInResponse.Encode", + "CopyOutResponse.Encode", + "DataRow.Encode", + "Describe.Encode", + "EmptyQueryResponse.Encode", + "ErrorResponse.Encode", + "ErrorResponse.marshalBinary", + "Execute.Encode", + "Flush.Encode", + "Frontend.Flush", + "Frontend.Send", + "Frontend.SendBind", + "Frontend.SendClose", + "Frontend.SendDescribe", + "Frontend.SendExecute", + "Frontend.SendParse", + "Frontend.SendQuery", + "Frontend.SendSync", + "Frontend.SendUnbufferedEncodedCopyData", + "FunctionCall.Encode", + "FunctionCallResponse.Encode", + "GSSEncRequest.Encode", + "GSSResponse.Encode", + "NoData.Encode", + "NoticeResponse.Encode", + "NotificationResponse.Encode", + "ParameterDescription.Encode", + "ParameterStatus.Encode", + "Parse.Encode", + "ParseComplete.Encode", + "PasswordMessage.Encode", + "PortalSuspended.Encode", + "Query.Encode", + "ReadyForQuery.Encode", + "RowDescription.Encode", + "SASLInitialResponse.Encode", + "SASLResponse.Encode", + "SSLRequest.Encode", + "StartupMessage.Encode", + "Sync.Encode", + "Terminate.Encode" + ] + }, + { + "path": "github.com/jackc/pgx/v5/pgconn", + "symbols": [ + "Batch.ExecParams", + "Batch.ExecPrepared", + "Connect", + "ConnectConfig", + "ConnectWithOptions", + "MultiResultReader.Close", + "MultiResultReader.NextResult", + "MultiResultReader.ReadAll", + "PgConn.CheckConn", + "PgConn.Close", + "PgConn.CopyFrom", + "PgConn.CopyTo", + "PgConn.Deallocate", + "PgConn.Exec", + "PgConn.ExecBatch", + "PgConn.ExecParams", + "PgConn.ExecPrepared", + "PgConn.Ping", + "PgConn.Prepare", + "PgConn.ReceiveMessage", + "PgConn.SyncConn", + "PgConn.WaitForNotification", + "Pipeline.Close", + "Pipeline.Flush", + "Pipeline.GetResults", + "Pipeline.SendDeallocate", + "Pipeline.SendPrepare", + "Pipeline.SendQueryParams", + "Pipeline.SendQueryPrepared", + "Pipeline.Sync", + "ResultReader.Close", + "ResultReader.NextRow", + "ResultReader.Read", + "ValidateConnectTargetSessionAttrsPreferStandby", + "ValidateConnectTargetSessionAttrsPrimary", + "ValidateConnectTargetSessionAttrsReadOnly", + "ValidateConnectTargetSessionAttrsReadWrite", + "ValidateConnectTargetSessionAttrsStandby" + ] + }, + { + "path": "github.com/jackc/pgx/v5/pgproto3/example/pgfortune", + "symbols": [ + "PgFortuneBackend.Run", + "PgFortuneBackend.handleStartup", + "main" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv" + }, + { + "type": "FIX", + "url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007" + }, + { + "type": "FIX", + "url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4" + }, + { + "type": "FIX", + "url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8" + }, + { + "type": "FIX", + "url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df" + } + ], + "credits": [ + { + "name": "paul-gerste-sonarsource" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2606", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4771", + "modified": "2026-04-07T14:58:41Z", + "published": "2026-04-07T14:58:41Z", + "aliases": [ + "CVE-2026-33815" + ], + "summary": "CVE-2026-33815 in github.com/jackc/pgx", + "details": "Memory-safety vulnerability in github.com/jackc/pgx/v5.", + "affected": [ + { + "package": { + "name": "github.com/jackc/pgx/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/v5/pgproto3", + "symbols": [ + "Backend.Receive", + "Bind.Decode" + ] + } + ] + } + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4771", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4772", + "modified": "2026-04-07T14:58:41Z", + "published": "2026-04-07T14:58:41Z", + "aliases": [ + "CVE-2026-33816" + ], + "summary": "CVE-2026-33816 in github.com/jackc/pgx", + "details": "Memory-safety vulnerability in github.com/jackc/pgx/v5.", + "affected": [ + { + "package": { + "name": "github.com/jackc/pgx/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/jackc/pgx/v5/pgproto3", + "symbols": [ + "Backend.Receive", + "FunctionCall.Decode" + ] + } + ] + } + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4772", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3553", + "modified": "2025-04-08T21:04:08Z", + "published": "2025-03-26T17:24:24Z", + "aliases": [ + "CVE-2025-30204", + "GHSA-mh63-6h87-95cp" + ], + "summary": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt", + "details": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt", + "affected": [ + { + "package": { + "name": "github.com/golang-jwt/jwt", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": {} + }, + { + "package": { + "name": "github.com/golang-jwt/jwt/v4", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.5.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/golang-jwt/jwt/v4", + "symbols": [ + "Parser.ParseUnverified" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/golang-jwt/jwt/v5", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "5.0.0-rc.1" + }, + { + "fixed": "5.2.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/golang-jwt/jwt/v5", + "symbols": [ + "Parser.ParseUnverified" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp" + }, + { + "type": "FIX", + "url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3553", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1631", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-03-14T16:47:00Z", + "aliases": [ + "CVE-2023-24535", + "GHSA-hw7c-3rfg-p46j" + ], + "summary": "Panic when parsing invalid messages in google.golang.org/protobuf", + "details": "Parsing invalid messages can panic.\n\nParsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.", + "affected": [ + { + "package": { + "name": "google.golang.org/protobuf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.29.0" + }, + { + "fixed": "1.29.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "google.golang.org/protobuf/encoding/prototext", + "symbols": [ + "Unmarshal", + "UnmarshalOptions.Unmarshal", + "UnmarshalOptions.unmarshal" + ] + }, + { + "path": "google.golang.org/protobuf/internal/encoding/text", + "symbols": [ + "Decoder.Peek", + "Decoder.Read", + "parseNumber" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/475995" + }, + { + "type": "REPORT", + "url": "https://github.com/golang/protobuf/issues/1530" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1631", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2611", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T20:24:05Z", + "aliases": [ + "CVE-2024-24786", + "GHSA-8r3f-844c-mc37" + ], + "summary": "Infinite loop in JSON unmarshaling in google.golang.org/protobuf", + "details": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", + "affected": [ + { + "package": { + "name": "google.golang.org/protobuf", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.33.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "google.golang.org/protobuf/encoding/protojson", + "symbols": [ + "Unmarshal", + "UnmarshalOptions.Unmarshal", + "UnmarshalOptions.unmarshal" + ] + }, + { + "path": "google.golang.org/protobuf/internal/encoding/json", + "symbols": [ + "Decoder.Peek", + "Decoder.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/569356" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2611", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0493", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:30:12Z", + "aliases": [ + "CVE-2022-29526", + "GHSA-p782-xgp4-8hr8" + ], + "summary": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix", + "details": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.10" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "Faccessat" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/sys", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220412211240-33da011f77ad" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/sys/unix", + "symbols": [ + "Faccessat" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/399539" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52313" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/400074" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" + } + ], + "credits": [ + { + "name": "Joël Gähwiler (@256dpi)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0493", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0603", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-22T18:00:47Z", + "aliases": [ + "CVE-2022-28948", + "GHSA-hp87-p4gw-j4gq" + ], + "summary": "Panic in gopkg.in/yaml.v3", + "details": "An issue in the Unmarshal function can cause a program to panic when attempting to deserialize invalid input.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v3", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.0-20220521103104-8f96da9f5d5e" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v3", + "symbols": [ + "Unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/issues/666" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0603", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0014", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2018-17846", + "GHSA-vfw5-hrgq-h5wf" + ], + "summary": "Infinite loop due to improper handling of \"select\" tags in golang.org/x/net/html", + "details": "html.Parse does not properly handle \"select\" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190125091013-d26f9f9a57f3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "inSelectIM", + "inSelectInTableIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go-review.googlesource.com/c/137275" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27842" + } + ], + "credits": [ + { + "name": "@tr3ee" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0014", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0078", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2018-17075", + "GHSA-5p4h-3377-7w67" + ], + "summary": "Panic when parsing malformed HTML in golang.org/x/net/html", + "details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made to panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating on user input, this may be a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180816102801-aaf60122140d" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "inBodyIM", + "inFramesetIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/123776" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27016" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668" + }, + { + "type": "WEB", + "url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906" + } + ], + "credits": [ + { + "name": "Kunpei Sakai" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0078", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0238", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:33:43Z", + "aliases": [ + "CVE-2021-33194", + "GHSA-83g2-8m93-v3w7" + ], + "summary": "Infinite loop when parsing inputs in golang.org/x/net/html", + "details": "An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20210520170846-37e1c6afe023" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "ParseFragmentWithOptions", + "ParseWithOptions", + "inHeadIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/311090" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46288" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/wPunbCPkWUg" + } + ], + "credits": [ + { + "name": "OSS-Fuzz (discovery)" + }, + { + "name": "Andrew Thornton (reporter)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0238", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0192", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:11:34Z", + "aliases": [ + "CVE-2018-17142", + "GHSA-2wp2-chmh-r934" + ], + "summary": "Incorrect parsing of nested templates in golang.org/x/net/html", + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003cmath\u003e\u003ctemplate\u003e\u003cmo\u003e\u003ctemplate\u003e\".", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180925071336-cf3bd585ca2a" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "parser.resetInsertionMode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/136875" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/cf3bd585ca2a5a21b057abd8be7eea2204af89d0" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27702" + } + ], + "credits": [ + { + "name": "@tr3ee" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0192", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0193", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-06T18:14:54Z", + "aliases": [ + "CVE-2018-17143", + "GHSA-fcf9-6fv2-fc5v" + ], + "summary": "Panic on unconsidered isindex and template combination in golang.org/x/net/html", + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003ctemplate\u003e\u003ctBody\u003e\u003cisindex/action=0\u003e\".", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20180921000356-2f5d2388922f" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "inBodyIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go-review.googlesource.com/c/net/+/136575" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/2f5d2388922f370f4355f327fcf4cfe9f5583908" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27704" + } + ], + "credits": [ + { + "name": "@tr3ee" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0193", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0197", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:15:19Z", + "aliases": [ + "CVE-2018-17847", + "CVE-2018-17848", + "GHSA-4r78-hx75-jjj2", + "GHSA-mv93-wvcp-7m7r" + ], + "summary": "Panic when parsing certain inputs in golang.org/x/net/html", + "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003csvg\u003e\u003ctemplate\u003e\u003cdesc\u003e\u003ct\u003e\u003csvg\u003e\u003c/template\u003e\".", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190125002852-4b62a64f59f7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "nodeStack.contains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/159397" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/27846" + } + ], + "credits": [ + { + "name": "@tr3ee" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0197", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0236", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:04:18Z", + "aliases": [ + "CVE-2021-31525", + "GHSA-h86h-8ppg-mxmh" + ], + "summary": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts", + "details": "A malicious HTTP server or client can cause the net/http client or server to panic.\n\nReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.\n\nThis also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.12" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2clientStream.writeRequest", + "http2isConnectionCloseRequest", + "isProtocolSwitchHeader", + "shouldClose" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20210428140749-89ef3d95e781" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http/httpguts", + "symbols": [ + "HeaderValuesContainsToken", + "headerValueContainsToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/313069" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/45710" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0236", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0288", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:08:33Z", + "aliases": [ + "CVE-2021-44716", + "GHSA-vc3p-29h2-gpcp" + ], + "summary": "Unbounded memory growth in net/http and golang.org/x/net/http2", + "details": "An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.12" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20211209124913-491a49abca63" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/369794" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50058" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" + } + ], + "credits": [ + { + "name": "murakmii" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0288", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0536", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-01T22:20:53Z", + "aliases": [ + "CVE-2019-9512", + "CVE-2019-9514", + "GHSA-39qc-96h7-956f", + "GHSA-hgr8-6h9x-f7q9" + ], + "summary": "Reset flood in net/http and golang.org/x/net/http", + "details": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.13" + }, + { + "introduced": "1.12.0-0" + }, + { + "fixed": "1.12.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.scheduleFrameWrite", + "http2serverConn.serve", + "http2serverConn.writeFrame" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190813141303-74dc4d7220e7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.scheduleFrameWrite", + "serverConn.serve", + "serverConn.writeFrame" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/190137" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/33606" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ" + } + ], + "credits": [ + { + "name": "Jonathan Looney of Netflix" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0536", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0969", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-09-12T20:23:06Z", + "aliases": [ + "CVE-2022-27664", + "GHSA-69cg-p879-7622" + ], + "summary": "Denial of service in net/http and golang.org/x/net/http2", + "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.6" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.goAway" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220906165146-f3363e06e74c" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.goAway" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/54658" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/428735" + } + ], + "credits": [ + { + "name": "Bahruz Jabiyev" + }, + { + "name": "Tommaso Innocenti" + }, + { + "name": "Anthony Gavazzi" + }, + { + "name": "Steven Sprecher" + }, + { + "name": "Kaan Onarlioglu" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0969", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1144", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "Excessive memory growth in net/http and golang.org/x/net/http2", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ], + "credits": [ + { + "name": "Josselin Costanzi" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1144", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1495", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-01-13T22:39:40Z", + "aliases": [ + "CVE-2022-41721", + "GHSA-fxg5-wq6x-vr4w" + ], + "summary": "Request smuggling due to improper request handling in golang.org/x/net/http2/h2c", + "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.0.0-20220524220425-1d687d428aca" + }, + { + "fixed": "0.1.1-0.20221104162952-702349b0e862" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2/h2c", + "symbols": [ + "h2cHandler.ServeHTTP", + "h2cUpgrade" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56352" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/447396" + } + ], + "credits": [ + { + "name": "John Howard (Google)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1495", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1571", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "ListenAndServe", + "ListenAndServeTLS", + "Post", + "PostForm", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "Transport.RoundTrip" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "ClientConn.Close", + "ClientConn.Ping", + "ClientConn.RoundTrip", + "ClientConn.Shutdown", + "ConfigureServer", + "ConfigureTransport", + "ConfigureTransports", + "ConnectionError.Error", + "ErrCode.String", + "FrameHeader.String", + "FrameType.String", + "FrameWriteRequest.String", + "Framer.ReadFrame", + "Framer.WriteContinuation", + "Framer.WriteData", + "Framer.WriteDataPadded", + "Framer.WriteGoAway", + "Framer.WriteHeaders", + "Framer.WritePing", + "Framer.WritePriority", + "Framer.WritePushPromise", + "Framer.WriteRSTStream", + "Framer.WriteRawFrame", + "Framer.WriteSettings", + "Framer.WriteSettingsAck", + "Framer.WriteWindowUpdate", + "GoAwayError.Error", + "ReadFrameHeader", + "Server.ServeConn", + "Setting.String", + "SettingID.String", + "SettingsFrame.ForeachSetting", + "StreamError.Error", + "Transport.CloseIdleConnections", + "Transport.NewClientConn", + "Transport.RoundTrip", + "Transport.RoundTripOpt", + "bufferedWriter.Flush", + "bufferedWriter.Write", + "chunkWriter.Write", + "clientConnPool.GetClientConn", + "connError.Error", + "dataBuffer.Read", + "duplicatePseudoHeaderError.Error", + "gzipReader.Close", + "gzipReader.Read", + "headerFieldNameError.Error", + "headerFieldValueError.Error", + "noDialClientConnPool.GetClientConn", + "noDialH2RoundTripper.RoundTrip", + "pipe.Read", + "priorityWriteScheduler.CloseStream", + "priorityWriteScheduler.OpenStream", + "pseudoHeaderError.Error", + "requestBody.Close", + "requestBody.Read", + "responseWriter.Flush", + "responseWriter.FlushError", + "responseWriter.Push", + "responseWriter.SetReadDeadline", + "responseWriter.SetWriteDeadline", + "responseWriter.Write", + "responseWriter.WriteHeader", + "responseWriter.WriteString", + "serverConn.CloseConn", + "serverConn.Flush", + "stickyErrWriter.Write", + "transportResponseBody.Close", + "transportResponseBody.Read", + "writeData.String" + ] + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1571", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1988", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-08-02T15:06:27Z", + "aliases": [ + "CVE-2023-3978", + "GHSA-2wrh-6pvc-2jm9" + ], + "summary": "Improper rendering of text nodes in golang.org/x/net/html", + "details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.13.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Render", + "render1" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/61615" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/514896" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1988", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2102", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-10-11T16:49:53Z", + "aliases": [ + "CVE-2023-39325", + "GHSA-4374-p667-p6c8" + ], + "summary": "HTTP/2 rapid reset can cause excessive work in net/http", + "details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.10" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.processHeaders", + "http2serverConn.runHandler", + "http2serverConn.serve", + "http2serverConn.upgradeRequest" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.17.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.processHeaders", + "serverConn.runHandler", + "serverConn.serve", + "serverConn.upgradeRequest" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/63417" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/534215" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/534235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2102", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2687", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-04-03T21:12:01Z", + "aliases": [ + "CVE-2023-45288", + "GHSA-4v7x-pqxf-cx7m" + ], + "summary": "HTTP/2 CONTINUATION flood in net/http", + "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.9" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "CanonicalHeaderKey", + "Client.CloseIdleConnections", + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Cookie.String", + "Cookie.Valid", + "Dir.Open", + "Error", + "Get", + "HandlerFunc.ServeHTTP", + "Head", + "Header.Add", + "Header.Del", + "Header.Get", + "Header.Set", + "Header.Values", + "Header.Write", + "Header.WriteSubset", + "ListenAndServe", + "ListenAndServeTLS", + "NewRequest", + "NewRequestWithContext", + "NotFound", + "ParseTime", + "Post", + "PostForm", + "ProxyFromEnvironment", + "ReadRequest", + "ReadResponse", + "Redirect", + "Request.AddCookie", + "Request.BasicAuth", + "Request.FormFile", + "Request.FormValue", + "Request.MultipartReader", + "Request.ParseForm", + "Request.ParseMultipartForm", + "Request.PostFormValue", + "Request.Referer", + "Request.SetBasicAuth", + "Request.UserAgent", + "Request.Write", + "Request.WriteProxy", + "Response.Cookies", + "Response.Location", + "Response.Write", + "ResponseController.EnableFullDuplex", + "ResponseController.Flush", + "ResponseController.Hijack", + "ResponseController.SetReadDeadline", + "ResponseController.SetWriteDeadline", + "Serve", + "ServeContent", + "ServeFile", + "ServeMux.ServeHTTP", + "ServeTLS", + "Server.Close", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "Server.SetKeepAlivesEnabled", + "Server.Shutdown", + "SetCookie", + "Transport.CancelRequest", + "Transport.Clone", + "Transport.CloseIdleConnections", + "Transport.RoundTrip", + "body.Close", + "body.Read", + "bodyEOFSignal.Close", + "bodyEOFSignal.Read", + "bodyLocked.Read", + "bufioFlushWriter.Write", + "cancelTimerBody.Close", + "cancelTimerBody.Read", + "checkConnErrorWriter.Write", + "chunkWriter.Write", + "connReader.Read", + "connectMethodKey.String", + "expectContinueReader.Close", + "expectContinueReader.Read", + "extraHeader.Write", + "fileHandler.ServeHTTP", + "fileTransport.RoundTrip", + "globalOptionsHandler.ServeHTTP", + "gzipReader.Close", + "gzipReader.Read", + "http2ClientConn.Close", + "http2ClientConn.Ping", + "http2ClientConn.RoundTrip", + "http2ClientConn.Shutdown", + "http2ConnectionError.Error", + "http2ErrCode.String", + "http2FrameHeader.String", + "http2FrameType.String", + "http2FrameWriteRequest.String", + "http2Framer.ReadFrame", + "http2Framer.WriteContinuation", + "http2Framer.WriteData", + "http2Framer.WriteDataPadded", + "http2Framer.WriteGoAway", + "http2Framer.WriteHeaders", + "http2Framer.WritePing", + "http2Framer.WritePriority", + "http2Framer.WritePushPromise", + "http2Framer.WriteRSTStream", + "http2Framer.WriteRawFrame", + "http2Framer.WriteSettings", + "http2Framer.WriteSettingsAck", + "http2Framer.WriteWindowUpdate", + "http2Framer.readMetaFrame", + "http2GoAwayError.Error", + "http2Server.ServeConn", + "http2Setting.String", + "http2SettingID.String", + "http2SettingsFrame.ForeachSetting", + "http2StreamError.Error", + "http2Transport.CloseIdleConnections", + "http2Transport.NewClientConn", + "http2Transport.RoundTrip", + "http2Transport.RoundTripOpt", + "http2bufferedWriter.Flush", + "http2bufferedWriter.Write", + "http2chunkWriter.Write", + "http2clientConnPool.GetClientConn", + "http2connError.Error", + "http2dataBuffer.Read", + "http2duplicatePseudoHeaderError.Error", + "http2gzipReader.Close", + "http2gzipReader.Read", + "http2headerFieldNameError.Error", + "http2headerFieldValueError.Error", + "http2noDialClientConnPool.GetClientConn", + "http2noDialH2RoundTripper.RoundTrip", + "http2pipe.Read", + "http2priorityWriteScheduler.CloseStream", + "http2priorityWriteScheduler.OpenStream", + "http2pseudoHeaderError.Error", + "http2requestBody.Close", + "http2requestBody.Read", + "http2responseWriter.Flush", + "http2responseWriter.FlushError", + "http2responseWriter.Push", + "http2responseWriter.SetReadDeadline", + "http2responseWriter.SetWriteDeadline", + "http2responseWriter.Write", + "http2responseWriter.WriteHeader", + "http2responseWriter.WriteString", + "http2roundRobinWriteScheduler.OpenStream", + "http2serverConn.CloseConn", + "http2serverConn.Flush", + "http2stickyErrWriter.Write", + "http2transportResponseBody.Close", + "http2transportResponseBody.Read", + "http2writeData.String", + "initALPNRequest.ServeHTTP", + "loggingConn.Close", + "loggingConn.Read", + "loggingConn.Write", + "maxBytesReader.Close", + "maxBytesReader.Read", + "onceCloseListener.Close", + "persistConn.Read", + "persistConnWriter.ReadFrom", + "persistConnWriter.Write", + "populateResponse.Write", + "populateResponse.WriteHeader", + "readTrackingBody.Close", + "readTrackingBody.Read", + "readWriteCloserBody.Read", + "redirectHandler.ServeHTTP", + "response.Flush", + "response.FlushError", + "response.Hijack", + "response.ReadFrom", + "response.Write", + "response.WriteHeader", + "response.WriteString", + "serverHandler.ServeHTTP", + "socksDialer.DialWithConn", + "socksUsernamePassword.Authenticate", + "stringWriter.WriteString", + "timeoutHandler.ServeHTTP", + "timeoutWriter.Write", + "timeoutWriter.WriteHeader", + "transportReadFromServerError.Error" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "ClientConn.Close", + "ClientConn.Ping", + "ClientConn.RoundTrip", + "ClientConn.Shutdown", + "ConfigureServer", + "ConfigureTransport", + "ConfigureTransports", + "ConnectionError.Error", + "ErrCode.String", + "FrameHeader.String", + "FrameType.String", + "FrameWriteRequest.String", + "Framer.ReadFrame", + "Framer.WriteContinuation", + "Framer.WriteData", + "Framer.WriteDataPadded", + "Framer.WriteGoAway", + "Framer.WriteHeaders", + "Framer.WritePing", + "Framer.WritePriority", + "Framer.WritePushPromise", + "Framer.WriteRSTStream", + "Framer.WriteRawFrame", + "Framer.WriteSettings", + "Framer.WriteSettingsAck", + "Framer.WriteWindowUpdate", + "Framer.readMetaFrame", + "GoAwayError.Error", + "ReadFrameHeader", + "Server.ServeConn", + "Setting.String", + "SettingID.String", + "SettingsFrame.ForeachSetting", + "StreamError.Error", + "Transport.CloseIdleConnections", + "Transport.NewClientConn", + "Transport.RoundTrip", + "Transport.RoundTripOpt", + "bufferedWriter.Flush", + "bufferedWriter.Write", + "chunkWriter.Write", + "clientConnPool.GetClientConn", + "connError.Error", + "dataBuffer.Read", + "duplicatePseudoHeaderError.Error", + "gzipReader.Close", + "gzipReader.Read", + "headerFieldNameError.Error", + "headerFieldValueError.Error", + "noDialClientConnPool.GetClientConn", + "noDialH2RoundTripper.RoundTrip", + "pipe.Read", + "priorityWriteScheduler.CloseStream", + "priorityWriteScheduler.OpenStream", + "pseudoHeaderError.Error", + "requestBody.Close", + "requestBody.Read", + "responseWriter.Flush", + "responseWriter.FlushError", + "responseWriter.Push", + "responseWriter.SetReadDeadline", + "responseWriter.SetWriteDeadline", + "responseWriter.Write", + "responseWriter.WriteHeader", + "responseWriter.WriteString", + "roundRobinWriteScheduler.OpenStream", + "serverConn.CloseConn", + "serverConn.Flush", + "stickyErrWriter.Write", + "transportResponseBody.Close", + "transportResponseBody.Read", + "writeData.String" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65051" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/576155" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" + } + ], + "credits": [ + { + "name": "Bartek Nowotarski (https://nowotarski.info/)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2687", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-3333", + "modified": "2024-12-20T20:37:27Z", + "published": "2024-12-18T20:22:06Z", + "aliases": [ + "CVE-2024-45338", + "GHSA-w32m-9786-jp63" + ], + "summary": "Non-linear parsing of case-insensitive content in golang.org/x/net/html", + "details": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.33.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "ParseFragmentWithOptions", + "ParseWithOptions", + "htmlIntegrationPoint", + "inBodyIM", + "inTableIM", + "parseDoctype" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/637536" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/70906" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3333", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3503", + "modified": "2025-03-12T18:17:07Z", + "published": "2025-03-12T18:17:07Z", + "aliases": [ + "CVE-2025-22870" + ], + "summary": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", + "details": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http/httpproxy", + "symbols": [ + "config.useProxy", + "domainMatch.match" + ] + }, + { + "path": "golang.org/x/net/proxy", + "symbols": [ + "Dial", + "FromEnvironment", + "FromEnvironmentUsing", + "PerHost.AddFromString", + "PerHost.Dial", + "PerHost.DialContext", + "PerHost.dialerForRequest" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/654697" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71984" + } + ], + "credits": [ + { + "name": "Juho Forsén of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3503", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3595", + "modified": "2025-04-16T16:54:55Z", + "published": "2025-04-16T16:54:55Z", + "aliases": [ + "CVE-2025-22872" + ], + "summary": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", + "details": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.38.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "ParseFragmentWithOptions", + "ParseWithOptions", + "Tokenizer.Next", + "Tokenizer.readStartTag" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/662715" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/73070" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA" + } + ], + "credits": [ + { + "name": "Sean Ng (https://ensy.zip)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3595", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4440", + "modified": "2026-02-05T17:23:14Z", + "published": "2026-02-05T17:23:14Z", + "aliases": [ + "CVE-2025-47911" + ], + "summary": "Quadratic parsing complexity in golang.org/x/net/html", + "details": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.45.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "ParseFragmentWithOptions", + "ParseWithOptions", + "parser.parse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/709876" + }, + { + "type": "REPORT", + "url": "https://github.com/golang/vulndb/issues/4440" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c" + } + ], + "credits": [ + { + "name": "Guido Vranken" + }, + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4440", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4441", + "modified": "2026-02-05T17:23:17Z", + "published": "2026-02-05T17:23:17Z", + "aliases": [ + "CVE-2025-58190" + ], + "summary": "Infinite parsing loop in golang.org/x/net", + "details": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.45.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/html", + "symbols": [ + "Parse", + "ParseFragment", + "ParseFragmentWithOptions", + "ParseWithOptions", + "inRowIM" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c" + }, + { + "type": "REPORT", + "url": "https://github.com/golang/vulndb/issues/4441" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709875" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4441", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4559", + "modified": "2026-02-26T18:24:17Z", + "published": "2026-02-26T18:24:17Z", + "aliases": [ + "CVE-2026-27141" + ], + "summary": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net", + "details": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic", + "affected": [ + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0.50.0" + }, + { + "fixed": "0.51.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "ClientConn.Close", + "ClientConn.Ping", + "ClientConn.RoundTrip", + "ClientConn.Shutdown", + "ConfigureServer", + "ConfigureTransport", + "ConfigureTransports", + "ConnectionError.Error", + "ErrCode.String", + "FrameHeader.String", + "FrameType.String", + "FrameWriteRequest.String", + "Framer.ReadFrame", + "Framer.ReadFrameForHeader", + "Framer.ReadFrameHeader", + "Framer.WriteContinuation", + "Framer.WriteData", + "Framer.WriteDataPadded", + "Framer.WriteGoAway", + "Framer.WriteHeaders", + "Framer.WritePing", + "Framer.WritePriority", + "Framer.WritePriorityUpdate", + "Framer.WritePushPromise", + "Framer.WriteRSTStream", + "Framer.WriteRawFrame", + "Framer.WriteSettings", + "Framer.WriteSettingsAck", + "Framer.WriteWindowUpdate", + "GoAwayError.Error", + "ReadFrameHeader", + "Server.ServeConn", + "Setting.String", + "SettingID.String", + "SettingsFrame.ForeachSetting", + "StreamError.Error", + "Transport.CloseIdleConnections", + "Transport.NewClientConn", + "Transport.RoundTrip", + "Transport.RoundTripOpt", + "bufferedWriter.Flush", + "bufferedWriter.Write", + "bufferedWriterTimeoutWriter.Write", + "chunkWriter.Write", + "clientConnPool.GetClientConn", + "connError.Error", + "dataBuffer.Read", + "duplicatePseudoHeaderError.Error", + "gzipReader.Close", + "gzipReader.Read", + "headerFieldNameError.Error", + "headerFieldValueError.Error", + "netHTTPClientConn.Close", + "netHTTPClientConn.RoundTrip", + "noDialClientConnPool.GetClientConn", + "noDialH2RoundTripper.NewClientConn", + "noDialH2RoundTripper.RoundTrip", + "pipe.Read", + "priorityWriteSchedulerRFC7540.CloseStream", + "priorityWriteSchedulerRFC7540.OpenStream", + "priorityWriteSchedulerRFC9218.OpenStream", + "pseudoHeaderError.Error", + "requestBody.Close", + "requestBody.Read", + "responseWriter.Flush", + "responseWriter.FlushError", + "responseWriter.Push", + "responseWriter.SetReadDeadline", + "responseWriter.SetWriteDeadline", + "responseWriter.Write", + "responseWriter.WriteHeader", + "responseWriter.WriteString", + "roundRobinWriteScheduler.OpenStream", + "serverConn.CloseConn", + "serverConn.Flush", + "stickyErrWriter.Write", + "transportResponseBody.Close", + "transportResponseBody.Read", + "typeFrameParser", + "unencryptedTransport.RoundTrip", + "writeData.String" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/746180" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77652" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4559", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0036", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2019-11254", + "GHSA-wxc4-f4m6-wwqv" + ], + "summary": "Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2", + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_decrease_flow_level", + "yaml_parser_fetch_more_tokens", + "yaml_parser_fetch_stream_start", + "yaml_parser_fetch_value", + "yaml_parser_remove_simple_key", + "yaml_parser_save_simple_key" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/go-yaml/yaml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/go-yaml/yaml", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_decrease_flow_level", + "yaml_parser_fetch_more_tokens", + "yaml_parser_fetch_stream_start", + "yaml_parser_fetch_value", + "yaml_parser_remove_simple_key", + "yaml_parser_save_simple_key" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/555" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0061", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2021-4235", + "GHSA-r88r-gmrh-7j83" + ], + "summary": "Denial of service in gopkg.in/yaml.v2", + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + }, + { + "package": { + "name": "github.com/go-yaml/yaml", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/go-yaml/yaml", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/375" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + } + ], + "credits": [ + { + "name": "@simonferquel" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0956", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-29T22:15:46Z", + "aliases": [ + "CVE-2022-3064", + "GHSA-6q6q-88xp-6f2r" + ], + "summary": "Excessive resource consumption in gopkg.in/yaml.v2", + "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0956", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0015", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-14040", + "GHSA-5rcv-m4m3-hfh7" + ], + "summary": "Infinite loop when decoding some inputs in golang.org/x/text", + "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/encoding/unicode", + "symbols": [ + "bomOverride.Transform", + "utf16Decoder.Transform" + ] + }, + { + "path": "golang.org/x/text/transform", + "symbols": [ + "String" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/238238" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/39491" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0" + } + ], + "credits": [ + { + "name": "@abacabadabacaba" + }, + { + "name": "Anton Gyllenberg" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0015", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0113", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-10-06T17:51:21Z", + "aliases": [ + "CVE-2021-38561", + "GHSA-ppp9-7jff-5vj2" + ], + "summary": "Out-of-bounds read in golang.org/x/text/language", + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1059", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-10-11T18:16:24Z", + "aliases": [ + "CVE-2022-32149", + "GHSA-69ch-w2m2-3vjp" + ], + "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language", + "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56152" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/442235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics)" + }, + { + "name": "OSS-Fuzz" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1059", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0012", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-9283", + "GHSA-ffhg-7mh4-33c4" + ], + "summary": "Panic due to improper verification of cryptographic signatures in golang.org/x/crypto/ssh", + "details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200220183623-bac4c82f6975" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "CertChecker.Authenticate", + "CertChecker.CheckCert", + "CertChecker.CheckHostKey", + "Certificate.Verify", + "Dial", + "NewClientConn", + "NewPublicKey", + "NewServerConn", + "NewSignerFromKey", + "NewSignerFromSigner", + "ParseAuthorizedKey", + "ParseKnownHosts", + "ParsePrivateKey", + "ParsePrivateKeyWithPassphrase", + "ParsePublicKey", + "ParseRawPrivateKey", + "ParseRawPrivateKeyWithPassphrase", + "ed25519PublicKey.Verify", + "parseED25519", + "parseSKEd25519", + "skEd25519PublicKey.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/220357" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/3L45YRc91SY" + } + ], + "credits": [ + { + "name": "Alex Gaynor, Fish in a Barrel" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0012", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0013", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2017-3204", + "GHSA-xhjq-w7xm-p8qj" + ], + "summary": "Man-in-the-middle attack in golang.org/x/crypto/ssh", + "details": "By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20170330155735-e4e2799dd7aa" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "Dial", + "NewClientConn" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/38701" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/19767" + }, + { + "type": "WEB", + "url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/" + } + ], + "credits": [ + { + "name": "Phil Pennock" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0013", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0227", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:35:32Z", + "aliases": [ + "CVE-2020-29652", + "GHSA-3vm4-22fp-5rfm" + ], + "summary": "Panic on crafted authentication request message in golang.org/x/crypto/ssh", + "details": "Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20201216223049-8b5274cf687f" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "NewServerConn", + "connection.serverAuthenticate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/278852" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1" + } + ], + "credits": [ + { + "name": "Joern Schneewesiz (GitLab Security Research Team)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0227", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0356", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-04-25T20:38:40Z", + "aliases": [ + "CVE-2022-27191", + "GHSA-8c26-wmh5-6g9v" + ], + "summary": "Denial of service via crafted Signer in golang.org/x/crypto/ssh", + "details": "Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that\n1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are unaffected.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220314234659-1baeb1ce4c0b" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "ServerConfig.AddHostKey" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/392355" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0356", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0209", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:15:25Z", + "aliases": [ + "CVE-2019-11840", + "GHSA-r5c5-pr8j-pfp7" + ], + "summary": "Insufficiently random values in golang.org/x/crypto/salsa20", + "details": "XORKeyStream generates incorrect and insecure output for very large inputs.\n\nIf more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.\n\nThe issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.\n\nArchitectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190320223903-b7391e95e576" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/salsa20/salsa", + "goarch": [ + "amd64" + ], + "symbols": [ + "XORKeyStream" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/168406" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/30965" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ" + } + ], + "credits": [ + { + "name": "Michael McLoughlin" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0209", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0229", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-06T18:23:48Z", + "aliases": [ + "CVE-2020-7919", + "GHSA-cjjc-xp8v-855w" + ], + "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte", + "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.16" + }, + { + "introduced": "1.13.0-0" + }, + { + "fixed": "1.13.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509" + } + ] + } + }, + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200124225646-8b5121be2f68" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/cryptobyte" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/216680" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/216677" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/36837" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" + } + ], + "credits": [ + { + "name": "Project Wycheproof" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0229", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0968", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-09-13T03:32:38Z", + "aliases": [ + "CVE-2021-43565", + "GHSA-gwc9-m7rh-j2ww" + ], + "summary": "Panic on malformed packets in golang.org/x/crypto/ssh", + "details": "Unauthenticated clients can cause a panic in SSH servers.\n\nWhen using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20211202192323-5770296d904e" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "Dial", + "NewClientConn", + "NewServerConn", + "chacha20Poly1305Cipher.readCipherPacket", + "curve25519sha256.Client", + "curve25519sha256.Server", + "dhGEXSHA.Client", + "dhGEXSHA.Server", + "dhGroup.Client", + "dhGroup.Server", + "ecdh.Client", + "ecdh.Server", + "gcmCipher.readCipherPacket" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs" + }, + { + "type": "REPORT", + "url": "https://go.dev/issues/49932" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/368814/" + } + ], + "credits": [ + { + "name": "Rod Hynes (Psiphon Inc)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0968", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1992", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-08-23T14:38:42Z", + "aliases": [ + "CVE-2019-11841", + "GHSA-x3jr-pf6g-c48f" + ], + "summary": "Misleading message verification in golang.org/x/crypto/openpgp/clearsign", + "details": "The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message.\n\nWith fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190424203555-c05e17bb3b2d" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/openpgp/clearsign", + "symbols": [ + "Decode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go-review.git.corp.google.com/c/crypto/+/173778" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442" + }, + { + "type": "WEB", + "url": "https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ" + } + ], + "credits": [ + { + "name": "Aida Mynzhasova (SEC Consult Vulnerability Lab)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1992", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2402", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-12-18T21:18:26Z", + "aliases": [ + "CVE-2023-48795", + "GHSA-45x7-px36-x8w8" + ], + "summary": "Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto", + "details": "A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware.\n\nThe impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features.\n\nThis protocol weakness was also fixed in OpenSSH 9.6.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.17.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "Client.Dial", + "Client.DialContext", + "Client.DialTCP", + "Client.Listen", + "Client.ListenTCP", + "Client.ListenUnix", + "Client.NewSession", + "Dial", + "DiscardRequests", + "NewClient", + "NewClientConn", + "NewServerConn", + "Request.Reply", + "Session.Close", + "Session.CombinedOutput", + "Session.Output", + "Session.RequestPty", + "Session.RequestSubsystem", + "Session.Run", + "Session.SendRequest", + "Session.Setenv", + "Session.Shell", + "Session.Signal", + "Session.Start", + "Session.WindowChange", + "channel.Accept", + "channel.Close", + "channel.CloseWrite", + "channel.Read", + "channel.ReadExtended", + "channel.Reject", + "channel.SendRequest", + "channel.Write", + "channel.WriteExtended", + "connectionState.readPacket", + "connectionState.writePacket", + "curve25519sha256.Client", + "curve25519sha256.Server", + "dhGEXSHA.Client", + "dhGEXSHA.Server", + "dhGroup.Client", + "dhGroup.Server", + "ecdh.Client", + "ecdh.Server", + "extChannel.Read", + "extChannel.Write", + "handshakeTransport.enterKeyExchange", + "handshakeTransport.readLoop", + "handshakeTransport.sendKexInit", + "mux.OpenChannel", + "mux.SendRequest", + "sessionStdin.Close", + "sshClientKeyboardInteractive.Challenge", + "tcpListener.Accept", + "tcpListener.Close", + "transport.readPacket", + "transport.writePacket", + "unixListener.Accept", + "unixListener.Close" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/64784" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/550715" + }, + { + "type": "FIX", + "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" + }, + { + "type": "WEB", + "url": "https://www.openssh.com/txt/release-9.6" + } + ], + "credits": [ + { + "name": "Fabian Bäumer (Ruhr University Bochum)" + }, + { + "name": "Marcus Brinkmann (Ruhr University Bochum)" + }, + { + "name": "Jörg Schwenk (Ruhr University Bochum)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2402", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2961", + "modified": "2024-07-02T19:27:52Z", + "published": "2024-07-02T19:27:52Z", + "aliases": [ + "CVE-2022-30636" + ], + "summary": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", + "details": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.\n\nSince the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220525230936-793ad666bf5e" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/acme/autocert", + "goos": [ + "windows" + ], + "symbols": [ + "DirCache.Delete", + "DirCache.Get", + "DirCache.Put", + "HostWhitelist", + "Manager.GetCertificate", + "Manager.Listener", + "NewListener", + "listener.Accept", + "listener.Close" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/408694" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53082" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2961", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-3321", + "modified": "2025-02-18T20:32:01Z", + "published": "2024-12-11T18:40:19Z", + "aliases": [ + "CVE-2024-45337", + "GHSA-v778-237x-gjrc" + ], + "summary": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto", + "details": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\nThe documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\nFor example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\nSince this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\nUsers should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.31.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "NewServerConn", + "ServerConfig.PublicKeyCallback", + "connection.serverAuthenticate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/635315" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/70779" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ" + } + ], + "credits": [ + { + "name": "Damien Tournoud (Platform.sh / Upsun)" + }, + { + "name": "Patrick Dawkins (Platform.sh / Upsun)" + }, + { + "name": "Vince Parker (Platform.sh / Upsun)" + }, + { + "name": "Jules Duvivier (Platform.sh / Upsun)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3321", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3487", + "modified": "2025-02-26T02:51:51Z", + "published": "2025-02-26T02:51:51Z", + "aliases": [ + "CVE-2025-22869" + ], + "summary": "Potential denial of service in golang.org/x/crypto", + "details": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.35.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "Client.Dial", + "Client.DialContext", + "Client.DialTCP", + "Client.Listen", + "Client.ListenTCP", + "Client.ListenUnix", + "Client.NewSession", + "Dial", + "DiscardRequests", + "NewClient", + "NewClientConn", + "NewServerConn", + "Request.Reply", + "Session.Close", + "Session.CombinedOutput", + "Session.Output", + "Session.RequestPty", + "Session.RequestSubsystem", + "Session.Run", + "Session.SendRequest", + "Session.Setenv", + "Session.Shell", + "Session.Signal", + "Session.Start", + "Session.WindowChange", + "channel.Accept", + "channel.Close", + "channel.CloseWrite", + "channel.Read", + "channel.ReadExtended", + "channel.Reject", + "channel.SendRequest", + "channel.Write", + "channel.WriteExtended", + "connection.SendAuthBanner", + "curve25519sha256.Client", + "curve25519sha256.Server", + "dhGEXSHA.Client", + "dhGEXSHA.Server", + "dhGroup.Client", + "dhGroup.Server", + "ecdh.Client", + "ecdh.Server", + "extChannel.Read", + "extChannel.Write", + "handshakeTransport.kexLoop", + "handshakeTransport.recordWriteError", + "handshakeTransport.writePacket", + "mux.OpenChannel", + "mux.SendRequest", + "newHandshakeTransport", + "sessionStdin.Close", + "sshClientKeyboardInteractive.Challenge", + "tcpListener.Accept", + "tcpListener.Close", + "unixListener.Accept", + "unixListener.Close" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/652135" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71931" + } + ], + "credits": [ + { + "name": "Yuichi Watanabe" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3487", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4116", + "modified": "2025-12-16T16:23:22Z", + "published": "2025-11-13T21:12:03Z", + "aliases": [ + "CVE-2025-47913" + ], + "summary": "Potential denial of service in golang.org/x/crypto/ssh/agent", + "details": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.43.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh/agent", + "symbols": [ + "agentKeyringSigner.Sign", + "agentKeyringSigner.SignWithAlgorithm", + "client.List", + "client.Sign", + "client.SignWithFlags", + "client.Signers" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/700295" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75178" + }, + { + "type": "WEB", + "url": "https://github.com/advisories/GHSA-56w8-48fp-6mgv" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + }, + { + "name": "Nicola Murino" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4116", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4134", + "modified": "2025-11-20T16:52:31Z", + "published": "2025-11-19T20:11:57Z", + "aliases": [ + "CVE-2025-58181", + "GHSA-j5w8-q4qc-rx2x" + ], + "summary": "Unbounded memory consumption in golang.org/x/crypto/ssh", + "details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.45.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh", + "symbols": [ + "NewServerConn", + "parseGSSAPIPayload" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/721961" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/76363" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4134", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4135", + "modified": "2025-11-20T16:52:31Z", + "published": "2025-11-19T20:11:57Z", + "aliases": [ + "CVE-2025-47914", + "GHSA-f6x5-jh6r-wrfv" + ], + "summary": "Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent", + "details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.", + "affected": [ + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.45.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/ssh/agent", + "symbols": [ + "ForwardToAgent", + "ServeAgent", + "parseConstraints" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/721960" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/76364" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4135", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2020-0001", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-36567", + "GHSA-6vm3-jj99-7229" + ], + "summary": "Arbitrary log line injection in github.com/gin-gonic/gin", + "details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.", + "affected": [ + { + "package": { + "name": "github.com/gin-gonic/gin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gin-gonic/gin", + "symbols": [ + "Default", + "Logger", + "LoggerWithConfig", + "LoggerWithFormatter", + "LoggerWithWriter" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2237" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" + } + ], + "credits": [ + { + "name": "@thinkerou \u003cthinkerou@gmail.com\u003e" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0001", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0052", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-28483", + "GHSA-h395-qcrw-5vmq" + ], + "summary": "Inconsistent interpretation of HTTP Requests in github.com/gin-gonic/gin", + "details": "Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.", + "affected": [ + { + "package": { + "name": "github.com/gin-gonic/gin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.7.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gin-gonic/gin", + "symbols": [ + "Context.ClientIP", + "Context.Next", + "Context.RemoteIP", + "Engine.HandleContext", + "Engine.Run", + "Engine.RunFd", + "Engine.RunListener", + "Engine.RunTLS", + "Engine.RunUnix", + "Engine.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2862" + }, + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2473" + }, + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/2232" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2844" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2632" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/2675" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9" + }, + { + "type": "WEB", + "url": "https://github.com/gin-gonic/gin/pull/2474" + } + ], + "credits": [ + { + "name": "@sorenisanerd" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0052", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1737", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-05-11T18:59:56Z", + "aliases": [ + "CVE-2023-29401", + "GHSA-2c4m-59x9-fr2g" + ], + "summary": "Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin", + "details": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\nIf the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.", + "affected": [ + { + "package": { + "name": "github.com/gin-gonic/gin", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.3.1-0.20190301021747-ccb9e902956d" + }, + { + "fixed": "1.9.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/gin-gonic/gin", + "symbols": [ + "Context.FileAttachment" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://github.com/gin-gonic/gin/issues/3555" + }, + { + "type": "FIX", + "url": "https://github.com/gin-gonic/gin/pull/3556" + }, + { + "type": "WEB", + "url": "https://github.com/gin-gonic/gin/releases/tag/v1.9.1" + } + ], + "credits": [ + { + "name": "motoyasu-saburi" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1737", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0067", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2021-27919" + ], + "summary": "Panic when opening archives in archive/zip", + "details": "Using Reader.Open on an archive containing a file with a path prefixed by \"../\" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "toValidName" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/300489" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/44916" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0067", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0069", + "modified": "2024-05-20T16:03:47Z", + "published": "2021-04-14T20:04:52Z", + "aliases": [ + "CVE-2020-28362" + ], + "summary": "Panic during division of very large numbers in math/big", + "details": "A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.14.0-0" + }, + { + "fixed": "1.14.12" + }, + { + "introduced": "1.15.0-0" + }, + { + "fixed": "1.15.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "nat.divRecursiveStep" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/269657" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/42552" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0069", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0142", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:11:09Z", + "aliases": [ + "CVE-2020-16845", + "GHSA-q6gq-997w-f55g" + ], + "summary": "Unbounded read from invalid inputs in encoding/binary", + "details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.15" + }, + { + "introduced": "1.14.0-0" + }, + { + "fixed": "1.14.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/binary", + "symbols": [ + "ReadUvarint", + "ReadVarint" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/247120" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/40618" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo" + } + ], + "credits": [ + { + "name": "Diederik Loerakker" + }, + { + "name": "Jonny Rhea" + }, + { + "name": "Raúl Kripalani" + }, + { + "name": "Preston Van Loon" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0142", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0154", + "modified": "2024-06-03T20:51:31Z", + "published": "2022-05-25T21:11:41Z", + "aliases": [ + "CVE-2014-7189" + ], + "summary": "Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls", + "details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.1.0-0" + }, + { + "fixed": "1.3.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "checkForResumption", + "decryptTicket" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/148080043" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53085" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ" + } + ], + "credits": [ + { + "name": "Go Team" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0154", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0159", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-05T21:39:14Z", + "aliases": [ + "CVE-2015-5739", + "CVE-2015-5740", + "CVE-2015-5741" + ], + "summary": "Request smuggling due to improper header parsing in net/http", + "details": "HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "CanonicalMIMEHeaderKey", + "body.readLocked", + "canonicalMIMEHeaderKey", + "chunkWriter.writeHeader", + "fixLength", + "fixTransferEncoding", + "readTransfer", + "transferWriter.shouldSendContentLength", + "validHeaderFieldByte" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/13148" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/11772" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/11810" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/12865" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/12027" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/11930" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ" + } + ], + "credits": [ + { + "name": "Jed Denlea" + }, + { + "name": "Régis Leroy" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0159", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0160", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-05T15:31:16Z", + "aliases": [ + "CVE-2015-8618" + ], + "summary": "Incorrect calculation affecting RSA computations in math/big", + "details": "Int.Exp Montgomery mishandled carry propagation and produced an incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.\n\nThis issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.\n\nSpecifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.\n\nNote that on 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.5.0-0" + }, + { + "fixed": "1.5.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "nat.expNNMontgomery", + "nat.montgomery" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/18491" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/17672" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/13515" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MEATuOi_ei4" + } + ], + "credits": [ + { + "name": "Nick Craig-Wood" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0160", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0163", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-05T22:41:50Z", + "aliases": [ + "CVE-2016-3958" + ], + "summary": "Privilege escalation on Windows via malicious DLL in syscall", + "details": "Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.4" + }, + { + "introduced": "1.6.0-0" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "LoadLibrary" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/21428" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6a0bb87bd0bf0fdf8ddbd35f77a75ebd412f61b0" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/14959" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0163", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0172", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-15T23:56:14Z", + "aliases": [ + "CVE-2017-1000098" + ], + "summary": "Denial of service when parsing large forms in mime/multipart", + "details": "When parsing large multipart/form-data, an attacker can cause a HTTP server to open a large number of file descriptors. This may be used as a denial-of-service vector.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + }, + { + "introduced": "1.7.0-0" + }, + { + "fixed": "1.7.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "mime/multipart", + "symbols": [ + "Reader.readForm" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/30410" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/16296" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" + } + ], + "credits": [ + { + "name": "Simon Rawet" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0172", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0178", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-07T20:35:00Z", + "aliases": [ + "CVE-2017-15042" + ], + "summary": "Cleartext transmission of credentials in net/smtp", + "details": "SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.1.0-0" + }, + { + "fixed": "1.8.4" + }, + { + "introduced": "1.9.0-0" + }, + { + "fixed": "1.9.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/smtp", + "symbols": [ + "plainAuth.Start" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/68170" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/22134" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ" + } + ], + "credits": [ + { + "name": "Stevie Johnstone" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0178", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0223", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:46:03Z", + "aliases": [ + "CVE-2020-14039" + ], + "summary": "Certificate verification error on Windows in crypto/x509", + "details": "On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.13" + }, + { + "introduced": "1.14.0-0" + }, + { + "fixed": "1.14.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "windows" + ], + "symbols": [ + "Certificate.systemVerify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/242597" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/39360" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" + } + ], + "credits": [ + { + "name": "Niall Newman" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0223", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0224", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:36:04Z", + "aliases": [ + "CVE-2020-15586" + ], + "summary": "Data race and crash in net/http", + "details": "HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.13" + }, + { + "introduced": "1.14.0-0" + }, + { + "fixed": "1.14.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "expectContinueReader.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/242598" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34902" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" + } + ], + "credits": [ + { + "name": "Mikael Manukyan" + }, + { + "name": "Andrew Kutz" + }, + { + "name": "Dave McClure" + }, + { + "name": "Tim Downey" + }, + { + "name": "Clay Kauzlaric" + }, + { + "name": "Gabe Rosenhouse" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0224", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0226", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-13T03:44:58Z", + "aliases": [ + "CVE-2020-24553" + ], + "summary": "Cross-site scripting in net/http/cgi and net/http/fcgi", + "details": "When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.\n\nThe Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.\n\nAlthough this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.8" + }, + { + "introduced": "1.15.0-0" + }, + { + "fixed": "1.15.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/cgi", + "symbols": [ + "response.Write", + "response.WriteHeader", + "response.writeCGIHeader" + ] + }, + { + "path": "net/http/fcgi", + "symbols": [ + "response.Write", + "response.WriteHeader", + "response.writeCGIHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/252179" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/40928" + } + ], + "credits": [ + { + "name": "RedTeam Pentesting GmbH" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0226", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0234", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:34:24Z", + "aliases": [ + "CVE-2021-27918" + ], + "summary": "Infinite loop when decoding inputs in encoding/xml", + "details": "The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.9" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.Token" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/300391" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/d0b79e3513a29628f3599dc8860666b6eed75372" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/44913" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw" + } + ], + "credits": [ + { + "name": "Sam Whited" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0234", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0235", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:34:14Z", + "aliases": [ + "CVE-2021-3114" + ], + "summary": "Incorrect operations on the P-224 curve in crypto/elliptic", + "details": "The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.14.14" + }, + { + "introduced": "1.15.0-0" + }, + { + "fixed": "1.15.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "p224Contract" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/284779" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/d95ca9138026cbe40e0857d76a81a16d03230871" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/43786" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w" + } + ], + "credits": [ + { + "name": "The elliptic-curve-differential-fuzzer project running on OSS-Fuzz" + }, + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0235", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0239", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:33:35Z", + "aliases": [ + "CVE-2021-33195" + ], + "summary": "Improper sanitization when resolving values from DNS in net", + "details": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net", + "symbols": [ + "Resolver.LookupAddr", + "Resolver.LookupCNAME", + "Resolver.LookupMX", + "Resolver.LookupNS", + "Resolver.LookupSRV" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/320949" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46241" + } + ], + "credits": [ + { + "name": "Philipp Jeitner" + }, + { + "name": "Haya Shulman from Fraunhofer SIT" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0239", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0240", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:33:25Z", + "aliases": [ + "CVE-2021-33196" + ], + "summary": "Panic when reading certain archives in archive/zip", + "details": "NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "Reader.init" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/318909" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46242" + } + ], + "credits": [ + { + "name": "OSS-Fuzz (discovery)" + }, + { + "name": "Emmanuel Odeke (reporter)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0240", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0241", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:33:16Z", + "aliases": [ + "CVE-2021-33197" + ], + "summary": "Attacker can drop certain headers in net/http/httputil", + "details": "ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/httputil", + "symbols": [ + "ReverseProxy.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/321929" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46313" + } + ], + "credits": [ + { + "name": "Mattias Grenfeldt (https://grenfeldt.dev)" + }, + { + "name": "Asta Olofsson" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0241", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0242", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:33:07Z", + "aliases": [ + "CVE-2021-33198" + ], + "summary": "Panic on inputs with large exponents in math/big", + "details": "Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.13" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Rat.SetString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/316149" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6c591f79b0b5327549bd4e94970f7a279efb4ab0" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/45910" + } + ], + "credits": [ + { + "name": "The OSS-Fuzz project (discovery)" + }, + { + "name": "Emmanuel Odeke (reporter)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0242", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0243", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:32:57Z", + "aliases": [ + "CVE-2021-34558" + ], + "summary": "Panic on certain certificates in crypto/tls", + "details": "crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.14" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "rsaKeyAgreement.generateClientKeyExchange" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/334031" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/47143" + } + ], + "credits": [ + { + "name": "Imre Rad" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0243", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0245", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-02-17T17:32:24Z", + "aliases": [ + "CVE-2021-36221" + ], + "summary": "Panic in ReverseProxy in net/http/httputil", + "details": "ReverseProxy can panic after encountering a problem copying a proxied response body.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.15" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/httputil", + "symbols": [ + "ReverseProxy.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/333191" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/uHACNfXAZqk" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/46866" + } + ], + "credits": [ + { + "name": "Andrew Crump" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0245", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0263", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-13T03:45:03Z", + "aliases": [ + "CVE-2021-41771" + ], + "summary": "Panic on invalid symbol tables in debug/macho", + "details": "Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.10" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "debug/macho", + "symbols": [ + "NewFile" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/367075" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/61536ec03063b4951163bd09609c86d82631fa27" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/48990" + } + ], + "credits": [ + { + "name": "Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0263", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0264", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-01-13T20:54:43Z", + "aliases": [ + "CVE-2021-41772" + ], + "summary": "Panic when opening certain archives in archive/zip", + "details": "Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or \"..\" path elements.\n\nOpen could also panic if passed the empty string directly as an argument.\n\nNow, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.\n\nNote that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.\n\nFinally, the actual panic site was made robust as a defense-in-depth measure.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.10" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "Reader.Open", + "split" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/349770" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/48085" + } + ], + "credits": [ + { + "name": "Colin Arnott (SiteHost)" + }, + { + "name": "Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0264", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0317", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-23T22:15:42Z", + "aliases": [ + "CVE-2022-23772" + ], + "summary": "Uncontrolled memory consumption in math/big", + "details": "Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.14" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Rat.SetString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/379537" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ad345c265916bbf6c646865e4642eafce6d39e78" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50699" + } + ], + "credits": [ + { + "name": "Emmanuel Odeke" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0317", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0319", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-23T22:15:21Z", + "aliases": [ + "CVE-2022-23806" + ], + "summary": "Incorrect computation for some invalid field elements in crypto/elliptic", + "details": "Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.14" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "CurveParams.IsOnCurve", + "p384PointFromAffine", + "p521PointFromAffine" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/382455" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50974" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0319", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2021-0347", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-23T22:15:47Z", + "aliases": [ + "CVE-2022-24921" + ], + "summary": "Stack exhaustion when compiling deeply nested expressions in regexp", + "details": "On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.15" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "regexp", + "symbols": [ + "regexp.Compile" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/384616" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51112" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk" + } + ], + "credits": [ + { + "name": "Juho Nurminen" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0347", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0166", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-24T22:06:33Z", + "aliases": [ + "CVE-2016-3959" + ], + "summary": "Denial of service due to unchecked parameters in crypto/dsa", + "details": "The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.4" + }, + { + "introduced": "1.6.0-0" + }, + { + "fixed": "1.6.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/dsa", + "symbols": [ + "Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/21533" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/15184" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" + } + ], + "credits": [ + { + "name": "David Wong" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0166", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0171", + "modified": "2024-06-03T20:51:31Z", + "published": "2022-05-24T20:17:59Z", + "aliases": [ + "CVE-2017-1000097" + ], + "summary": "Mishandled trust preferences for root certificates on Darwin in crypto/x509", + "details": "On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.4" + }, + { + "introduced": "1.7.0-0" + }, + { + "fixed": "1.7.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "darwin" + ], + "symbols": [ + "FetchPEMRoots", + "execSecurityRoots" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/18141" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" + } + ], + "credits": [ + { + "name": "Xy Ziemba" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0171", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0187", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:11:15Z", + "aliases": [ + "CVE-2017-8932" + ], + "summary": "Incorrect computation for P-256 curves in crypto/elliptic", + "details": "The ScalarMult implementation of curve P-256 for amd64 architectures generates incorrect results for certain specific input points. An adaptive attack can progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.6.0-0" + }, + { + "fixed": "1.7.6" + }, + { + "introduced": "1.8.0-0" + }, + { + "fixed": "1.8.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "goarch": [ + "amd64" + ], + "symbols": [ + "p256SubInternal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/41070" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/20040" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ" + } + ], + "credits": [ + { + "name": "Vlad Krasnov" + }, + { + "name": "Filippo Valsorda at Cloudflare" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0187", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0191", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:03:26Z", + "aliases": [ + "CVE-2018-16875" + ], + "summary": "Denial of service in chain verification in crypto/x509", + "details": "The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.6" + }, + { + "introduced": "1.11.0-0" + }, + { + "fixed": "1.11.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "CertPool.findVerifiedParents", + "Certificate.buildChains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/154105" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29233" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" + } + ], + "credits": [ + { + "name": "Netflix" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0191", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0211", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-01T20:15:30Z", + "aliases": [ + "CVE-2019-14809" + ], + "summary": "Incorrect parsing validation in net/url", + "details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.13" + }, + { + "introduced": "1.12.0-0" + }, + { + "fixed": "1.12.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "URL.Hostname", + "URL.Port", + "parseHost" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/189258" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29098" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg" + } + ], + "credits": [ + { + "name": "Julian Hector" + }, + { + "name": "Nikolai Krein from Cure53" + }, + { + "name": "Adi Cohen (adico.me)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0211", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0212", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-23T22:46:20Z", + "aliases": [ + "CVE-2019-16276" + ], + "summary": "Request smuggling due to accepting invalid headers in net/http via net/textproto", + "details": "net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.\n\nIf a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.10" + }, + { + "introduced": "1.13.0-0" + }, + { + "fixed": "1.13.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadMimeHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/197503" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/41b1f88efab9d263408448bf139659119002ea50" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34540" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/cszieYyuL9Q/m/g4Z7pKaqAgAJ" + } + ], + "credits": [ + { + "name": "Andrew Stucki (99designs.com)" + }, + { + "name": "Adam Scarr (99designs.com)" + }, + { + "name": "Jan Masarik (masarik.sh)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0212", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0213", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-24T20:14:11Z", + "aliases": [ + "CVE-2019-17596" + ], + "summary": "Panic on invalid DSA public keys in crypto/dsa", + "details": "Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.\n\nMoreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.11" + }, + { + "introduced": "1.13.0-0" + }, + { + "fixed": "1.13.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/dsa", + "symbols": [ + "Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/205441" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/552987fdbf4c2bc9641016fd323c3ae5d3a0d9a3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/34960" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/lVEm7llp0w0/m/VbafyRkgCgAJ" + } + ], + "credits": [ + { + "name": "Daniel M" + }, + { + "name": "ragona" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0213", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0217", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-24T15:21:01Z", + "aliases": [ + "CVE-2019-6486" + ], + "summary": "Denial of service affecting P-521 and P-384 curves in crypto/elliptic", + "details": "A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.\n\nThese inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.8" + }, + { + "introduced": "1.11.0-0" + }, + { + "fixed": "1.11.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "curve.doubleJacobian" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/159218" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/29903" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mVeX35iXuSw" + } + ], + "credits": [ + { + "name": "Wycheproof Project" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0217", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0220", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-25T18:01:46Z", + "aliases": [ + "CVE-2019-9634" + ], + "summary": "DLL injection on Windows in runtime and syscall", + "details": "Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.10" + }, + { + "introduced": "1.12.0-0" + }, + { + "fixed": "1.12.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "runtime", + "goos": [ + "windows" + ] + }, + { + "path": "syscall", + "goos": [ + "windows" + ], + "symbols": [ + "LoadDLL" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/165798" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/28978" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ" + } + ], + "credits": [ + { + "name": "Samuel Cochran" + }, + { + "name": "Jason Donenfeld" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0220", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0229", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-06T18:23:48Z", + "aliases": [ + "CVE-2020-7919", + "GHSA-cjjc-xp8v-855w" + ], + "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte", + "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.16" + }, + { + "introduced": "1.13.0-0" + }, + { + "fixed": "1.13.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509" + } + ] + } + }, + { + "package": { + "name": "golang.org/x/crypto", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20200124225646-8b5121be2f68" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/crypto/cryptobyte" + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/216680" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/216677" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/36837" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" + } + ], + "credits": [ + { + "name": "Project Wycheproof" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0229", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0236", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:04:18Z", + "aliases": [ + "CVE-2021-31525", + "GHSA-h86h-8ppg-mxmh" + ], + "summary": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts", + "details": "A malicious HTTP server or client can cause the net/http client or server to panic.\n\nReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.\n\nThis also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.15.12" + }, + { + "introduced": "1.16.0-0" + }, + { + "fixed": "1.16.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2clientStream.writeRequest", + "http2isConnectionCloseRequest", + "isProtocolSwitchHeader", + "shouldClose" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20210428140749-89ef3d95e781" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http/httpguts", + "symbols": [ + "HeaderValuesContainsToken", + "headerValueContainsToken" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/313069" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/45710" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0236", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0273", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-18T18:23:31Z", + "aliases": [ + "CVE-2021-39293" + ], + "summary": "Panic due to crafted inputs in archive/zip", + "details": "The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.8" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "NewReader", + "OpenReader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/343434" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/47801" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw" + } + ], + "credits": [ + { + "name": "OSS-Fuzz Project" + }, + { + "name": "Emmanuel Odeke" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0273", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0288", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:08:33Z", + "aliases": [ + "CVE-2021-44716", + "GHSA-vc3p-29h2-gpcp" + ], + "summary": "Unbounded memory growth in net/http and golang.org/x/net/http2", + "details": "An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.12" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20211209124913-491a49abca63" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/369794" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50058" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" + } + ], + "credits": [ + { + "name": "murakmii" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0288", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0289", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-18T18:23:23Z", + "aliases": [ + "CVE-2021-44717" + ], + "summary": "Misdirected I/O in syscall", + "details": "When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.\n\nFor users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.12" + }, + { + "introduced": "1.17.0-0" + }, + { + "fixed": "1.17.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "ForkExec" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/370576" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/50057" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/370577" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/370795" + } + ], + "credits": [ + { + "name": "Tomasz Maczukin" + }, + { + "name": "Kamil Trzciński of GitLab" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0289", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0433", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-20T21:17:25Z", + "aliases": [ + "CVE-2022-24675" + ], + "summary": "Stack overflow from a large amount of PEM data in encoding/pem", + "details": "encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.9" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/pem", + "symbols": [ + "Decode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/399820" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/45c3387d777caf28f4b992ad9a6216e3085bb8fe" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51853" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0433", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0434", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-23T21:59:00Z", + "aliases": [ + "CVE-2022-27536" + ], + "summary": "Panic during certificate parsing on Darwin in crypto/x509", + "details": "Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.\n\nThese chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "darwin" + ], + "symbols": [ + "Certificate.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/393655" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/0fca8a8f25cf4636fd980e72ba0bded4230922de" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/51759" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ], + "credits": [ + { + "name": "Tailscale" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0434", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0435", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-05-20T21:17:46Z", + "aliases": [ + "CVE-2022-28327" + ], + "summary": "Panic due to large inputs affecting P-256 curves in crypto/elliptic", + "details": "A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.9" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/elliptic", + "symbols": [ + "CurveParams.ScalarBaseMult", + "CurveParams.ScalarMult", + "p256Curve.CombinedMult", + "p256Curve.ScalarBaseMult", + "p256Curve.ScalarMult", + "p256GetScalar" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/397135" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52075" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" + } + ], + "credits": [ + { + "name": "Project Wycheproof" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0435", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0477", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-06-09T01:43:37Z", + "aliases": [ + "CVE-2022-30634" + ], + "summary": "Indefinite hang with large buffers on Windows in crypto/rand", + "details": "On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 \u003c\u003c 32 - 1 bytes.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/rand", + "goos": [ + "windows" + ], + "symbols": [ + "Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/402257" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52561" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ], + "credits": [ + { + "name": "Davis Goodin" + }, + { + "name": "Quim Muntal of Microsoft" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0477", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0493", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-15T23:30:12Z", + "aliases": [ + "CVE-2022-29526", + "GHSA-p782-xgp4-8hr8" + ], + "summary": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix", + "details": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.10" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "symbols": [ + "Faccessat" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/sys", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220412211240-33da011f77ad" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/sys/unix", + "symbols": [ + "Faccessat" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/399539" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52313" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/400074" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" + } + ], + "credits": [ + { + "name": "Joël Gähwiler (@256dpi)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0493", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0515", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T17:01:45Z", + "aliases": [ + "CVE-2022-1962" + ], + "summary": "Stack exhaustion due to deeply nested types in go/parser", + "details": "Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "go/parser", + "symbols": [ + "ParseExprFrom", + "ParseFile", + "parser.parseBinaryExpr", + "parser.parseIfStmt", + "parser.parsePrimaryExpr", + "parser.parseStmt", + "parser.parseUnaryExpr", + "parser.tryIdentOrType", + "resolver.closeScope", + "resolver.openScope" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417063" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53616" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0515", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0520", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-28T17:23:05Z", + "aliases": [ + "CVE-2022-32148" + ], + "summary": "Exposure of client IP addresses in net/http", + "details": "Client IP adresses may be unintentionally exposed via X-Forwarded-For headers.\n\nWhen httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation.\n\nIn the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Header.Clone" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/412857" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53423" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "credits": [ + { + "name": "Christian Mehlmauer" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0520", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0521", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T17:02:04Z", + "aliases": [ + "CVE-2022-28131" + ], + "summary": "Stack exhaustion from deeply nested XML documents in encoding/xml", + "details": "Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.Skip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417062" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53614" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "credits": [ + { + "name": "Go Security Team" + }, + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0521", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0522", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T17:02:29Z", + "aliases": [ + "CVE-2022-30632" + ], + "summary": "Stack exhaustion on crafted paths in path/filepath", + "details": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "symbols": [ + "Glob" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417066" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53416" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0522", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0523", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T20:52:06Z", + "aliases": [ + "CVE-2022-30633" + ], + "summary": "Stack exhaustion when unmarshaling certain documents in encoding/xml", + "details": "Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/xml", + "symbols": [ + "Decoder.DecodeElement", + "Decoder.unmarshal", + "Decoder.unmarshalPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417061" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53611" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0523", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0524", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T20:52:11Z", + "aliases": [ + "CVE-2022-30631" + ], + "summary": "Stack exhaustion when reading certain archives in compress/gzip", + "details": "Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "compress/gzip", + "symbols": [ + "Reader.Read" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417067" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53168" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0524", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0525", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-25T17:34:18Z", + "aliases": [ + "CVE-2022-1705" + ], + "summary": "Improper sanitization of Transfer-Encoding headers in net/http", + "details": "The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a \"chunked\" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "transferReader.parseTransferEncoding" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/409874" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53188" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/410714" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "credits": [ + { + "name": "Zeyu Zhang (https://www.zeyu2001.com/)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0525", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0526", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T20:52:17Z", + "aliases": [ + "CVE-2022-30635" + ], + "summary": "Stack exhaustion when decoding certain messages in encoding/gob", + "details": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/gob", + "symbols": [ + "Decoder.compileDec", + "Decoder.compileIgnoreSingle", + "Decoder.decIgnoreOpFor" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417064" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53615" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0526", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0527", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-20T20:52:22Z", + "aliases": [ + "CVE-2022-30630" + ], + "summary": "Stack exhaustion in Glob on certain paths in io/fs", + "details": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.12" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "io/fs", + "symbols": [ + "Glob" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417065" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53415" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0527", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0531", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-28T17:24:57Z", + "aliases": [ + "CVE-2022-30629" + ], + "summary": "Session tickets lack random ticket_age_add in crypto/tls", + "details": "An attacker can correlate a resumed TLS session with a previous connection.\n\nSession tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "serverHandshakeStateTLS13.sendSessionTickets" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/405994" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52814" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ], + "credits": [ + { + "name": "Github user @nervuri" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0531", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0532", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-26T21:41:20Z", + "aliases": [ + "CVE-2022-30580" + ], + "summary": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows", + "details": "On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either \"..com\" or \"..exe\".", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "os/exec", + "goos": [ + "windows" + ], + "symbols": [ + "Cmd.Start" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/403759" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52574" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ], + "credits": [ + { + "name": "Chris Darroch (chrisd8088@github.com)" + }, + { + "name": "brian m. carlson (bk2204@github.com)" + }, + { + "name": "Mikhail Shcherbakov (https://twitter.com/yu5k3)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0532", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0533", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-07-28T17:25:07Z", + "aliases": [ + "CVE-2022-29804" + ], + "summary": "Path traversal via Clean on Windows in path/filepath", + "details": "On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack.\n\nFor example, Clean(\".\\c:\") returns \"c:\".", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.11" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Clean" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/401595" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/52476" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" + } + ], + "credits": [ + { + "name": "Unrud" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0533", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0535", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-01T22:21:17Z", + "aliases": [ + "CVE-2020-0601" + ], + "summary": "Certificate validation bypass on Windows in crypto/x509", + "details": "A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use.\n\nA workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system.\n\nSee https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.16" + }, + { + "introduced": "1.13.0-0" + }, + { + "fixed": "1.13.7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "goos": [ + "windows" + ], + "symbols": [ + "Certificate.systemVerify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/215905" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/36834" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0535", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0536", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-01T22:20:53Z", + "aliases": [ + "CVE-2019-9512", + "CVE-2019-9514", + "GHSA-39qc-96h7-956f", + "GHSA-hgr8-6h9x-f7q9" + ], + "summary": "Reset flood in net/http and golang.org/x/net/http", + "details": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.13" + }, + { + "introduced": "1.12.0-0" + }, + { + "fixed": "1.12.8" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "http2serverConn.scheduleFrameWrite", + "http2serverConn.serve", + "http2serverConn.writeFrame" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20190813141303-74dc4d7220e7" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.scheduleFrameWrite", + "serverConn.serve", + "serverConn.writeFrame" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/190137" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/33606" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ" + } + ], + "credits": [ + { + "name": "Jonathan Looney of Netflix" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0536", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0537", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-01T22:21:06Z", + "aliases": [ + "CVE-2022-32189" + ], + "summary": "Panic when decoding Float and Rat types in math/big", + "details": "Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.17.13" + }, + { + "introduced": "1.18.0-0" + }, + { + "fixed": "1.18.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "math/big", + "symbols": [ + "Float.GobDecode", + "Rat.GobDecode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/417774" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/53871" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/YqYYG87xB10" + } + ], + "credits": [ + { + "name": "@catenacyber" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0537", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0761", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-08-09T17:05:15Z", + "aliases": [ + "CVE-2016-5386" + ], + "summary": "Improper input validation in net/http and net/http/cgi", + "details": "An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests.\n\nThis environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.\n\nRead more about \"httpoxy\" here: https://httpoxy.org.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Handler.ServeHTTP" + ] + }, + { + "path": "net/http/cgi", + "symbols": [ + "ProxyFromEnvironment" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/25010" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/16405" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ" + } + ], + "credits": [ + { + "name": "Dominic Scheirlinck" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0761", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0969", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-09-12T20:23:06Z", + "aliases": [ + "CVE-2022-27664", + "GHSA-69cg-p879-7622" + ], + "summary": "Denial of service in net/http and golang.org/x/net/http2", + "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.6" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.goAway" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.0-20220906165146-f3363e06e74c" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.goAway" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/54658" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/428735" + } + ], + "credits": [ + { + "name": "Bahruz Jabiyev" + }, + { + "name": "Tommaso Innocenti" + }, + { + "name": "Anthony Gavazzi" + }, + { + "name": "Steven Sprecher" + }, + { + "name": "Kaan Onarlioglu" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0969", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-0988", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-09-12T20:23:15Z", + "aliases": [ + "CVE-2022-32190" + ], + "summary": "Failure to strip relative path components in net/url", + "details": "JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath(\"https://go.dev\", \"../go\") returns the URL \"https://go.dev/../go\", despite the JoinPath documentation stating that ../ path elements are removed from the result.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "JoinPath", + "URL.JoinPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/54385" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/423514" + } + ], + "credits": [ + { + "name": "@q0jt" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0988", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1037", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-10-06T16:26:05Z", + "aliases": [ + "CVE-2022-2879" + ], + "summary": "Unbounded memory consumption when reading headers in archive/tar", + "details": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.7" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/tar", + "symbols": [ + "Reader.Next", + "Reader.next", + "Writer.WriteHeader", + "Writer.writePAXHeader", + "parsePAX" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/54853" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/439355" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics)" + }, + { + "name": "OSS-Fuzz" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1037", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1038", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-10-06T16:42:43Z", + "aliases": [ + "CVE-2022-2880" + ], + "summary": "Incorrect sanitization of forwarded query parameters in net/http/httputil", + "details": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value.\n\nAfter fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.7" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/httputil", + "symbols": [ + "ReverseProxy.ServeHTTP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/54663" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/432976" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" + } + ], + "credits": [ + { + "name": "Gal Goldstein (Security Researcher, Oxeye)" + }, + { + "name": "Daniel Abeles (Head of Research, Oxeye)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1038", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1039", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-10-06T16:42:07Z", + "aliases": [ + "CVE-2022-41715" + ], + "summary": "Memory exhaustion when compiling regular expressions in regexp/syntax", + "details": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service.\n\nThe parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.\n\nAfter fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.7" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "regexp/syntax", + "symbols": [ + "Parse", + "parse", + "parser.factor", + "parser.push", + "parser.repeat" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/55949" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/439356" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics)" + }, + { + "name": "OSS-Fuzz" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1039", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1095", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-11-01T23:55:57Z", + "aliases": [ + "CVE-2022-41716" + ], + "summary": "Unsanitized NUL in environment variables on Windows in syscall and os/exec", + "details": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.\n\nIn syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.8" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "goos": [ + "windows" + ], + "symbols": [ + "StartProcess" + ] + }, + { + "path": "os/exec", + "goos": [ + "windows" + ], + "symbols": [ + "Cmd.CombinedOutput", + "Cmd.Environ", + "Cmd.Output", + "Cmd.Run", + "Cmd.Start", + "Cmd.environ", + "dedupEnv", + "dedupEnvCase" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56284" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/446916" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ" + } + ], + "credits": [ + { + "name": "RyotaK (https://twitter.com/ryotkak)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1095", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1143", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-12-07T16:08:45Z", + "aliases": [ + "CVE-2022-41720" + ], + "summary": "Restricted file access on Windows in os and net/http", + "details": "On Windows, restricted files can be accessed via os.DirFS and http.Dir.\n\nThe os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.\n\nIn addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.\n\nWith fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "os", + "goos": [ + "windows" + ], + "symbols": [ + "DirFS", + "dirFS.Open", + "dirFS.Stat" + ] + }, + { + "path": "net/http", + "goos": [ + "windows" + ], + "symbols": [ + "Dir.Open", + "ServeFile", + "fileHandler.ServeHTTP", + "fileTransport.RoundTrip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56694" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455716" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1143", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2022-1144", + "modified": "2024-05-20T16:03:47Z", + "published": "2022-12-08T19:01:21Z", + "aliases": [ + "CVE-2022-41717", + "GHSA-xrjj-mj9h-534m" + ], + "summary": "Excessive memory growth in net/http and golang.org/x/net/http2", + "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.18.9" + }, + { + "introduced": "1.19.0-0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.canonicalHeader" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.4.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.canonicalHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56350" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455717" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/455635" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" + } + ], + "credits": [ + { + "name": "Josselin Costanzi" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1144", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1568", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-02-16T19:49:19Z", + "aliases": [ + "CVE-2022-41722" + ], + "summary": "Path traversal on Windows in path/filepath", + "details": "A path traversal vulnerability exists in filepath.Clean on Windows.\n\nOn Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.\n\nAfter fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Walk", + "WalkDir" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57274" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468123" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ], + "credits": [ + { + "name": "RyotaK (https://ryotak.net)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1568", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1569", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-02-21T20:44:30Z", + "aliases": [ + "CVE-2022-41725" + ], + "summary": "Excessive resource consumption in mime/multipart", + "details": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart.\n\nMultipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.\n\nReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.\n\nWith fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.\n\nIn addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.\n\nUsers should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "mime/multipart", + "symbols": [ + "Reader.ReadForm" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/58006" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468124" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ], + "credits": [ + { + "name": "Arpad Ryszka" + }, + { + "name": "Jakob Ackermann (@das7pad)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1569", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1570", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-02-16T22:24:51Z", + "aliases": [ + "CVE-2022-41724" + ], + "summary": "Panic on large handshake records in crypto/tls", + "details": "Large handshake records may cause panics in crypto/tls.\n\nBoth clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.\n\nThis affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth \u003e= RequestClientCert).", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Conn.clientHandshake", + "Conn.handleKeyUpdate", + "Conn.handlePostHandshakeMessage", + "Conn.handleRenegotiation", + "Conn.loadSession", + "Conn.readClientHello", + "Conn.readHandshake", + "Conn.writeRecord", + "ConnectionState.ExportKeyingMaterial", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "certificateMsg.marshal", + "certificateMsgTLS13.marshal", + "certificateRequestMsg.marshal", + "certificateRequestMsgTLS13.marshal", + "certificateStatusMsg.marshal", + "certificateVerifyMsg.marshal", + "cipherSuiteTLS13.expandLabel", + "clientHandshakeState.doFullHandshake", + "clientHandshakeState.handshake", + "clientHandshakeState.readFinished", + "clientHandshakeState.readSessionTicket", + "clientHandshakeState.sendFinished", + "clientHandshakeStateTLS13.handshake", + "clientHandshakeStateTLS13.processHelloRetryRequest", + "clientHandshakeStateTLS13.readServerCertificate", + "clientHandshakeStateTLS13.readServerFinished", + "clientHandshakeStateTLS13.readServerParameters", + "clientHandshakeStateTLS13.sendClientCertificate", + "clientHandshakeStateTLS13.sendClientFinished", + "clientHandshakeStateTLS13.sendDummyChangeCipherSpec", + "clientHelloMsg.marshal", + "clientHelloMsg.marshalWithoutBinders", + "clientHelloMsg.updateBinders", + "clientKeyExchangeMsg.marshal", + "encryptedExtensionsMsg.marshal", + "endOfEarlyDataMsg.marshal", + "finishedMsg.marshal", + "handshakeMessage.marshal", + "helloRequestMsg.marshal", + "keyUpdateMsg.marshal", + "newSessionTicketMsg.marshal", + "newSessionTicketMsgTLS13.marshal", + "serverHandshakeState.doFullHandshake", + "serverHandshakeState.doResumeHandshake", + "serverHandshakeState.readFinished", + "serverHandshakeState.sendFinished", + "serverHandshakeState.sendSessionTicket", + "serverHandshakeStateTLS13.checkForResumption", + "serverHandshakeStateTLS13.doHelloRetryRequest", + "serverHandshakeStateTLS13.readClientCertificate", + "serverHandshakeStateTLS13.readClientFinished", + "serverHandshakeStateTLS13.sendDummyChangeCipherSpec", + "serverHandshakeStateTLS13.sendServerCertificate", + "serverHandshakeStateTLS13.sendServerFinished", + "serverHandshakeStateTLS13.sendServerParameters", + "serverHandshakeStateTLS13.sendSessionTickets", + "serverHelloDoneMsg.marshal", + "serverHelloMsg.marshal", + "serverKeyExchangeMsg.marshal", + "sessionState.marshal", + "sessionStateTLS13.marshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/58001" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468125" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ], + "credits": [ + { + "name": "Marten Seemann" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1570", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1571", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-02-16T22:31:36Z", + "aliases": [ + "CVE-2022-41723", + "GHSA-vvpx-j8f3-3w6h" + ], + "summary": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", + "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.6" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "ListenAndServe", + "ListenAndServeTLS", + "Post", + "PostForm", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "Transport.RoundTrip" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "ClientConn.Close", + "ClientConn.Ping", + "ClientConn.RoundTrip", + "ClientConn.Shutdown", + "ConfigureServer", + "ConfigureTransport", + "ConfigureTransports", + "ConnectionError.Error", + "ErrCode.String", + "FrameHeader.String", + "FrameType.String", + "FrameWriteRequest.String", + "Framer.ReadFrame", + "Framer.WriteContinuation", + "Framer.WriteData", + "Framer.WriteDataPadded", + "Framer.WriteGoAway", + "Framer.WriteHeaders", + "Framer.WritePing", + "Framer.WritePriority", + "Framer.WritePushPromise", + "Framer.WriteRSTStream", + "Framer.WriteRawFrame", + "Framer.WriteSettings", + "Framer.WriteSettingsAck", + "Framer.WriteWindowUpdate", + "GoAwayError.Error", + "ReadFrameHeader", + "Server.ServeConn", + "Setting.String", + "SettingID.String", + "SettingsFrame.ForeachSetting", + "StreamError.Error", + "Transport.CloseIdleConnections", + "Transport.NewClientConn", + "Transport.RoundTrip", + "Transport.RoundTripOpt", + "bufferedWriter.Flush", + "bufferedWriter.Write", + "chunkWriter.Write", + "clientConnPool.GetClientConn", + "connError.Error", + "dataBuffer.Read", + "duplicatePseudoHeaderError.Error", + "gzipReader.Close", + "gzipReader.Read", + "headerFieldNameError.Error", + "headerFieldValueError.Error", + "noDialClientConnPool.GetClientConn", + "noDialH2RoundTripper.RoundTrip", + "pipe.Read", + "priorityWriteScheduler.CloseStream", + "priorityWriteScheduler.OpenStream", + "pseudoHeaderError.Error", + "requestBody.Close", + "requestBody.Read", + "responseWriter.Flush", + "responseWriter.FlushError", + "responseWriter.Push", + "responseWriter.SetReadDeadline", + "responseWriter.SetWriteDeadline", + "responseWriter.Write", + "responseWriter.WriteHeader", + "responseWriter.WriteString", + "serverConn.CloseConn", + "serverConn.Flush", + "stickyErrWriter.Write", + "transportResponseBody.Close", + "transportResponseBody.Read", + "writeData.String" + ] + }, + { + "path": "golang.org/x/net/http2/hpack", + "symbols": [ + "Decoder.DecodeFull", + "Decoder.Write", + "Decoder.parseFieldLiteral", + "Decoder.readString" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/57855" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468135" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/468295" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1571", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1621", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-03-08T19:30:53Z", + "aliases": [ + "CVE-2023-24532" + ], + "summary": "Incorrect calculation on P256 curves in crypto/internal/nistec", + "details": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).\n\nThis does not impact usages of crypto/ecdsa or crypto/ecdh.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.7" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/internal/nistec", + "symbols": [ + "P256OrdInverse", + "P256Point.ScalarBaseMult", + "P256Point.ScalarMult" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/58647" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/471255" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY" + } + ], + "credits": [ + { + "name": "Guido Vranken, via the Ethereum Foundation bug bounty program" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1621", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1702", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-04-05T21:05:07Z", + "aliases": [ + "CVE-2023-24537" + ], + "summary": "Infinite loop in parsing in go/scanner", + "details": "Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.8" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "go/scanner", + "symbols": [ + "Scanner.Scan", + "Scanner.updateLineInfo" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59180" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/482078" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1702", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1703", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-04-05T21:05:27Z", + "aliases": [ + "CVE-2023-24538" + ], + "summary": "Backticks not treated as string delimiters in html/template", + "details": "Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected.\n\nBackticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template.\n\nAs ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.\n\nWith fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21.\n\nUsers who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.8" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "tJS", + "tJSDelimited" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59234" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/482079" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" + } + ], + "credits": [ + { + "name": "Sohom Datta, Manipal Institute of Technology" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1703", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1704", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-04-05T21:04:28Z", + "aliases": [ + "CVE-2023-24534" + ], + "summary": "Excessive memory allocation in net/http and net/textproto", + "details": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service.\n\nCertain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.\n\nWith fix, header parsing now correctly allocates only the memory required to hold parsed headers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.8" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadMIMEHeader", + "Reader.upcomingHeaderNewlines", + "readMIMEHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/58975" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/481994" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" + } + ], + "credits": [ + { + "name": "Jakob Ackermann (@das7pad)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1704", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1705", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-04-05T21:04:39Z", + "aliases": [ + "CVE-2023-24536" + ], + "summary": "Excessive resource consumption in net/http, net/textproto and mime/multipart", + "details": "Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.\n\nThis stems from several causes:\n\n1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.\n2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.\n3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.\n\nThe combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.\n\nWith fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.\n\nIn addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:\n\n1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.\n2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.8" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "mime/multipart", + "symbols": [ + "Part.populateHeaders", + "Reader.NextPart", + "Reader.NextRawPart", + "Reader.ReadForm", + "Reader.nextPart", + "Reader.readForm", + "mimeHeaderSize", + "newPart", + "readMIMEHeader" + ] + }, + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadMIMEHeader", + "readMIMEHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59153" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/482076" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/482075" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/482077" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" + } + ], + "credits": [ + { + "name": "Jakob Ackermann (@das7pad)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1705", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1751", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-05-05T21:10:20Z", + "aliases": [ + "CVE-2023-24539" + ], + "summary": "Improper sanitization of CSS values in html/template", + "details": "Angle brackets (\u003c\u003e) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.9" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "cssValueFilter", + "escaper.commit" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59720" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/491615" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1751", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1752", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-05-05T21:10:22Z", + "aliases": [ + "CVE-2023-24540" + ], + "summary": "Improper handling of JavaScript whitespace in html/template", + "details": "Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.9" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "nextJSCtx" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59721" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/491616" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1752", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1753", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-05-05T21:10:24Z", + "aliases": [ + "CVE-2023-29400" + ], + "summary": "Improper handling of empty HTML attributes in html/template", + "details": "Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.9" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "appendCmd", + "htmlNospaceEscaper" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/59722" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/491617" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1753", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1840", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-06-08T20:16:06Z", + "aliases": [ + "CVE-2023-29403" + ], + "summary": "Unsafe behavior in setuid/setgid binaries in runtime", + "details": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.10" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "runtime" + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/60272" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/501223" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ" + } + ], + "credits": [ + { + "name": "Vincent Dehors from Synacktiv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1840", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1878", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-07-11T19:19:08Z", + "aliases": [ + "CVE-2023-29406" + ], + "summary": "Insufficient sanitization of Host header in net/http", + "details": "The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.\n\nWith fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.11" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.CloseIdleConnections", + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "Post", + "PostForm", + "Request.Write", + "Request.WriteProxy", + "Request.write", + "Transport.CancelRequest", + "Transport.CloseIdleConnections", + "Transport.RoundTrip" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/60374" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/506996" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/2q13H6LEEx0" + } + ], + "credits": [ + { + "name": "Bartek Nowotarski" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1878", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1987", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-08-02T17:25:58Z", + "aliases": [ + "CVE-2023-29409" + ], + "summary": "Large RSA keys can cause high CPU usage in crypto/tls", + "details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.12" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.7" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.0-rc.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Conn.processCertsFromClient", + "Conn.verifyServerCertificate", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/61460" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/515257" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ" + } + ], + "credits": [ + { + "name": "Mateusz Poliwczak" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1987", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2041", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-09-07T16:11:17Z", + "aliases": [ + "CVE-2023-39318" + ], + "summary": "Improper handling of HTML-like comments in script contexts in html/template", + "details": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.8" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "escaper.escapeText", + "isComment", + "tJS", + "tLineCmt" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/62196" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/526156" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" + } + ], + "credits": [ + { + "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2041", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2043", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-09-07T16:11:59Z", + "aliases": [ + "CVE-2023-39319" + ], + "summary": "Improper handling of special tags within script contexts in html/template", + "details": "The html/template package does not apply the proper rules for handling occurrences of \"\u003cscript\", \"\u003c!--\", and \"\u003c/script\" within JS literals in \u003cscript\u003e contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.8" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "escaper.escapeText", + "indexTagEnd", + "tSpecialTagEnd" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/62197" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/526157" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" + } + ], + "credits": [ + { + "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2043", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2044", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-09-07T16:12:03Z", + "aliases": [ + "CVE-2023-39321" + ], + "summary": "Panic when processing post-handshake message on QUIC connections in crypto/tls", + "details": "Processing an incomplete post-handshake message for a QUIC connection can cause a panic.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "QUICConn.HandleData" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/62266" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/523039" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" + } + ], + "credits": [ + { + "name": "Marten Seemann" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2044", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2045", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-09-07T16:12:01Z", + "aliases": [ + "CVE-2023-39322" + ], + "summary": "Memory exhaustion in QUIC connection handling in crypto/tls", + "details": "QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.\n\nWith fix, connections now consistently reject messages larger than 65KiB in size.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "QUICConn.HandleData" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/62266" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/523039" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" + } + ], + "credits": [ + { + "name": "Marten Seemann" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2045", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2102", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-10-11T16:49:53Z", + "aliases": [ + "CVE-2023-39325", + "GHSA-4374-p667-p6c8" + ], + "summary": "HTTP/2 rapid reset can cause excessive work in net/http", + "details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.10" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "ListenAndServe", + "ListenAndServeTLS", + "Serve", + "ServeTLS", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "http2Server.ServeConn", + "http2serverConn.processHeaders", + "http2serverConn.runHandler", + "http2serverConn.serve", + "http2serverConn.upgradeRequest" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.17.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "Server.ServeConn", + "serverConn.processHeaders", + "serverConn.runHandler", + "serverConn.serve", + "serverConn.upgradeRequest" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/63417" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/534215" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/534235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2102", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2185", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-11-08T22:42:14Z", + "aliases": [ + "CVE-2023-45283" + ], + "summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath", + "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Base", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Split", + "VolumeName", + "Walk", + "WalkDir", + "join", + "volumeNameLen" + ] + }, + { + "path": "internal/safefilepath", + "goos": [ + "windows" + ], + "symbols": [ + "FromFS", + "fromFS" + ] + } + ] + } + }, + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.20.11" + }, + { + "fixed": "1.20.12" + }, + { + "introduced": "1.21.4" + }, + { + "fixed": "1.21.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Base", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Split", + "VolumeName", + "Walk", + "WalkDir", + "volumeNameLen" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/63713" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/540277" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/64028" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/541175" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2185", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2185", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-11-08T22:42:14Z", + "aliases": [ + "CVE-2023-45283" + ], + "summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath", + "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Base", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Split", + "VolumeName", + "Walk", + "WalkDir", + "join", + "volumeNameLen" + ] + }, + { + "path": "internal/safefilepath", + "goos": [ + "windows" + ], + "symbols": [ + "FromFS", + "fromFS" + ] + } + ] + } + }, + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.20.11" + }, + { + "fixed": "1.20.12" + }, + { + "introduced": "1.21.4" + }, + { + "fixed": "1.21.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "goos": [ + "windows" + ], + "symbols": [ + "Abs", + "Base", + "Clean", + "Dir", + "EvalSymlinks", + "Glob", + "IsLocal", + "Join", + "Rel", + "Split", + "VolumeName", + "Walk", + "WalkDir", + "volumeNameLen" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/63713" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/540277" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/64028" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/541175" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2185", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2186", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-11-08T22:42:19Z", + "aliases": [ + "CVE-2023-45284" + ], + "summary": "Incorrect detection of reserved device names on Windows in path/filepath", + "details": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases.\n\nReserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local.\n\nWith fix, IsLocal now correctly reports these names as non-local.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "path/filepath", + "symbols": [ + "IsLocal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/63713" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/540277" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2186", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2375", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-12-05T16:16:44Z", + "aliases": [ + "CVE-2023-45287" + ], + "summary": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel", + "details": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits.\n\nIn Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "rsaKeyAgreement.generateClientKeyExchange", + "rsaKeyAgreement.processClientKeyExchange" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/20654" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/326012/26" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA" + }, + { + "type": "ARTICLE", + "url": "https://people.redhat.com/~hkario/marvin/" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2375", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-2382", + "modified": "2024-05-20T16:03:47Z", + "published": "2023-12-06T16:22:36Z", + "aliases": [ + "CVE-2023-39326" + ], + "summary": "Denial of service via chunk extensions in net/http", + "details": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.\n\nA malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.\n\nChunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.12" + }, + { + "introduced": "1.21.0-0" + }, + { + "fixed": "1.21.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/internal", + "symbols": [ + "chunkedReader.Read", + "chunkedReader.beginChunk", + "readChunkLine" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/64433" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/547335" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" + } + ], + "credits": [ + { + "name": "Bartek Nowotarski" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-2382", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2598", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T22:14:58Z", + "aliases": [ + "CVE-2024-24783" + ], + "summary": "Verify panics on certificates with an unknown public key algorithm in crypto/x509", + "details": "Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.\n\nThis affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.8" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "Certificate.buildChains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65390" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/569339" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" + } + ], + "credits": [ + { + "name": "John Howard (Google)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2598", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2599", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T22:15:00Z", + "aliases": [ + "CVE-2023-45290" + ], + "summary": "Memory exhaustion in multipart form parsing in net/textproto and net/http", + "details": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.\n\nWith fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.8" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadCodeLine", + "Reader.ReadContinuedLine", + "Reader.ReadContinuedLineBytes", + "Reader.ReadDotLines", + "Reader.ReadLine", + "Reader.ReadLineBytes", + "Reader.ReadMIMEHeader", + "Reader.ReadResponse", + "Reader.readContinuedLineSlice", + "Reader.readLineSlice" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65383" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/569341" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" + } + ], + "credits": [ + { + "name": "Bartek Nowotarski" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2599", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2600", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T22:15:02Z", + "aliases": [ + "CVE-2023-45289" + ], + "summary": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http", + "details": "When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as \"Authorization\" or \"Cookie\". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.\n\nA maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.8" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "Post", + "PostForm", + "isDomainOrSubdomain" + ] + }, + { + "path": "net/http/cookiejar", + "symbols": [ + "Jar.Cookies", + "Jar.SetCookies", + "isIP" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65065" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/569340" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2600", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2609", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T22:15:04Z", + "aliases": [ + "CVE-2024-24784" + ], + "summary": "Comments in display names are incorrectly handled in net/mail", + "details": "The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.8" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/mail", + "symbols": [ + "Address.String", + "AddressParser.Parse", + "AddressParser.ParseList", + "Header.AddressList", + "ParseAddress", + "ParseAddressList", + "addrParser.consumeGroupList", + "addrParser.consumePhrase", + "isAtext" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65083" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/555596" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" + } + ], + "credits": [ + { + "name": "Juho Nurminen of Mattermost" + }, + { + "name": "Slonser (https://github.com/Slonser)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2609", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2610", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-03-05T22:15:40Z", + "aliases": [ + "CVE-2024-24785" + ], + "summary": "Errors returned from JSON marshaling may break template escaping in html/template", + "details": "If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.8" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "escaper.commit", + "jsValEscaper" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65697" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/564196" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" + } + ], + "credits": [ + { + "name": "RyotaK (https://ryotak.net)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2610", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2687", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-04-03T21:12:01Z", + "aliases": [ + "CVE-2023-45288", + "GHSA-4v7x-pqxf-cx7m" + ], + "summary": "HTTP/2 CONTINUATION flood in net/http", + "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.9" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "CanonicalHeaderKey", + "Client.CloseIdleConnections", + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Cookie.String", + "Cookie.Valid", + "Dir.Open", + "Error", + "Get", + "HandlerFunc.ServeHTTP", + "Head", + "Header.Add", + "Header.Del", + "Header.Get", + "Header.Set", + "Header.Values", + "Header.Write", + "Header.WriteSubset", + "ListenAndServe", + "ListenAndServeTLS", + "NewRequest", + "NewRequestWithContext", + "NotFound", + "ParseTime", + "Post", + "PostForm", + "ProxyFromEnvironment", + "ReadRequest", + "ReadResponse", + "Redirect", + "Request.AddCookie", + "Request.BasicAuth", + "Request.FormFile", + "Request.FormValue", + "Request.MultipartReader", + "Request.ParseForm", + "Request.ParseMultipartForm", + "Request.PostFormValue", + "Request.Referer", + "Request.SetBasicAuth", + "Request.UserAgent", + "Request.Write", + "Request.WriteProxy", + "Response.Cookies", + "Response.Location", + "Response.Write", + "ResponseController.EnableFullDuplex", + "ResponseController.Flush", + "ResponseController.Hijack", + "ResponseController.SetReadDeadline", + "ResponseController.SetWriteDeadline", + "Serve", + "ServeContent", + "ServeFile", + "ServeMux.ServeHTTP", + "ServeTLS", + "Server.Close", + "Server.ListenAndServe", + "Server.ListenAndServeTLS", + "Server.Serve", + "Server.ServeTLS", + "Server.SetKeepAlivesEnabled", + "Server.Shutdown", + "SetCookie", + "Transport.CancelRequest", + "Transport.Clone", + "Transport.CloseIdleConnections", + "Transport.RoundTrip", + "body.Close", + "body.Read", + "bodyEOFSignal.Close", + "bodyEOFSignal.Read", + "bodyLocked.Read", + "bufioFlushWriter.Write", + "cancelTimerBody.Close", + "cancelTimerBody.Read", + "checkConnErrorWriter.Write", + "chunkWriter.Write", + "connReader.Read", + "connectMethodKey.String", + "expectContinueReader.Close", + "expectContinueReader.Read", + "extraHeader.Write", + "fileHandler.ServeHTTP", + "fileTransport.RoundTrip", + "globalOptionsHandler.ServeHTTP", + "gzipReader.Close", + "gzipReader.Read", + "http2ClientConn.Close", + "http2ClientConn.Ping", + "http2ClientConn.RoundTrip", + "http2ClientConn.Shutdown", + "http2ConnectionError.Error", + "http2ErrCode.String", + "http2FrameHeader.String", + "http2FrameType.String", + "http2FrameWriteRequest.String", + "http2Framer.ReadFrame", + "http2Framer.WriteContinuation", + "http2Framer.WriteData", + "http2Framer.WriteDataPadded", + "http2Framer.WriteGoAway", + "http2Framer.WriteHeaders", + "http2Framer.WritePing", + "http2Framer.WritePriority", + "http2Framer.WritePushPromise", + "http2Framer.WriteRSTStream", + "http2Framer.WriteRawFrame", + "http2Framer.WriteSettings", + "http2Framer.WriteSettingsAck", + "http2Framer.WriteWindowUpdate", + "http2Framer.readMetaFrame", + "http2GoAwayError.Error", + "http2Server.ServeConn", + "http2Setting.String", + "http2SettingID.String", + "http2SettingsFrame.ForeachSetting", + "http2StreamError.Error", + "http2Transport.CloseIdleConnections", + "http2Transport.NewClientConn", + "http2Transport.RoundTrip", + "http2Transport.RoundTripOpt", + "http2bufferedWriter.Flush", + "http2bufferedWriter.Write", + "http2chunkWriter.Write", + "http2clientConnPool.GetClientConn", + "http2connError.Error", + "http2dataBuffer.Read", + "http2duplicatePseudoHeaderError.Error", + "http2gzipReader.Close", + "http2gzipReader.Read", + "http2headerFieldNameError.Error", + "http2headerFieldValueError.Error", + "http2noDialClientConnPool.GetClientConn", + "http2noDialH2RoundTripper.RoundTrip", + "http2pipe.Read", + "http2priorityWriteScheduler.CloseStream", + "http2priorityWriteScheduler.OpenStream", + "http2pseudoHeaderError.Error", + "http2requestBody.Close", + "http2requestBody.Read", + "http2responseWriter.Flush", + "http2responseWriter.FlushError", + "http2responseWriter.Push", + "http2responseWriter.SetReadDeadline", + "http2responseWriter.SetWriteDeadline", + "http2responseWriter.Write", + "http2responseWriter.WriteHeader", + "http2responseWriter.WriteString", + "http2roundRobinWriteScheduler.OpenStream", + "http2serverConn.CloseConn", + "http2serverConn.Flush", + "http2stickyErrWriter.Write", + "http2transportResponseBody.Close", + "http2transportResponseBody.Read", + "http2writeData.String", + "initALPNRequest.ServeHTTP", + "loggingConn.Close", + "loggingConn.Read", + "loggingConn.Write", + "maxBytesReader.Close", + "maxBytesReader.Read", + "onceCloseListener.Close", + "persistConn.Read", + "persistConnWriter.ReadFrom", + "persistConnWriter.Write", + "populateResponse.Write", + "populateResponse.WriteHeader", + "readTrackingBody.Close", + "readTrackingBody.Read", + "readWriteCloserBody.Read", + "redirectHandler.ServeHTTP", + "response.Flush", + "response.FlushError", + "response.Hijack", + "response.ReadFrom", + "response.Write", + "response.WriteHeader", + "response.WriteString", + "serverHandler.ServeHTTP", + "socksDialer.DialWithConn", + "socksUsernamePassword.Authenticate", + "stringWriter.WriteString", + "timeoutHandler.ServeHTTP", + "timeoutWriter.Write", + "timeoutWriter.WriteHeader", + "transportReadFromServerError.Error" + ] + } + ] + } + }, + { + "package": { + "name": "golang.org/x/net", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.0" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/net/http2", + "symbols": [ + "ClientConn.Close", + "ClientConn.Ping", + "ClientConn.RoundTrip", + "ClientConn.Shutdown", + "ConfigureServer", + "ConfigureTransport", + "ConfigureTransports", + "ConnectionError.Error", + "ErrCode.String", + "FrameHeader.String", + "FrameType.String", + "FrameWriteRequest.String", + "Framer.ReadFrame", + "Framer.WriteContinuation", + "Framer.WriteData", + "Framer.WriteDataPadded", + "Framer.WriteGoAway", + "Framer.WriteHeaders", + "Framer.WritePing", + "Framer.WritePriority", + "Framer.WritePushPromise", + "Framer.WriteRSTStream", + "Framer.WriteRawFrame", + "Framer.WriteSettings", + "Framer.WriteSettingsAck", + "Framer.WriteWindowUpdate", + "Framer.readMetaFrame", + "GoAwayError.Error", + "ReadFrameHeader", + "Server.ServeConn", + "Setting.String", + "SettingID.String", + "SettingsFrame.ForeachSetting", + "StreamError.Error", + "Transport.CloseIdleConnections", + "Transport.NewClientConn", + "Transport.RoundTrip", + "Transport.RoundTripOpt", + "bufferedWriter.Flush", + "bufferedWriter.Write", + "chunkWriter.Write", + "clientConnPool.GetClientConn", + "connError.Error", + "dataBuffer.Read", + "duplicatePseudoHeaderError.Error", + "gzipReader.Close", + "gzipReader.Read", + "headerFieldNameError.Error", + "headerFieldValueError.Error", + "noDialClientConnPool.GetClientConn", + "noDialH2RoundTripper.RoundTrip", + "pipe.Read", + "priorityWriteScheduler.CloseStream", + "priorityWriteScheduler.OpenStream", + "pseudoHeaderError.Error", + "requestBody.Close", + "requestBody.Read", + "responseWriter.Flush", + "responseWriter.FlushError", + "responseWriter.Push", + "responseWriter.SetReadDeadline", + "responseWriter.SetWriteDeadline", + "responseWriter.Write", + "responseWriter.WriteHeader", + "responseWriter.WriteString", + "roundRobinWriteScheduler.OpenStream", + "serverConn.CloseConn", + "serverConn.Flush", + "stickyErrWriter.Write", + "transportResponseBody.Close", + "transportResponseBody.Read", + "writeData.String" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/65051" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/576155" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" + } + ], + "credits": [ + { + "name": "Bartek Nowotarski (https://nowotarski.info/)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2687", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2824", + "modified": "2024-05-20T16:03:47Z", + "published": "2024-05-07T22:33:51Z", + "aliases": [ + "CVE-2024-24788" + ], + "summary": "Malformed DNS message can cause infinite loop in net", + "details": "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net", + "symbols": [ + "Dial", + "DialTimeout", + "Dialer.Dial", + "Dialer.DialContext", + "Listen", + "ListenConfig.Listen", + "ListenConfig.ListenPacket", + "ListenPacket", + "LookupAddr", + "LookupCNAME", + "LookupHost", + "LookupIP", + "LookupMX", + "LookupNS", + "LookupSRV", + "LookupTXT", + "ResolveIPAddr", + "ResolveTCPAddr", + "ResolveUDPAddr", + "Resolver.LookupAddr", + "Resolver.LookupCNAME", + "Resolver.LookupHost", + "Resolver.LookupIP", + "Resolver.LookupIPAddr", + "Resolver.LookupMX", + "Resolver.LookupNS", + "Resolver.LookupNetIP", + "Resolver.LookupSRV", + "Resolver.LookupTXT", + "extractExtendedRCode" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/66754" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/578375" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0" + } + ], + "credits": [ + { + "name": "@long-name-let-people-remember-you" + }, + { + "name": "Mateusz Poliwczak" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2824", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2887", + "modified": "2024-06-04T22:48:55Z", + "published": "2024-06-04T22:48:55Z", + "aliases": [ + "CVE-2024-24790" + ], + "summary": "Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip", + "details": "The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.11" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/netip", + "symbols": [ + "Addr.IsGlobalUnicast", + "Addr.IsInterfaceLocalMulticast", + "Addr.IsLinkLocalMulticast", + "Addr.IsLoopback", + "Addr.IsMulticast", + "Addr.IsPrivate" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/590316" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/67680" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" + } + ], + "credits": [ + { + "name": "Enze Wang of Alioth (@zer0yu)" + }, + { + "name": "Jianjun Chen of Zhongguancun Lab (@chenjj)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2887", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2888", + "modified": "2024-06-04T22:48:55Z", + "published": "2024-06-04T22:48:55Z", + "aliases": [ + "CVE-2024-24789" + ], + "summary": "Mishandling of corrupt central directory record in archive/zip", + "details": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.11" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "NewReader", + "OpenReader", + "findSignatureInBlock" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/585397" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/66869" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" + } + ], + "credits": [ + { + "name": "Yufan You (@ouuan)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2888", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-2963", + "modified": "2024-07-02T20:11:00Z", + "published": "2024-07-02T20:11:00Z", + "aliases": [ + "CVE-2024-24791" + ], + "summary": "Denial of service due to improper 100-continue handling in net/http", + "details": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.\n\nAn attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.12" + }, + { + "introduced": "1.22.0-0" + }, + { + "fixed": "1.22.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.CloseIdleConnections", + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "Post", + "PostForm", + "Transport.CancelRequest", + "Transport.CloseIdleConnections", + "Transport.RoundTrip", + "persistConn.readResponse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/591255" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/67555" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ" + } + ], + "credits": [ + { + "name": "Geoff Franks" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-2963", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-3105", + "modified": "2024-09-06T19:15:23Z", + "published": "2024-09-06T19:15:23Z", + "aliases": [ + "CVE-2024-34155" + ], + "summary": "Stack exhaustion in all Parse functions in go/parser", + "details": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.7" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "go/parser", + "symbols": [ + "ParseDir", + "ParseExpr", + "ParseExprFrom", + "ParseFile", + "parser.parseLiteralValue" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/611238" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/69138" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3105", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-3106", + "modified": "2024-09-06T19:15:23Z", + "published": "2024-09-06T19:15:23Z", + "aliases": [ + "CVE-2024-34156" + ], + "summary": "Stack exhaustion in Decoder.Decode in encoding/gob", + "details": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.7" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/gob", + "symbols": [ + "Decoder.Decode", + "Decoder.DecodeValue", + "Decoder.decIgnoreOpFor" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/611239" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/69139" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" + } + ], + "credits": [ + { + "name": "Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3106", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2024-3107", + "modified": "2024-09-06T19:15:23Z", + "published": "2024-09-06T19:15:23Z", + "aliases": [ + "CVE-2024-34158" + ], + "summary": "Stack exhaustion in Parse in go/build/constraint", + "details": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.7" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "go/build/constraint", + "symbols": [ + "Parse", + "exprParser.not", + "parsePlusBuildExpr" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/611240" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/69141" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2024-3107", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3373", + "modified": "2025-01-30T18:58:58Z", + "published": "2025-01-28T00:47:30Z", + "aliases": [ + "CVE-2024-45341" + ], + "summary": "Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509", + "details": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\nCertificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.11" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.5" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.0-rc.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "CertPool.AppendCertsFromPEM", + "Certificate.CheckCRLSignature", + "Certificate.CheckSignature", + "Certificate.CheckSignatureFrom", + "Certificate.CreateCRL", + "Certificate.Verify", + "Certificate.VerifyHostname", + "CertificateRequest.CheckSignature", + "CreateCertificate", + "CreateCertificateRequest", + "CreateRevocationList", + "DecryptPEMBlock", + "EncryptPEMBlock", + "HostnameError.Error", + "MarshalECPrivateKey", + "MarshalPKCS1PrivateKey", + "MarshalPKCS1PublicKey", + "MarshalPKCS8PrivateKey", + "MarshalPKIXPublicKey", + "ParseCRL", + "ParseCertificate", + "ParseCertificateRequest", + "ParseCertificates", + "ParseDERCRL", + "ParseECPrivateKey", + "ParsePKCS1PrivateKey", + "ParsePKCS1PublicKey", + "ParsePKCS8PrivateKey", + "ParsePKIXPublicKey", + "ParseRevocationList", + "RevocationList.CheckSignatureFrom", + "SetFallbackRoots", + "SystemCertPool", + "matchURIConstraint" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/643099" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71156" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + } + ], + "credits": [ + { + "name": "Juho Forsén of Mattermost" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3373", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3420", + "modified": "2025-01-30T18:58:58Z", + "published": "2025-01-28T00:47:30Z", + "aliases": [ + "CVE-2024-45336" + ], + "summary": "Sensitive headers incorrectly sent after cross-domain redirect in net/http", + "details": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.11" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.5" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.0-rc.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Client.do", + "Client.makeHeadersCopier", + "Get", + "Head", + "Post", + "PostForm", + "shouldCopyHeaderOnRedirect" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/643100" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/70530" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" + } + ], + "credits": [ + { + "name": "Kyle Seely" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3420", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3421", + "modified": "2025-01-30T18:58:58Z", + "published": "2025-01-28T00:47:30Z", + "aliases": [ + "CVE-2025-22865" + ], + "summary": "ParsePKCS1PrivateKey panic with partial keys in crypto/x509", + "details": "Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.0-rc.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "ParsePKCS1PrivateKey" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/643098" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71216" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3421", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3447", + "modified": "2025-02-06T16:38:14Z", + "published": "2025-02-06T16:38:14Z", + "aliases": [ + "CVE-2025-22866" + ], + "summary": "Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec", + "details": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.22.12" + }, + { + "introduced": "1.23.0-0" + }, + { + "fixed": "1.23.6" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.0-rc.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/internal/nistec", + "goarch": [ + "ppc64le" + ], + "symbols": [ + "P256Point.ScalarBaseMult", + "P256Point.ScalarMult", + "P256Point.SetBytes", + "p256NegCond" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/643735" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71383" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3447", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3563", + "modified": "2025-04-08T19:46:23Z", + "published": "2025-04-08T19:46:23Z", + "aliases": [ + "CVE-2025-22871" + ], + "summary": "Request smuggling due to acceptance of invalid chunked data in net/http", + "details": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.8" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http/internal", + "symbols": [ + "chunkedReader.Read", + "readChunkLine" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/652998" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/71988" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk" + } + ], + "credits": [ + { + "name": "Jeppe Bonde Weikop" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3563", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3749", + "modified": "2025-06-16T20:08:41Z", + "published": "2025-06-11T16:23:50Z", + "aliases": [ + "CVE-2025-22874" + ], + "summary": "Usage of ExtKeyUsageAny disables policy validation in crypto/x509", + "details": "Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/670375" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/73612" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" + } + ], + "credits": [ + { + "name": "Krzysztof Skrzętnicki (@Tener) of Teleport" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3749", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3750", + "modified": "2025-06-11T16:59:06Z", + "published": "2025-06-11T16:59:06Z", + "aliases": [ + "CVE-2025-0913" + ], + "summary": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall", + "details": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.10" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "syscall", + "goos": [ + "windows" + ], + "symbols": [ + "Open" + ] + }, + { + "path": "os", + "goos": [ + "windows" + ], + "symbols": [ + "Chdir", + "Chmod", + "Chown", + "CopyFS", + "Create", + "CreateTemp", + "File.ReadDir", + "File.Readdir", + "File.Readdirnames", + "Getwd", + "Lchown", + "Link", + "Lstat", + "Mkdir", + "MkdirAll", + "MkdirTemp", + "NewFile", + "Open", + "OpenFile", + "OpenInRoot", + "OpenRoot", + "Pipe", + "ReadDir", + "ReadFile", + "Remove", + "RemoveAll", + "Rename", + "Root.Create", + "Root.Lstat", + "Root.Mkdir", + "Root.Open", + "Root.OpenFile", + "Root.OpenRoot", + "Root.Remove", + "Root.Stat", + "StartProcess", + "Stat", + "Symlink", + "Truncate", + "WriteFile", + "dirFS.Open", + "dirFS.ReadDir", + "dirFS.ReadFile", + "dirFS.Stat", + "rootFS.Open", + "rootFS.ReadDir", + "rootFS.ReadFile", + "rootFS.Stat", + "unixDirent.Info" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/672396" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/73702" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" + } + ], + "credits": [ + { + "name": "Junyoung Park and Dong-uk Kim of KAIST Hacking Lab" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3750", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3751", + "modified": "2025-06-11T16:23:58Z", + "published": "2025-06-11T16:23:58Z", + "aliases": [ + "CVE-2025-4673" + ], + "summary": "Sensitive headers not cleared on cross-origin redirect in net/http", + "details": "Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.10" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Client.makeHeadersCopier", + "Get", + "Head", + "Post", + "PostForm" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/679257" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/73816" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" + } + ], + "credits": [ + { + "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3751", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3849", + "modified": "2025-08-07T15:07:27Z", + "published": "2025-08-07T15:07:27Z", + "aliases": [ + "CVE-2025-47907" + ], + "summary": "Incorrect results returned from Rows.Scan in database/sql", + "details": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.12" + }, + { + "introduced": "1.24.0" + }, + { + "fixed": "1.24.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "database/sql", + "symbols": [ + "Row.Scan", + "Rows.Scan" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/693735" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/74831" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM" + } + ], + "credits": [ + { + "name": "Spike Curtis from Coder" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3849", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3955", + "modified": "2025-09-22T20:48:35Z", + "published": "2025-09-22T20:48:35Z", + "aliases": [ + "CVE-2025-47910", + "CVE-2025-47910" + ], + "summary": "CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http", + "details": "When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "CrossOriginProtection.AddInsecureBypassPattern" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/699275" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75054" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3955", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-3956", + "modified": "2025-09-18T18:21:44Z", + "published": "2025-09-18T18:21:44Z", + "aliases": [ + "CVE-2025-47906", + "CVE-2025-47906" + ], + "summary": "Unexpected paths returned from LookPath in os/exec", + "details": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.12" + }, + { + "introduced": "1.24.0" + }, + { + "fixed": "1.24.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "os/exec", + "symbols": [ + "LookPath" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/691775" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/74466" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-3956", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4006", + "modified": "2025-12-09T17:20:47Z", + "published": "2025-10-29T21:48:35Z", + "aliases": [ + "CVE-2025-61725", + "CVE-2025-61725" + ], + "summary": "Excessive CPU consumption in ParseAddress in net/mail", + "details": "The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/mail", + "symbols": [ + "AddressParser.Parse", + "AddressParser.ParseList", + "Header.AddressList", + "ParseAddress", + "ParseAddressList", + "addrParser.consumeDomainLiteral" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/709860" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75680" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4006", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4007", + "modified": "2025-11-20T22:03:19Z", + "published": "2025-10-29T21:49:50Z", + "aliases": [ + "CVE-2025-58187", + "CVE-2025-58187" + ], + "summary": "Quadratic complexity when checking name constraints in crypto/x509", + "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.9" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "CertPool.AppendCertsFromPEM", + "Certificate.CheckCRLSignature", + "Certificate.CheckSignature", + "Certificate.CheckSignatureFrom", + "Certificate.CreateCRL", + "Certificate.Verify", + "CertificateRequest.CheckSignature", + "CreateCertificate", + "CreateCertificateRequest", + "CreateRevocationList", + "DecryptPEMBlock", + "EncryptPEMBlock", + "MarshalECPrivateKey", + "MarshalPKCS1PrivateKey", + "MarshalPKCS1PublicKey", + "MarshalPKCS8PrivateKey", + "MarshalPKIXPublicKey", + "ParseCRL", + "ParseCertificate", + "ParseCertificateRequest", + "ParseCertificates", + "ParseDERCRL", + "ParseECPrivateKey", + "ParsePKCS1PrivateKey", + "ParsePKCS1PublicKey", + "ParsePKCS8PrivateKey", + "ParsePKIXPublicKey", + "ParseRevocationList", + "RevocationList.CheckSignatureFrom", + "SetFallbackRoots", + "SystemCertPool", + "domainToReverseLabels", + "parseSANExtension" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/75681" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709854" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4007", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4008", + "modified": "2025-10-29T21:49:53Z", + "published": "2025-10-29T21:49:53Z", + "aliases": [ + "CVE-2025-58189", + "CVE-2025-58189" + ], + "summary": "ALPN negotiation error contains attacker controlled information in crypto/tls", + "details": "When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "QUICConn.Start", + "negotiateALPN" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/707776" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75652" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "National Cyber Security Centre Finland" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4008", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4009", + "modified": "2025-10-29T21:49:55Z", + "published": "2025-10-29T21:49:55Z", + "aliases": [ + "CVE-2025-61723", + "CVE-2025-61723" + ], + "summary": "Quadratic complexity when parsing some invalid inputs in encoding/pem", + "details": "The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.\n\nThis affects programs which parse untrusted PEM inputs.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/pem", + "symbols": [ + "Decode", + "getLine" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/75676" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709858" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4009", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4010", + "modified": "2025-10-29T21:49:58Z", + "published": "2025-10-29T21:49:58Z", + "aliases": [ + "CVE-2025-47912", + "CVE-2025-47912" + ], + "summary": "Insufficient validation of bracketed IPv6 hostnames in net/url", + "details": "The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: \"http://[::1]/\". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "JoinPath", + "Parse", + "ParseRequestURI", + "URL.Parse", + "URL.UnmarshalBinary", + "parseHost" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/75678" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709857" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4010", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4011", + "modified": "2025-10-29T21:50:00Z", + "published": "2025-10-29T21:50:00Z", + "aliases": [ + "CVE-2025-58185", + "CVE-2025-58185" + ], + "summary": "Parsing DER payload can cause memory exhaustion in encoding/asn1", + "details": "Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "encoding/asn1", + "symbols": [ + "Unmarshal", + "UnmarshalWithParams", + "parseSequenceOf" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/75671" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709856" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4011", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4012", + "modified": "2025-10-29T21:50:05Z", + "published": "2025-10-29T21:50:05Z", + "aliases": [ + "CVE-2025-58186", + "CVE-2025-58186" + ], + "summary": "Lack of limit when parsing cookies can cause memory exhaustion in net/http", + "details": "Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/http", + "symbols": [ + "Client.Do", + "Client.Get", + "Client.Head", + "Client.Post", + "Client.PostForm", + "Get", + "Head", + "ParseCookie", + "Post", + "PostForm", + "Request.Cookie", + "Request.Cookies", + "Request.CookiesNamed", + "Response.Cookies", + "readCookies", + "readSetCookies" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/75672" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/709855" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "jub0bs" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4012", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4013", + "modified": "2025-10-29T21:50:08Z", + "published": "2025-10-29T21:50:08Z", + "aliases": [ + "CVE-2025-58188", + "CVE-2025-58188" + ], + "summary": "Panic when validating certificates with DSA public keys in crypto/x509", + "details": "Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.\n\nThis affects programs which validate arbitrary certificate chains.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "alreadyInChain" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/709853" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75675" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4013", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4014", + "modified": "2025-10-29T21:51:04Z", + "published": "2025-10-29T21:51:04Z", + "aliases": [ + "CVE-2025-58183", + "CVE-2025-58183" + ], + "summary": "Unbounded allocation when parsing GNU sparse map in archive/tar", + "details": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/tar", + "symbols": [ + "Reader.Next", + "readGNUSparseMap1x0" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/709861" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75677" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Harshit Gupta (Mr HAX)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4014", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4015", + "modified": "2025-10-29T21:51:07Z", + "published": "2025-10-29T21:51:07Z", + "aliases": [ + "CVE-2025-61724", + "CVE-2025-61724" + ], + "summary": "Excessive CPU consumption in Reader.ReadResponse in net/textproto", + "details": "The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.8" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Reader.ReadResponse" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/709859" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/75716" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4015", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4155", + "modified": "2025-12-03T17:43:24Z", + "published": "2025-12-02T18:30:24Z", + "aliases": [ + "CVE-2025-61729", + "CVE-2025-61729" + ], + "summary": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509", + "details": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.11" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "Certificate.VerifyHostname" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/725920" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/76445" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4" + } + ], + "credits": [ + { + "name": "Philippe Antoine (Catena cyber)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4155", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2025-4175", + "modified": "2025-12-02T20:55:55Z", + "published": "2025-12-02T20:55:55Z", + "aliases": [ + "CVE-2025-61727" + ], + "summary": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509", + "details": "An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.11" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/723900" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/76442" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2025-4175", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4337", + "modified": "2026-02-05T17:23:09Z", + "published": "2026-02-05T17:23:09Z", + "aliases": [ + "CVE-2025-68121" + ], + "summary": "Unexpected session resumption in crypto/tls", + "details": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.13" + }, + { + "introduced": "1.25.0-0" + }, + { + "fixed": "1.25.7" + }, + { + "introduced": "1.26.0-rc.1" + }, + { + "fixed": "1.26.0-rc.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Conn.handshakeContext", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "QUICConn.Start" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/737700" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77217" + } + ], + "credits": [ + { + "name": "Coia Prant (github.com/rbqvq)" + }, + { + "name": "Go Security Team" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4337", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4340", + "modified": "2026-01-28T19:08:09Z", + "published": "2026-01-28T19:08:09Z", + "aliases": [ + "CVE-2025-61730", + "CVE-2025-61730" + ], + "summary": "Handshake messages may be processed at the incorrect encryption level in crypto/tls", + "details": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.12" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Conn.handleKeyUpdate", + "Conn.handshakeContext", + "Conn.quicSetReadSecret", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "QUICConn.HandleData", + "QUICConn.Start", + "clientHandshakeStateTLS13.establishHandshakeKeys", + "clientHandshakeStateTLS13.readServerFinished", + "clientHandshakeStateTLS13.sendClientFinished", + "serverHandshakeStateTLS13.checkForResumption", + "serverHandshakeStateTLS13.doHelloRetryRequest", + "serverHandshakeStateTLS13.readClientFinished", + "serverHandshakeStateTLS13.sendServerFinished", + "serverHandshakeStateTLS13.sendServerParameters" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/724120" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/76443" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" + } + ], + "credits": [ + { + "name": "Coia Prant (github.com/rbqvq)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4340", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4341", + "modified": "2026-01-28T19:08:18Z", + "published": "2026-01-28T19:08:18Z", + "aliases": [ + "CVE-2025-61726", + "CVE-2025-61726" + ], + "summary": "Memory exhaustion in query parameter parsing in net/url", + "details": "The net/url package does not set a limit on the number of query parameters in a query.\n\nWhile the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.12" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "ParseQuery", + "URL.Query", + "parseQuery" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/736712" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77101" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" + } + ], + "credits": [ + { + "name": "jub0bs" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4341", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4342", + "modified": "2026-01-28T19:08:28Z", + "published": "2026-01-28T19:08:28Z", + "aliases": [ + "CVE-2025-61728", + "CVE-2025-61728" + ], + "summary": "Excessive CPU consumption when building archive index in archive/zip", + "details": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.12" + }, + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.6" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/zip", + "symbols": [ + "Reader.Open", + "Reader.initFileList" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/736713" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77102" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4342", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4403", + "modified": "2026-02-04T22:42:26Z", + "published": "2026-02-04T22:42:26Z", + "aliases": [ + "CVE-2025-22873" + ], + "summary": "Improper access to parent directory of root in os", + "details": "It was possible to improperly access the parent directory of an os.Root by opening a filename ending in \"../\". For example, Root.Open(\"../\") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.23.9" + }, + { + "introduced": "1.24.0-0" + }, + { + "fixed": "1.24.3" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "os", + "symbols": [ + "checkPathEscapesInternal", + "doInRoot", + "splitPathInRoot" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/670036" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/73555" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ" + } + ], + "credits": [ + { + "name": "Dan Sebastian Thrane of SDU eScience Center" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4403", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4599", + "modified": "2026-03-07T17:04:32Z", + "published": "2026-03-06T21:03:42Z", + "aliases": [ + "CVE-2026-27137" + ], + "summary": "Incorrect enforcement of email constraints in crypto/x509", + "details": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "checkChainConstraints", + "checkConstraints", + "emailConstraints.query", + "newEmailConstraints", + "parseMailboxes" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/752182" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77952" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4599", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4600", + "modified": "2026-03-07T17:04:32Z", + "published": "2026-03-06T21:03:42Z", + "aliases": [ + "CVE-2026-27138" + ], + "summary": "Panic in name constraint checking for malformed certificates in crypto/x509", + "details": "Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "dnsConstraints.query" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77953" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/752183" + } + ], + "credits": [ + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4600", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4601", + "modified": "2026-03-06T21:03:42Z", + "published": "2026-03-06T21:03:42Z", + "aliases": [ + "CVE-2026-25679" + ], + "summary": "Incorrect parsing of IPv6 host literals in net/url", + "details": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.8" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/url", + "symbols": [ + "JoinPath", + "Parse", + "ParseRequestURI", + "URL.Parse", + "URL.UnmarshalBinary", + "parseHost" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/752180" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77578" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" + } + ], + "credits": [ + { + "name": "Masaki Hara (https://github.com/qnighy) of Wantedly" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4601", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4602", + "modified": "2026-03-06T21:03:42Z", + "published": "2026-03-06T21:03:42Z", + "aliases": [ + "CVE-2026-27139" + ], + "summary": "FileInfo can escape from a Root in os", + "details": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.\n\nThe impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.8" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "os", + "symbols": [ + "File.ReadDir", + "File.Readdir", + "ReadDir", + "dirFS.ReadDir", + "rootFS.ReadDir" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77827" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/749480" + } + ], + "credits": [ + { + "name": "Miloslav Trmač of Red Hat" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4602", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4603", + "modified": "2026-03-06T21:03:42Z", + "published": "2026-03-06T21:03:42Z", + "aliases": [ + "CVE-2026-27142" + ], + "summary": "URLs in meta content attribute actions are not escaped in html/template", + "details": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\".\n\nA new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.8" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.1" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Template.Execute", + "Template.ExecuteTemplate", + "escaper.escapeAction", + "tTag" + ] + } + ] + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/77954" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/752081" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4603", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4864", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32282" + ], + "summary": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix", + "details": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.\n\nThe Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "internal/syscall/unix", + "goos": [ + "linux" + ], + "symbols": [ + "Fchmodat" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/763761" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78293" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Uuganbayar Lkhamsuren (https://github.com/uug4na)" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4864", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4865", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32289" + ], + "summary": "JsBraceDepth Context Tracking Bugs (XSS) in html/template", + "details": "Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.\n\nThese issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "html/template", + "symbols": [ + "Error.Error", + "HTMLEscaper", + "JSEscape", + "JSEscapeString", + "JSEscaper", + "ParseFS", + "ParseFiles", + "ParseGlob", + "Template.AddParseTree", + "Template.Clone", + "Template.DefinedTemplates", + "Template.Execute", + "Template.ExecuteTemplate", + "Template.Funcs", + "Template.Parse", + "Template.ParseFS", + "Template.ParseFiles", + "Template.ParseGlob", + "URLQueryEscaper", + "context.String", + "context.mangle", + "escaper.escapeBranch" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/763762" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78331" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4865", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4866", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-33810" + ], + "summary": "Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509", + "details": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.\n\nThis only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "dnsConstraints.query", + "newDNSConstraints" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/763763" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78332" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Riyas from Saintgits College of Engineering" + }, + { + "name": "k1rnt" + }, + { + "name": "@1seal" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4866", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4869", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32288" + ], + "summary": "Unbounded allocation for old GNU sparse in archive/tar", + "details": "tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the \"old GNU sparse map\" format.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "archive/tar", + "symbols": [ + "Reader.Next", + "Reader.readOldGNUSparseMap", + "readGNUSparseMap1x0" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/763766" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78301" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Colin Walters (walters@verbum.org)" + }, + { + "name": "Uuganbayar Lkhamsuren (https://github.com/uug4na)" + }, + { + "name": "Jakub Ciolek" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4869", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4870", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32283" + ], + "summary": "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls", + "details": "If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.\n\nThis only affects TLS 1.3.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/tls", + "symbols": [ + "Conn.Handshake", + "Conn.HandshakeContext", + "Conn.Read", + "Conn.Write", + "Conn.handleKeyUpdate", + "Dial", + "DialWithDialer", + "Dialer.Dial", + "Dialer.DialContext", + "QUICConn.HandleData", + "QUICConn.Start", + "clientHandshakeStateTLS13.establishHandshakeKeys", + "clientHandshakeStateTLS13.readServerFinished", + "serverHandshakeStateTLS13.readClientFinished", + "serverHandshakeStateTLS13.sendServerParameters" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/763767" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78334" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Jakub Ciolek - https://ciolek.dev/" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4870", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4946", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32281" + ], + "summary": "Inefficient policy validation in crypto/x509", + "details": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.\n\nThis only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "policiesValid" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/758061" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78281" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Jakub Ciolek - https://ciolek.dev" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4946", + "review_status": "REVIEWED" + } + } +} +{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2026-4947", + "modified": "2026-04-07T22:53:49Z", + "published": "2026-04-07T22:53:49Z", + "aliases": [ + "CVE-2026-32280" + ], + "summary": "Unexpected work during chain building in crypto/x509", + "details": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.9" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.2" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "Certificate.buildChains" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/758320" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/78282" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" + } + ], + "credits": [ + { + "name": "Jakub Ciolek - https://ciolek.dev" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-4947", + "review_status": "REVIEWED" + } + } +} +{ + "progress": { + "message": "Checking the code against the vulnerabilities..." + } +} +{ + "finding": { + "osv": "GO-2026-4771", + "trace": [ + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4772", + "trace": [ + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible" + } + ] + } +} +{ + "finding": { + "osv": "GO-2024-3333", + "fixed_version": "v0.33.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3503", + "fixed_version": "v0.36.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3595", + "fixed_version": "v0.38.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4440", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4441", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2024-3321", + "fixed_version": "v0.31.0", + "trace": [ + { + "module": "golang.org/x/crypto", + "version": "v0.23.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3487", + "fixed_version": "v0.35.0", + "trace": [ + { + "module": "golang.org/x/crypto", + "version": "v0.23.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4116", + "fixed_version": "v0.43.0", + "trace": [ + { + "module": "golang.org/x/crypto", + "version": "v0.23.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4134", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/crypto", + "version": "v0.23.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4135", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/crypto", + "version": "v0.23.0" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3849", + "fixed_version": "v1.24.6", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3956", + "fixed_version": "v1.24.6", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4006", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4008", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4009", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4010", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4011", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4012", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4013", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4014", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4015", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4155", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4175", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4337", + "fixed_version": "v1.24.13", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4340", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4341", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4342", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4601", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4602", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4603", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4864", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4869", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4870", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4946", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4947", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4012", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4602", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4864", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "internal/syscall/unix" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4015", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/textproto" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4008", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4337", + "fixed_version": "v1.24.13", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4340", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4870", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4013", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4155", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4175", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4946", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4947", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4011", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "encoding/asn1" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4009", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "encoding/pem" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4010", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4341", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4601", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4603", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3849", + "fixed_version": "v1.24.6", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "database/sql" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4771", + "trace": [ + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgproto3" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4772", + "trace": [ + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgproto3" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt" + } + ] + } +} +{ + "finding": { + "osv": "GO-2024-3333", + "fixed_version": "v0.33.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0", + "package": "golang.org/x/net/html" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3595", + "fixed_version": "v0.38.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0", + "package": "golang.org/x/net/html" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4440", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0", + "package": "golang.org/x/net/html" + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4441", + "fixed_version": "v0.45.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0", + "package": "golang.org/x/net/html" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3956", + "fixed_version": "v1.24.6", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os/exec" + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt", + "function": "Error", + "receiver": "ValidationError", + "position": { + "filename": "errors.go", + "offset": 1617, + "line": 46, + "column": 26 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api/helper", + "function": "TranslateErrorToStatusCode", + "position": { + "filename": "api/helper/statuse_code_maping.go", + "offset": 545, + "line": 21, + "column": 42 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template", + "function": "String", + "receiver": "context", + "position": { + "filename": "src/html/template/context.go", + "offset": 1070, + "line": 35, + "column": 18 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "handleMethods", + "receiver": "*pp", + "position": { + "filename": "src/fmt/print.go", + "offset": 18440, + "line": 673, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "printArg", + "receiver": "*pp", + "position": { + "filename": "src/fmt/print.go", + "offset": 20160, + "line": 749, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "doPrintf", + "receiver": "*pp", + "position": { + "filename": "src/fmt/print.go", + "offset": 28862, + "line": 1074, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "Sprintf", + "position": { + "filename": "src/fmt/print.go", + "offset": 7132, + "line": 239, + "column": 12 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "RegisterSwagger", + "position": { + "filename": "api/api.go", + "offset": 1410, + "line": 52, + "column": 37 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4602", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os", + "function": "ReadDir", + "position": { + "filename": "src/os/dir.go", + "offset": 4320, + "line": 118, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "readUniqueDirectoryEntries", + "position": { + "filename": "src/crypto/x509/root_unix.go", + "offset": 2240, + "line": 87, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "loadSystemRoots", + "position": { + "filename": "src/crypto/x509/root_unix.go", + "offset": 1684, + "line": 62, + "column": 41 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "initSystemRoots", + "position": { + "filename": "src/crypto/x509/root.go", + "offset": 924, + "line": 40, + "column": 47 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "doSlow", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2517, + "line": 78, + "column": 4 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "Do", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2389, + "line": 69, + "column": 11 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "syscall", + "function": "Getenv", + "position": { + "filename": "src/syscall/env_unix.go", + "offset": 1519, + "line": 70, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os", + "function": "Getenv", + "position": { + "filename": "src/os/env.go", + "offset": 2946, + "line": 103, + "column": 24 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "GetConfig", + "position": { + "filename": "config/config.go", + "offset": 1046, + "line": 59, + "column": 36 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4011", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "encoding/asn1", + "function": "Unmarshal", + "position": { + "filename": "src/encoding/asn1/asn1.go", + "offset": 31419, + "line": 1085, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "getSignatureAlgorithmFromAI", + "position": { + "filename": "src/crypto/x509/x509.go", + "offset": 15759, + "line": 438, + "column": 29 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "parseCertificate", + "position": { + "filename": "src/crypto/x509/parser.go", + "offset": 30403, + "line": 953, + "column": 55 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "ParseCertificate", + "position": { + "filename": "src/crypto/x509/parser.go", + "offset": 34126, + "line": 1074, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "AppendCertsFromPEM$1$1", + "position": { + "filename": "src/crypto/x509/cert_pool.go", + "offset": 7667, + "line": 242, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "doSlow", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2517, + "line": 78, + "column": 4 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "Do", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2389, + "line": 69, + "column": 11 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "syscall", + "function": "Getenv", + "position": { + "filename": "src/syscall/env_unix.go", + "offset": 1519, + "line": 70, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os", + "function": "Getenv", + "position": { + "filename": "src/os/env.go", + "offset": 2946, + "line": 103, + "column": 24 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "GetConfig", + "position": { + "filename": "config/config.go", + "offset": 1046, + "line": 59, + "column": 36 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4947", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4340", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "HandshakeContext", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 47404, + "line": 1505, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 61884, + "line": 1971, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template", + "function": "Parse", + "receiver": "*Template", + "position": { + "filename": "src/html/template/template.go", + "offset": 6097, + "line": 186, + "column": 20 + } + }, + { + "module": "github.com/swaggo/gin-swagger", + "version": "v1.6.0", + "package": "github.com/swaggo/gin-swagger", + "function": "CustomWrapHandler", + "position": { + "filename": "swagger.go", + "offset": 3949, + "line": 141, + "column": 54 + } + }, + { + "module": "github.com/swaggo/gin-swagger", + "version": "v1.6.0", + "package": "github.com/swaggo/gin-swagger", + "function": "WrapHandler", + "position": { + "filename": "swagger.go", + "offset": 3544, + "line": 125, + "column": 26 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "RegisterSwagger", + "position": { + "filename": "api/api.go", + "offset": 1544, + "line": 55, + "column": 47 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "ParsePKCS1PrivateKey", + "position": { + "filename": "src/crypto/x509/pkcs1.go", + "offset": 1418, + "line": 54, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "parsePrivateKey", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 12058, + "line": 356, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "X509KeyPair", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 10627, + "line": 315, + "column": 40 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 24313, + "line": 765, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4009", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "encoding/pem", + "function": "Decode", + "position": { + "filename": "src/encoding/pem/pem.go", + "offset": 2538, + "line": 89, + "column": 6 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 22893, + "line": 723, + "column": 25 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt", + "function": "SignedString", + "receiver": "*Token", + "position": { + "filename": "token.go", + "offset": 1676, + "line": 49, + "column": 17 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/services", + "function": "GenerateToken", + "receiver": "*TokenService", + "position": { + "filename": "services/token_service.go", + "offset": 1125, + "line": 39, + "column": 39 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template", + "function": "Error", + "receiver": "*Error", + "position": { + "filename": "src/html/template/error.go", + "offset": 8839, + "line": 231, + "column": 17 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt", + "function": "init", + "position": { + "filename": "claims.go", + "offset": 0, + "line": 1, + "column": 1 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/services", + "function": "init", + "position": { + "filename": "services/token_service.go", + "offset": 313, + "line": 11, + "column": 2 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4870", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Write", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 38284, + "line": 1196, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "src/fmt/print.go", + "offset": 6683, + "line": 225, + "column": 18 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ConnectError", + "position": { + "filename": "pgconn/errors.go", + "offset": 1760, + "line": 69, + "column": 13 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4008", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Write", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 38284, + "line": 1196, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "src/fmt/print.go", + "offset": 6683, + "line": 225, + "column": 18 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ConnectError", + "position": { + "filename": "pgconn/errors.go", + "offset": 1760, + "line": 69, + "column": 13 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4008", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "HandshakeContext", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 47404, + "line": 1505, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 61884, + "line": 1971, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4337", + "fixed_version": "v1.24.13", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43098, + "line": 1371, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4865", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template", + "function": "Execute", + "receiver": "*Template", + "position": { + "filename": "src/html/template/template.go", + "offset": 3516, + "line": 120, + "column": 20 + } + }, + { + "module": "github.com/swaggo/gin-swagger", + "version": "v1.6.0", + "package": "github.com/swaggo/gin-swagger", + "function": "CustomWrapHandler$1", + "position": { + "filename": "swagger.go", + "offset": 5141, + "line": 180, + "column": 21 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Next", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 4878, + "line": 185, + "column": 22 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "handleHTTPRequest", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 21094, + "line": 633, + "column": 10 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "ServeHTTP", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 19963, + "line": 589, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ServeHTTP", + "receiver": "serverHandler", + "position": { + "filename": "src/net/http/server.go", + "offset": 108777, + "line": 3301, + "column": 19 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 66470, + "line": 2102, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4337", + "fixed_version": "v1.24.13", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "HandshakeContext", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 47404, + "line": 1505, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 61884, + "line": 1971, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "ParseECPrivateKey", + "position": { + "filename": "src/crypto/x509/sec1.go", + "offset": 927, + "line": 37, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "parsePrivateKey", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 12411, + "line": 367, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "X509KeyPair", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 10627, + "line": 315, + "column": 40 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 24313, + "line": 765, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4155", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "VerifyHostname", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 36083, + "line": 1162, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "loadSession", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 14771, + "line": 453, + "column": 55 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 9312, + "line": 280, + "column": 55 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4340", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Write", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 38284, + "line": 1196, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "src/fmt/print.go", + "offset": 6683, + "line": 225, + "column": 18 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ConnectError", + "position": { + "filename": "pgconn/errors.go", + "offset": 1760, + "line": 69, + "column": 13 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4601", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url", + "function": "Parse", + "position": { + "filename": "src/net/url/url.go", + "offset": 13775, + "line": 475, + "column": 6 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "redactPW", + "position": { + "filename": "pgconn/errors.go", + "offset": 5191, + "line": 194, + "column": 25 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ParseConfigError", + "position": { + "filename": "pgconn/errors.go", + "offset": 2899, + "line": 103, + "column": 24 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt", + "function": "NewWithClaims", + "position": { + "filename": "token.go", + "offset": 1428, + "line": 37, + "column": 6 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/services", + "function": "GenerateToken", + "receiver": "*TokenService", + "position": { + "filename": "services/token_service.go", + "offset": 1041, + "line": 36, + "column": 25 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3595", + "fixed_version": "v0.38.0", + "trace": [ + { + "module": "golang.org/x/net", + "version": "v0.25.0", + "package": "golang.org/x/net/html", + "function": "Next", + "receiver": "*Tokenizer", + "position": { + "filename": "html/token.go", + "offset": 24814, + "line": 998, + "column": 21 + } + }, + { + "module": "github.com/gabriel-vasile/mimetype", + "version": "v1.4.3", + "package": "github.com/gabriel-vasile/mimetype/internal/charset", + "function": "fromHTML", + "position": { + "filename": "internal/charset/charset.go", + "offset": 4660, + "line": 177, + "column": 16 + } + }, + { + "module": "github.com/gabriel-vasile/mimetype", + "version": "v1.4.3", + "package": "github.com/gabriel-vasile/mimetype/internal/charset", + "function": "FromHTML", + "position": { + "filename": "internal/charset/charset.go", + "offset": 4478, + "line": 168, + "column": 21 + } + }, + { + "module": "github.com/gabriel-vasile/mimetype", + "version": "v1.4.3", + "package": "github.com/gabriel-vasile/mimetype", + "function": "match", + "receiver": "*MIME", + "position": { + "filename": "mime.go", + "offset": 3088, + "line": 109, + "column": 15 + } + }, + { + "module": "github.com/gabriel-vasile/mimetype", + "version": "v1.4.3", + "package": "github.com/gabriel-vasile/mimetype", + "function": "DetectReader", + "position": { + "filename": "mimetype.go", + "offset": 2066, + "line": 69, + "column": 19 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "isImage", + "position": { + "filename": "baked_in.go", + "offset": 47985, + "line": 1601, + "column": 37 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "wrapFunc$1", + "position": { + "filename": "baked_in.go", + "offset": 953, + "line": 43, + "column": 12 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "traverseField", + "receiver": "*validate", + "position": { + "filename": "validator.go", + "offset": 9394, + "line": 359, + "column": 13 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "validateStruct", + "receiver": "*validate", + "position": { + "filename": "validator.go", + "offset": 2100, + "line": 78, + "column": 19 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "StructCtx", + "receiver": "*Validate", + "position": { + "filename": "validator_instance.go", + "offset": 13294, + "line": 395, + "column": 19 + } + }, + { + "module": "github.com/go-playground/validator/v10", + "version": "v10.20.0", + "package": "github.com/go-playground/validator/v10", + "function": "Struct", + "receiver": "*Validate", + "position": { + "filename": "validator_instance.go", + "offset": 12309, + "line": 368, + "column": 20 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin/binding", + "function": "validateStruct", + "receiver": "*defaultValidator", + "position": { + "filename": "binding/default_validator.go", + "offset": 1881, + "line": 83, + "column": 26 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin/binding", + "function": "ValidateStruct", + "receiver": "*defaultValidator", + "position": { + "filename": "binding/default_validator.go", + "offset": 1327, + "line": 60, + "column": 26 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin/binding", + "function": "validate", + "position": { + "filename": "binding/binding.go", + "offset": 4125, + "line": 121, + "column": 33 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin/binding", + "function": "decodeJSON", + "position": { + "filename": "binding/json.go", + "offset": 1534, + "line": 55, + "column": 17 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin/binding", + "function": "Bind", + "receiver": "jsonBinding", + "position": { + "filename": "binding/json.go", + "offset": 1121, + "line": 37, + "column": 19 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "ShouldBindWith", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 23007, + "line": 752, + "column": 15 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "ShouldBindJSON", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 21645, + "line": 712, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api/handlers", + "function": "RegisterByUsername", + "receiver": "*UsersHandler", + "position": { + "filename": "api/handlers/user.go", + "offset": 2601, + "line": 74, + "column": 25 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4603", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "html/template", + "function": "Execute", + "receiver": "*Template", + "position": { + "filename": "src/html/template/template.go", + "offset": 3516, + "line": 120, + "column": 20 + } + }, + { + "module": "github.com/swaggo/gin-swagger", + "version": "v1.6.0", + "package": "github.com/swaggo/gin-swagger", + "function": "CustomWrapHandler$1", + "position": { + "filename": "swagger.go", + "offset": 5141, + "line": 180, + "column": 21 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Next", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 4878, + "line": 185, + "column": 22 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "handleHTTPRequest", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 21094, + "line": 633, + "column": 10 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "ServeHTTP", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 19963, + "line": 589, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ServeHTTP", + "receiver": "serverHandler", + "position": { + "filename": "src/net/http/server.go", + "offset": 108777, + "line": 3301, + "column": 19 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 66470, + "line": 2102, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "ParseCertificate", + "position": { + "filename": "src/crypto/x509/parser.go", + "offset": 34043, + "line": 1073, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "AppendCertsFromPEM$1$1", + "position": { + "filename": "src/crypto/x509/cert_pool.go", + "offset": 7667, + "line": 242, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "doSlow", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2517, + "line": 78, + "column": 4 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "sync", + "function": "Do", + "receiver": "*Once", + "position": { + "filename": "src/sync/once.go", + "offset": 2389, + "line": 69, + "column": 11 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "syscall", + "function": "Getenv", + "position": { + "filename": "src/syscall/env_unix.go", + "offset": 1519, + "line": 70, + "column": 12 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "os", + "function": "Getenv", + "position": { + "filename": "src/os/env.go", + "offset": 2946, + "line": 103, + "column": 24 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "GetConfig", + "position": { + "filename": "config/config.go", + "offset": 1046, + "line": 59, + "column": 36 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4337", + "fixed_version": "v1.24.13", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Write", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 38284, + "line": 1196, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "fmt", + "function": "Fprintf", + "position": { + "filename": "src/fmt/print.go", + "offset": 6683, + "line": 225, + "column": 18 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ConnectError", + "position": { + "filename": "pgconn/errors.go", + "offset": 1760, + "line": 69, + "column": 13 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4946", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4870", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43098, + "line": 1371, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "AppendCertsFromPEM", + "receiver": "*CertPool", + "position": { + "filename": "src/crypto/x509/cert_pool.go", + "offset": 7034, + "line": 219, + "column": 20 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 22424, + "line": 706, + "column": 36 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4155", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "ParsePKCS8PrivateKey", + "position": { + "filename": "src/crypto/x509/pkcs8.go", + "offset": 1089, + "line": 38, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "parsePrivateKey", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 12140, + "line": 359, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "X509KeyPair", + "position": { + "filename": "src/crypto/tls/tls.go", + "offset": 10627, + "line": 315, + "column": 40 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 24313, + "line": 765, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4175", + "fixed_version": "v1.24.11", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4013", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "Verify", + "receiver": "*Certificate", + "position": { + "filename": "src/crypto/x509/verify.go", + "offset": 25747, + "line": 780, + "column": 23 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "verifyServerCertificate", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 34784, + "line": 1122, + "column": 34 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "readServerCertificate", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 20912, + "line": 658, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handshake", + "receiver": "*clientHandshakeStateTLS13", + "position": { + "filename": "src/crypto/tls/handshake_client_tls13.go", + "offset": 3797, + "line": 136, + "column": 36 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "clientHandshake", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/handshake_client.go", + "offset": 12424, + "line": 379, + "column": 22 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handleRenegotiation", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40534, + "line": 1291, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "handlePostHandshakeMessage", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 40901, + "line": 1301, + "column": 31 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43525, + "line": 1389, + "column": 42 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4340", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43098, + "line": 1371, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4010", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url", + "function": "ParseRequestURI", + "position": { + "filename": "src/net/url/url.go", + "offset": 14437, + "line": 496, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "readRequest", + "position": { + "filename": "src/net/http/request.go", + "offset": 37484, + "line": 1123, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "readRequest", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 32705, + "line": 1048, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 63739, + "line": 2027, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4010", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url", + "function": "Parse", + "position": { + "filename": "src/net/url/url.go", + "offset": 13775, + "line": 475, + "column": 6 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "redactPW", + "position": { + "filename": "pgconn/errors.go", + "offset": 5191, + "line": 194, + "column": 25 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "Error", + "receiver": "*ParseConfigError", + "position": { + "filename": "pgconn/errors.go", + "offset": 2899, + "line": 103, + "column": 24 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/repository", + "function": "ListExpenses", + "receiver": "*expenseTrackerRepository", + "position": { + "filename": "repository/expense.go", + "offset": 2727, + "line": 89, + "column": 91 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4008", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "Read", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 43098, + "line": 1371, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "bytes", + "function": "ReadFrom", + "receiver": "*Buffer", + "position": { + "filename": "src/bytes/buffer.go", + "offset": 7487, + "line": 211, + "column": 17 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "unmarshalReader", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 52450, + "line": 1796, + "column": 14 + } + }, + { + "module": "github.com/spf13/viper", + "version": "v1.19.0", + "package": "github.com/spf13/viper", + "function": "ReadInConfig", + "receiver": "*Viper", + "position": { + "filename": "viper.go", + "offset": 48547, + "line": 1653, + "column": 25 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/config", + "function": "LoadConfig", + "position": { + "filename": "config/config.go", + "offset": 1998, + "line": 98, + "column": 23 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4012", + "fixed_version": "v1.24.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Cookie", + "receiver": "*Request", + "position": { + "filename": "src/net/http/request.go", + "offset": 16084, + "line": 448, + "column": 19 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Cookie", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 29186, + "line": 942, + "column": 33 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/services", + "function": "RefreshToken", + "receiver": "*TokenService", + "position": { + "filename": "services/token_service.go", + "offset": 2966, + "line": 104, + "column": 31 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4870", + "fixed_version": "v1.25.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/tls", + "function": "HandshakeContext", + "receiver": "*Conn", + "position": { + "filename": "src/crypto/tls/conn.go", + "offset": 47404, + "line": 1505, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 61884, + "line": 1971, + "column": 37 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4341", + "fixed_version": "v1.24.12", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url", + "function": "Query", + "receiver": "*URL", + "position": { + "filename": "src/net/url/url.go", + "offset": 32828, + "line": 1154, + "column": 15 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "initQueryCache", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 13526, + "line": 472, + "column": 38 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "GetQueryArray", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 13815, + "line": 482, + "column": 18 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "GetQuery", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 13094, + "line": 456, + "column": 34 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Query", + "receiver": "*Context", + "position": { + "filename": "context.go", + "offset": 12116, + "line": 427, + "column": 23 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api/handlers", + "function": "ListExpenses", + "receiver": "*expenseTrackerHandler", + "position": { + "filename": "api/handlers/expense.go", + "offset": 4933, + "line": 143, + "column": 19 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3553", + "trace": [ + { + "module": "github.com/golang-jwt/jwt", + "version": "v3.2.2+incompatible", + "package": "github.com/golang-jwt/jwt", + "function": "Parse", + "position": { + "filename": "token.go", + "offset": 2727, + "line": 88, + "column": 6 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/services", + "function": "VerifyToken", + "receiver": "*TokenService", + "position": { + "filename": "services/token_service.go", + "offset": 1680, + "line": 64, + "column": 22 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-4007", + "fixed_version": "v1.24.9", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "crypto/x509", + "function": "DecryptPEMBlock", + "position": { + "filename": "src/crypto/x509/pem_decrypt.go", + "offset": 3643, + "line": 124, + "column": 6 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "configTLS", + "position": { + "filename": "pgconn/config.go", + "offset": 23313, + "line": 735, + "column": 56 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5/pgconn", + "function": "ParseConfigWithOptions", + "position": { + "filename": "pgconn/config.go", + "offset": 13356, + "line": 353, + "column": 31 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfigWithOptions", + "position": { + "filename": "conn.go", + "offset": 5498, + "line": 147, + "column": 46 + } + }, + { + "module": "github.com/jackc/pgx/v5", + "version": "v5.5.5", + "package": "github.com/jackc/pgx/v5", + "function": "ParseConfig", + "position": { + "filename": "conn.go", + "offset": 8098, + "line": 218, + "column": 31 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "Initialize", + "receiver": "Dialector", + "position": { + "filename": "postgres.go", + "offset": 2344, + "line": 94, + "column": 32 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm", + "function": "Open", + "position": { + "filename": "gorm.go", + "offset": 4536, + "line": 185, + "column": 36 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db", + "function": "InitDb", + "position": { + "filename": "data/db/postgres.go", + "offset": 543, + "line": 23, + "column": 27 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2025-3849", + "fixed_version": "v1.24.6", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "database/sql", + "function": "Scan", + "receiver": "*Rows", + "position": { + "filename": "src/database/sql/sql.go", + "offset": 97374, + "line": 3365, + "column": 17 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "ColumnTypes$1", + "position": { + "filename": "migrator.go", + "offset": 16446, + "line": 485, + "column": 22 + } + }, + { + "module": "gorm.io/gorm", + "version": "v1.25.12", + "package": "gorm.io/gorm/migrator", + "function": "RunWithValue", + "receiver": "Migrator", + "position": { + "filename": "migrator/migrator.go", + "offset": 1681, + "line": 74, + "column": 11 + } + }, + { + "module": "gorm.io/driver/postgres", + "version": "v1.5.11", + "package": "gorm.io/driver/postgres", + "function": "CreateTable", + "receiver": "Migrator", + "position": { + "filename": "migrator.go", + "offset": 5437, + "line": 192, + "column": 26 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db/migrations", + "function": "createTables", + "position": { + "filename": "data/db/migrations/1_init.go", + "offset": 616, + "line": 30, + "column": 40 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/data/db/migrations", + "function": "Up_1", + "position": { + "filename": "data/db/migrations/1_init.go", + "offset": 322, + "line": 17, + "column": 14 + } + } + ] + } +} +{ + "finding": { + "osv": "GO-2026-4601", + "fixed_version": "v1.25.8", + "trace": [ + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/url", + "function": "ParseRequestURI", + "position": { + "filename": "src/net/url/url.go", + "offset": 14437, + "line": 496, + "column": 6 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "readRequest", + "position": { + "filename": "src/net/http/request.go", + "offset": 37484, + "line": 1123, + "column": 39 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "readRequest", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 32705, + "line": 1048, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "serve", + "receiver": "*conn", + "position": { + "filename": "src/net/http/server.go", + "offset": 63739, + "line": 2027, + "column": 26 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "Serve", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 113612, + "line": 3454, + "column": 3 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "receiver": "*Server", + "position": { + "filename": "src/net/http/server.go", + "offset": 110321, + "line": 3350, + "column": 16 + } + }, + { + "module": "stdlib", + "version": "v1.24.4", + "package": "net/http", + "function": "ListenAndServe", + "position": { + "filename": "src/net/http/server.go", + "offset": 119930, + "line": 3665, + "column": 30 + } + }, + { + "module": "github.com/gin-gonic/gin", + "version": "v1.10.0", + "package": "github.com/gin-gonic/gin", + "function": "Run", + "receiver": "*Engine", + "position": { + "filename": "gin.go", + "offset": 13453, + "line": 399, + "column": 27 + } + }, + { + "module": "github.com/alielmi98/golang-expense-tracker-api", + "package": "github.com/alielmi98/golang-expense-tracker-api/api", + "function": "InitServer", + "position": { + "filename": "api/api.go", + "offset": 718, + "line": 25, + "column": 7 + } + } + ] + } +} diff --git a/unittests/tools/test_govulncheck_parser.py b/unittests/tools/test_govulncheck_parser.py index 2679bd55365..90499dc48fd 100644 --- a/unittests/tools/test_govulncheck_parser.py +++ b/unittests/tools/test_govulncheck_parser.py @@ -127,3 +127,9 @@ def test_parse_new_version_many_findings_custom_severity(self): self.assertIsNotNone(finding.impact) self.assertIsNotNone(finding.description) self.assertIsNotNone(finding.references) + + def test_parse_issue_14642(self): + with (get_unit_tests_scans_path("govulncheck") / "issue_14642.json").open(encoding="utf-8") as testfile: + parser = GovulncheckParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(201, len(findings)) From 79f744ebc049445bc7a4bed0769597fc30938b0e Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 9 Apr 2026 09:10:06 +0200 Subject: [PATCH 019/173] :tada: add CNNVD to vulnid --- dojo/settings/settings.dist.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 4414cee41a0..429b5646b90 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -2012,6 +2012,7 @@ def saml2_attrib_map_format(din): "CERTFR-": "https://www.cert.ssi.gouv.fr/alerte/", # e.g. https://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-012" "CGA-": "https://images.chainguard.dev/security/", # e.g. https://images.chainguard.dev/security/CGA-24pq-h5fw-43v3 "CISCO-SA-": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/", # e.g. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-tunnel-gJw5thgE + "CNNVD-": "https://vulners.com/cnnvd/", # e.g. https://vulners.com/cnnvd/CNNVD-202601-2391 "CONFSERVER-": "https://jira.atlassian.com/browse/", # e.g. https://jira.atlassian.com/browse/CONFSERVER-93361 "CVE-": "https://nvd.nist.gov/vuln/detail/", # e.g. https://nvd.nist.gov/vuln/detail/cve-2022-22965 "CWE": "https://cwe.mitre.org/data/definitions/&&.html", # e.g. https://cwe.mitre.org/data/definitions/79.html From d89ee435af32646e3691fe54c4971d1a6d342314 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 6 Apr 2026 18:16:02 +0000 Subject: [PATCH 020/173] Update versions in application files --- docs/content/en/open_source/upgrading/2.58.md | 7 +++++++ dojo/__init__.py | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 docs/content/en/open_source/upgrading/2.58.md diff --git a/docs/content/en/open_source/upgrading/2.58.md b/docs/content/en/open_source/upgrading/2.58.md new file mode 100644 index 00000000000..233bdf1802f --- /dev/null +++ b/docs/content/en/open_source/upgrading/2.58.md @@ -0,0 +1,7 @@ +--- +title: 'Upgrading to DefectDojo Version 2.58.x' +toc_hide: true +weight: -20260406 +description: No special instructions. +--- +There are no special instructions for upgrading to 2.58.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.58.0) for the contents of the release. diff --git a/dojo/__init__.py b/dojo/__init__.py index d4d7d95927d..972a154d299 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.57.0" +__version__ = "2.58.0-dev" __url__ = "https://github.com/DefectDojo/django-DefectDojo" # noqa: RUF067 __docs__ = "https://documentation.defectdojo.com" # noqa: RUF067 From 9349a443737971ba9ab8f9a8cf853fd95cee8c51 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Wed, 8 Apr 2026 10:11:39 +0200 Subject: [PATCH 021/173] chore(deps): bump ruff from 0.15.8 to 0.15.9 --- dojo/__init__.py | 4 ++-- dojo/tools/aws_prowler/__init__.py | 2 +- requirements-lint.txt | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dojo/__init__.py b/dojo/__init__.py index 972a154d299..4ef657c1ccc 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -5,5 +5,5 @@ from .celery import app as celery_app # noqa: F401 __version__ = "2.58.0-dev" -__url__ = "https://github.com/DefectDojo/django-DefectDojo" # noqa: RUF067 -__docs__ = "https://documentation.defectdojo.com" # noqa: RUF067 +__url__ = "https://github.com/DefectDojo/django-DefectDojo" +__docs__ = "https://documentation.defectdojo.com" diff --git a/dojo/tools/aws_prowler/__init__.py b/dojo/tools/aws_prowler/__init__.py index e349874aefc..c64d4512198 100644 --- a/dojo/tools/aws_prowler/__init__.py +++ b/dojo/tools/aws_prowler/__init__.py @@ -1,2 +1,2 @@ __author__ = "Aaron Weaver" -__contributor__ = "Daniel Loureiro - https://dkade.com" # noqa: RUF067 +__contributor__ = "Daniel Loureiro - https://dkade.com" diff --git a/requirements-lint.txt b/requirements-lint.txt index 3290a6cb352..210fd64e40d 100644 --- a/requirements-lint.txt +++ b/requirements-lint.txt @@ -1 +1 @@ -ruff==0.15.8 +ruff==0.15.9 From 2827ad95a201a097ba1b70f6967cf97a573eae42 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 9 Apr 2026 21:40:29 +0200 Subject: [PATCH 022/173] update --- docs/content/en/open_source/upgrading/2.58.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 docs/content/en/open_source/upgrading/2.58.md diff --git a/docs/content/en/open_source/upgrading/2.58.md b/docs/content/en/open_source/upgrading/2.58.md deleted file mode 100644 index 233bdf1802f..00000000000 --- a/docs/content/en/open_source/upgrading/2.58.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: 'Upgrading to DefectDojo Version 2.58.x' -toc_hide: true -weight: -20260406 -description: No special instructions. ---- -There are no special instructions for upgrading to 2.58.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.58.0) for the contents of the release. From 73e5f83332d92e73c97e5478783e160c840ab134 Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Thu, 9 Apr 2026 23:05:23 +0200 Subject: [PATCH 023/173] store more parameters in import settings --- dojo/importers/base_importer.py | 7 ++++ dojo/templatetags/display_tags.py | 48 +++++++++++++++---------- unittests/test_update_import_history.py | 23 ++++++++++++ 3 files changed, 60 insertions(+), 18 deletions(-) diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py index 9625b6c3f93..c149f4e169d 100644 --- a/dojo/importers/base_importer.py +++ b/dojo/importers/base_importer.py @@ -460,6 +460,13 @@ def update_import_history( import_settings["push_to_jira"] = self.push_to_jira import_settings["tags"] = self.tags import_settings["scan_date"] = self.scan_date.isoformat() if self.scan_date_override else None + import_settings["service"] = self.service + import_settings["close_old_findings_product_scope"] = self.close_old_findings_product_scope + import_settings["do_not_reactivate"] = self.do_not_reactivate + import_settings["apply_tags_to_findings"] = self.apply_tags_to_findings + import_settings["apply_tags_to_endpoints"] = self.apply_tags_to_endpoints + import_settings["group_by"] = self.group_by + import_settings["create_finding_groups_for_all_findings"] = self.create_finding_groups_for_all_findings if settings.V3_FEATURE_LOCATIONS: # Add the list of locations that were added exclusively at import time if len(self.endpoints_to_add) > 0: diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py index 9267ce2b9f1..25dee916bd1 100644 --- a/dojo/templatetags/display_tags.py +++ b/dojo/templatetags/display_tags.py @@ -1083,6 +1083,13 @@ def esc(x): Push to jira: %s
Tags: %s
Endpoints: %s
+ Service: %s
+ Close Old Findings (Product Scope): %s
+ Do Not Reactivate: %s
+ Apply Tags to Findings: %s
+ Apply Tags to Endpoints: %s
+ Group By: %s
+ Create Finding Groups for All Findings: %s
" """ @@ -1090,26 +1097,31 @@ def esc(x): icon = "fa-info-circle" color = "" + s = test_import.import_settings + common_fields = ( + esc(test_import.id), + esc(s.get("active", None)), + esc(s.get("verified", None)), + esc(s.get("minimum_severity", None)), + esc(s.get("close_old_findings", None)), + esc(s.get("push_to_jira", None)), + esc(s.get("tags", None)), + ) + extra_fields = ( + esc(s.get("service", None)), + esc(s.get("close_old_findings_product_scope", None)), + esc(s.get("do_not_reactivate", None)), + esc(s.get("apply_tags_to_findings", None)), + esc(s.get("apply_tags_to_endpoints", None)), + esc(s.get("group_by", None)), + esc(s.get("create_finding_groups_for_all_findings", None)), + ) + if not settings.V3_FEATURE_LOCATIONS: # TODO: Delete this after the move to Locations - return mark_safe(html % (icon, color, icon, - esc(test_import.id), - esc(test_import.import_settings.get("active", None)), - esc(test_import.import_settings.get("verified", None)), - esc(test_import.import_settings.get("minimum_severity", None)), - esc(test_import.import_settings.get("close_old_findings", None)), - esc(test_import.import_settings.get("push_to_jira", None)), - esc(test_import.import_settings.get("tags", None)), - esc(test_import.import_settings.get("endpoints", test_import.import_settings.get("endpoint", None))))) - return mark_safe(html % (icon, color, icon, - esc(test_import.id), - esc(test_import.import_settings.get("active", None)), - esc(test_import.import_settings.get("verified", None)), - esc(test_import.import_settings.get("minimum_severity", None)), - esc(test_import.import_settings.get("close_old_findings", None)), - esc(test_import.import_settings.get("push_to_jira", None)), - esc(test_import.import_settings.get("tags", None)), - esc(test_import.import_settings.get("locations", None)))) + endpoints = esc(s.get("endpoints", s.get("endpoint", None))) + return mark_safe(html % (icon, color, icon, *common_fields, endpoints, *extra_fields)) + return mark_safe(html % (icon, color, icon, *common_fields, esc(s.get("locations", None)), *extra_fields)) @register.filter(needs_autoescape=True) diff --git a/unittests/test_update_import_history.py b/unittests/test_update_import_history.py index d4192281985..5259b86c0aa 100644 --- a/unittests/test_update_import_history.py +++ b/unittests/test_update_import_history.py @@ -177,3 +177,26 @@ def test_import_settings_scan_date_when_no_scan_date_supplied(self): # Verify import_settings is JSON-serializable json.dumps(settings) self.assertIsNone(settings["scan_date"]) + + def test_import_settings_contains_scope_and_group_fields(self): + """import_settings should persist the seven scope/tag/group-by importer options.""" + self.importer.service = "my-service" + self.importer.close_old_findings_product_scope = True + self.importer.do_not_reactivate = True + self.importer.apply_tags_to_findings = True + self.importer.apply_tags_to_endpoints = True + self.importer.group_by = "component_name" + self.importer.create_finding_groups_for_all_findings = True + + new_findings = self._create_findings(1) + test_import = self.importer.update_import_history(new_findings=new_findings) + + s = test_import.import_settings + json.dumps(s) + self.assertEqual(s["service"], "my-service") + self.assertTrue(s["close_old_findings_product_scope"]) + self.assertTrue(s["do_not_reactivate"]) + self.assertTrue(s["apply_tags_to_findings"]) + self.assertTrue(s["apply_tags_to_endpoints"]) + self.assertEqual(s["group_by"], "component_name") + self.assertTrue(s["create_finding_groups_for_all_findings"]) From fcfadce04e61f7efb0e3e4a7d1d9bd278bbf39ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 19:36:25 -0600 Subject: [PATCH 024/173] chore(deps): bump lodash from 4.17.23 to 4.18.1 in /docs (#14648) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docs/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/package-lock.json b/docs/package-lock.json index 39caf2b63d8..423a13af25e 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json @@ -3461,9 +3461,9 @@ } }, "node_modules/lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "license": "MIT" }, "node_modules/lodash.debounce": { From ae6c5dddec774e6db8cb53c9c2d956b77fe03cc2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 19:36:58 -0600 Subject: [PATCH 025/173] chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /docs (#14651) Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docs/package-lock.json | 8 ++++---- docs/package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/package-lock.json b/docs/package-lock.json index 423a13af25e..4a2904e2f8f 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json @@ -23,7 +23,7 @@ }, "devDependencies": { "prettier": "3.8.1", - "vite": "7.3.1" + "vite": "7.3.2" }, "engines": { "node": ">=20.11.0" @@ -4484,9 +4484,9 @@ "license": "MIT" }, "node_modules/vite": { - "version": "7.3.1", - "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz", - "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==", + "version": "7.3.2", + "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz", + "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==", "dev": true, "license": "MIT", "dependencies": { diff --git a/docs/package.json b/docs/package.json index 77c261601ef..be7b78b837d 100644 --- a/docs/package.json +++ b/docs/package.json @@ -27,7 +27,7 @@ }, "devDependencies": { "prettier": "3.8.1", - "vite": "7.3.1" + "vite": "7.3.2" }, "engines": { "node": ">=20.11.0" From acec7cf50f1ad822301fd9300e0d069397730b43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 19:40:22 -0600 Subject: [PATCH 026/173] chore(deps): bump cryptography from 46.0.6 to 46.0.7 (#14660) * Update versions in application files * chore(deps): bump cryptography from 46.0.6 to 46.0.7 Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/46.0.6...46.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --------- Signed-off-by: dependabot[bot] Co-authored-by: DefectDojo release bot Co-authored-by: Ross E Esposito Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docs/content/en/open_source/upgrading/2.58.md | 7 +++++++ dojo/__init__.py | 2 +- requirements.txt | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 docs/content/en/open_source/upgrading/2.58.md diff --git a/docs/content/en/open_source/upgrading/2.58.md b/docs/content/en/open_source/upgrading/2.58.md new file mode 100644 index 00000000000..233bdf1802f --- /dev/null +++ b/docs/content/en/open_source/upgrading/2.58.md @@ -0,0 +1,7 @@ +--- +title: 'Upgrading to DefectDojo Version 2.58.x' +toc_hide: true +weight: -20260406 +description: No special instructions. +--- +There are no special instructions for upgrading to 2.58.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.58.0) for the contents of the release. diff --git a/dojo/__init__.py b/dojo/__init__.py index d4d7d95927d..972a154d299 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.57.0" +__version__ = "2.58.0-dev" __url__ = "https://github.com/DefectDojo/django-DefectDojo" # noqa: RUF067 __docs__ = "https://documentation.defectdojo.com" # noqa: RUF067 diff --git a/requirements.txt b/requirements.txt index c83ac000a3d..5a9fdcd2b0b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ Markdown==3.10.2 openpyxl==3.1.5 Pillow==12.1.1 # required by django-imagekit psycopg[c]==3.3.3 -cryptography==46.0.6 +cryptography==46.0.7 python-dateutil==2.9.0.post0 redis==7.4.0 requests==2.33.1 From e200b5a32475310182b9b987be2785adb809ee21 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 19:41:52 -0600 Subject: [PATCH 027/173] chore(deps): bump django from 5.2.12 to 5.2.13 (#14664) Bumps [django](https://github.com/django/django) from 5.2.12 to 5.2.13. - [Commits](https://github.com/django/django/compare/5.2.12...5.2.13) --- updated-dependencies: - dependency-name: django dependency-version: 5.2.13 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matt Tesauro --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5a9fdcd2b0b..0b6931e7177 100644 --- a/requirements.txt +++ b/requirements.txt @@ -19,7 +19,7 @@ django-slack==5.19.0 django-watson==1.6.3 django-permissions-policy==4.29.0 django-prometheus==2.4.1 -Django==5.2.12 +Django==5.2.13 django-single-session==0.2.0 djangorestframework==3.17.1 html2text==2025.4.15 From 772ecae340941bf627d56ced858d1757d03ad395 Mon Sep 17 00:00:00 2001 From: balaakasam Date: Sun, 12 Apr 2026 16:39:50 -0400 Subject: [PATCH 028/173] [docs] Improve Snyk parser documentation with export instructions and enterprise workflow --- .../supported_tools/parsers/file/snyk.md | 111 +++++++++++++++++- 1 file changed, 107 insertions(+), 4 deletions(-) diff --git a/docs/content/supported_tools/parsers/file/snyk.md b/docs/content/supported_tools/parsers/file/snyk.md index 717cf64323b..b1bed25e229 100644 --- a/docs/content/supported_tools/parsers/file/snyk.md +++ b/docs/content/supported_tools/parsers/file/snyk.md @@ -2,16 +2,119 @@ title: "Snyk" toc_hide: true --- -Snyk output file (snyk test \--json \> snyk.json) can be imported in -JSON format. Only SCA (Software Composition Analysis) report is supported (SAST report not supported yet). + +Snyk output file can be imported in JSON format. Snyk is a developer-first +security platform that identifies vulnerabilities in open source dependencies +(SCA) and application code (SAST). DefectDojo currently supports the SCA +report format via the Snyk parser. For SAST findings, use the +[Snyk Code](snyk_code.md) parser instead. ### Sample Scan Data + Sample Snyk scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/snyk). -### Default Deduplication Hashcode Fields -By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): +--- + +## Supported Report Types + +| Report Type | Supported | Parser | +|---|---|---| +| Snyk SCA (Open Source) | ✅ Yes | Snyk | +| Snyk SAST (Code) | ✅ Yes | Snyk Code | +| Snyk Issue API | ✅ Yes | Snyk Issue API | + +This page covers the **Snyk SCA (Open Source)** parser only. + +--- + +## How to Export from Snyk + +### Option 1 — Snyk Web UI (Recommended for Enterprise Use) + +1. Log in to your Snyk account at **app.snyk.io** +2. Navigate to your **Organization** and select the **Project** you want + to export +3. Click on the project to open the vulnerability list +4. Click the **Export** button at the top right of the findings list +5. Select **JSON** as the export format +6. Save the exported file + +### Option 2 — Snyk CLI + +If you prefer to export via the command line: + +```bash +snyk test --json > snyk.json +``` + +For monorepos or projects with multiple package managers, scan all +projects at once: + +```bash +snyk test --all-projects --json > snyk.json +``` + +For specific package managers: + +```bash +# For npm projects +snyk test --json --file=package.json > snyk.json + +# For Maven projects +snyk test --json --file=pom.xml > snyk.json + +# For Python projects +snyk test --json --file=requirements.txt > snyk.json +``` + +Once you have the JSON file, upload it into DefectDojo under your chosen +Engagement using **Import Scan > Snyk Scan**. + +--- + +## Severity Mapping + +Snyk uses its own severity model which maps to DefectDojo as follows: + +| Snyk Severity | DefectDojo Severity | +|---|---| +| Critical | Critical | +| High | High | +| Medium | Medium | +| Low | Low | + +--- + +## Recommended Workflow for Enterprise Use + +For teams running Snyk across multiple applications and repositories: + +1. **Use Reimport** (not Import) for recurring scans on the same target + to track finding status over time rather than creating duplicate records +2. **Export at the project level** rather than the organization level + to maintain clean engagement boundaries in DefectDojo +3. **Set SLA thresholds** in DefectDojo aligned to Snyk severity levels + so that Critical and High findings trigger appropriate remediation + timelines automatically +4. **Use Snyk's CI/CD integration** to export JSON automatically as part + of your pipeline and feed results into DefectDojo via the API for + continuous vulnerability tracking + +--- + +## Default Deduplication Hashcode Fields + +By default, DefectDojo identifies duplicate Findings using these +[hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): - vuln id from tool - file path - component name - component version + +### Note on Deduplication + +Snyk can report the same vulnerability across multiple projects or +package versions. When importing findings from multiple Snyk projects +into the same DefectDojo product, review your deduplication settings +to avoid over-counting the same underlying vulnerability. From fdcdc342bbdb42f4d369ead0aa67bddb2f0e597c Mon Sep 17 00:00:00 2001 From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Mon, 13 Apr 2026 10:54:49 -0400 Subject: [PATCH 029/173] update invicti parser to use FirstSeenDate (#14610) * update invicti parser to use FirstSeenDate * invicti: respect USE_FIRST_SEEN * update invicti test * ruff * update invicti test to use Generated scan date --- dojo/tools/netsparker/parser.py | 37 +++++++++------- unittests/tools/test_netsparker_parser.py | 51 +++++++++++++++++++++++ 2 files changed, 73 insertions(+), 15 deletions(-) diff --git a/dojo/tools/netsparker/parser.py b/dojo/tools/netsparker/parser.py index e53c67e241b..1859b21ebbe 100644 --- a/dojo/tools/netsparker/parser.py +++ b/dojo/tools/netsparker/parser.py @@ -10,6 +10,25 @@ from dojo.tools.locations import LocationData +def _parse_date(date_str): + """Parse a Netsparker/Invicti date string into a date object.""" + if not date_str: + return None + try: + if "UTC" in date_str: + return datetime.datetime.strptime( + date_str.split(" ")[0], "%d/%m/%Y", + ).date() + return datetime.datetime.strptime( + date_str, "%d/%m/%Y %H:%M %p", + ).date() + except ValueError: + try: + return date_parser.parse(date_str).date() + except (ValueError, date_parser.ParserError): + return None + + class NetsparkerParser: def get_scan_types(self): return ["Netsparker Scan"] @@ -27,20 +46,7 @@ def get_findings(self, filename, test): except Exception: data = json.loads(tree) dupes = {} - try: - if "UTC" in data["Generated"]: - scan_date = datetime.datetime.strptime( - data["Generated"].split(" ")[0], "%d/%m/%Y", - ).date() - else: - scan_date = datetime.datetime.strptime( - data["Generated"], "%d/%m/%Y %H:%M %p", - ).date() - except ValueError: - try: - scan_date = date_parser.parse(data["Generated"]) - except date_parser.ParserError: - scan_date = None + scan_date = _parse_date(data.get("Generated")) for item in data["Vulnerabilities"]: title = item["Name"] @@ -62,6 +68,7 @@ def get_findings(self, filename, test): dupe_key = title request = item["HttpRequest"].get("Content", None) response = item["HttpResponse"].get("Content", None) + finding_date = (_parse_date(item.get("FirstSeenDate")) or scan_date) if settings.USE_FIRST_SEEN else scan_date finding = Finding( title=title, @@ -70,7 +77,7 @@ def get_findings(self, filename, test): severity=sev.title(), mitigation=mitigation, impact=impact, - date=scan_date, + date=finding_date, references=references, cwe=cwe, static_finding=True, diff --git a/unittests/tools/test_netsparker_parser.py b/unittests/tools/test_netsparker_parser.py index b18ace0fa2b..276fc977dd8 100644 --- a/unittests/tools/test_netsparker_parser.py +++ b/unittests/tools/test_netsparker_parser.py @@ -1,4 +1,6 @@ +from django.test import override_settings + from dojo.models import Test from dojo.tools.netsparker.parser import NetsparkerParser from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path @@ -7,6 +9,7 @@ class TestNetsparkerParser(DojoTestCase): def test_parse_file_with_one_finding(self): + """With USE_FIRST_SEEN=False (default), date should come from Generated (scan date).""" with (get_unit_tests_scans_path("netsparker") / "netsparker_one_finding.json").open(encoding="utf-8") as testfile: parser = NetsparkerParser() findings = parser.get_findings(testfile, Test()) @@ -16,6 +19,7 @@ def test_parse_file_with_one_finding(self): finding = findings[0] self.assertEqual("Medium", finding.severity) self.assertEqual(16, finding.cwe) + # Generated date is "25/06/2021 09:59 AM" self.assertEqual("25/06/2021", finding.date.strftime("%d/%m/%Y")) self.assertIsNotNone(finding.description) self.assertGreater(len(finding.description), 0) @@ -24,7 +28,23 @@ def test_parse_file_with_one_finding(self): location = self.get_unsaved_locations(finding)[0] self.assertEqual(str(location), "http://php.testsparker.com/auth/login.php") + @override_settings(USE_FIRST_SEEN=True) + def test_parse_file_with_one_finding_first_seen(self): + """With USE_FIRST_SEEN=True, date should come from FirstSeenDate.""" + with (get_unit_tests_scans_path("netsparker") / "netsparker_one_finding.json").open(encoding="utf-8") as testfile: + parser = NetsparkerParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + self.validate_locations(findings) + with self.subTest(i=0): + finding = findings[0] + self.assertEqual("Medium", finding.severity) + self.assertEqual(16, finding.cwe) + # FirstSeenDate is "16/06/2021 12:30 PM" + self.assertEqual("16/06/2021", finding.date.strftime("%d/%m/%Y")) + def test_parse_file_with_multiple_finding(self): + """With USE_FIRST_SEEN=False (default), dates should come from Generated (scan date).""" with (get_unit_tests_scans_path("netsparker") / "netsparker_many_findings.json").open(encoding="utf-8") as testfile: parser = NetsparkerParser() findings = parser.get_findings(testfile, Test()) @@ -34,6 +54,7 @@ def test_parse_file_with_multiple_finding(self): finding = findings[0] self.assertEqual("Medium", finding.severity) self.assertEqual(16, finding.cwe) + # Generated date is "25/06/2021 10:00 AM" self.assertEqual("25/06/2021", finding.date.strftime("%d/%m/%Y")) self.assertIsNotNone(finding.description) self.assertGreater(len(finding.description), 0) @@ -66,6 +87,22 @@ def test_parse_file_with_multiple_finding(self): location = self.get_unsaved_locations(finding)[0] self.assertEqual(str(location), "http://php.testsparker.com") + @override_settings(USE_FIRST_SEEN=True) + def test_parse_file_with_multiple_finding_first_seen(self): + """With USE_FIRST_SEEN=True, dates should come from FirstSeenDate.""" + with (get_unit_tests_scans_path("netsparker") / "netsparker_many_findings.json").open(encoding="utf-8") as testfile: + parser = NetsparkerParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(16, len(findings)) + with self.subTest(i=0): + finding = findings[0] + # FirstSeenDate is "16/06/2021 12:30 PM" + self.assertEqual("16/06/2021", finding.date.strftime("%d/%m/%Y")) + with self.subTest(i=2): + finding = findings[2] + # FirstSeenDate is "15/06/2021 01:44 PM" + self.assertEqual("15/06/2021", finding.date.strftime("%d/%m/%Y")) + def test_parse_file_issue_9816(self): with (get_unit_tests_scans_path("netsparker") / "issue_9816.json").open(encoding="utf-8") as testfile: parser = NetsparkerParser() @@ -91,6 +128,7 @@ def test_parse_file_issue_10311(self): self.assertEqual("03/02/2019", finding.date.strftime("%d/%m/%Y")) def test_parse_file_issue_11020(self): + """With USE_FIRST_SEEN=False (default), date should come from Generated (scan date).""" with (get_unit_tests_scans_path("netsparker") / "issue_11020.json").open(encoding="utf-8") as testfile: parser = NetsparkerParser() findings = parser.get_findings(testfile, Test()) @@ -100,4 +138,17 @@ def test_parse_file_issue_11020(self): finding = findings[0] self.assertEqual("Low", finding.severity) self.assertEqual(205, finding.cwe) + # Generated date is "2024-10-08 02:33 PM" self.assertEqual("08/10/2024", finding.date.strftime("%d/%m/%Y")) + + @override_settings(USE_FIRST_SEEN=True) + def test_parse_file_issue_11020_first_seen(self): + """With USE_FIRST_SEEN=True, date should come from FirstSeenDate.""" + with (get_unit_tests_scans_path("netsparker") / "issue_11020.json").open(encoding="utf-8") as testfile: + parser = NetsparkerParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(3, len(findings)) + with self.subTest(i=0): + finding = findings[0] + # FirstSeenDate is "2024-07-23 05:32 PM" + self.assertEqual("23/07/2024", finding.date.strftime("%d/%m/%Y")) From 377d6d057fcc980e32e1e6044ff70816517cc42c Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 13 Apr 2026 15:20:53 +0000 Subject: [PATCH 030/173] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/components/package.json b/components/package.json index 9abaf4184c6..f224ee344bd 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.58.0-dev", + "version": "2.57.1", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 4ef657c1ccc..826418a495f 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.58.0-dev" +__version__ = "2.57.1" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 2aa2d56cd3e..35c4265e7a2 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.58.0-dev" +appVersion: "2.57.1" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.22-dev +version: 1.9.22 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "true" - artifacthub.io/changes: "" + artifacthub.io/prerelease: "false" + artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.57.1\n" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 519decabd6a..50b6f1de8bc 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.22-dev](https://img.shields.io/badge/Version-1.9.22--dev-informational?style=flat-square) ![AppVersion: 2.58.0-dev](https://img.shields.io/badge/AppVersion-2.58.0--dev-informational?style=flat-square) +![Version: 1.9.22](https://img.shields.io/badge/Version-1.9.22-informational?style=flat-square) ![AppVersion: 2.57.1](https://img.shields.io/badge/AppVersion-2.57.1-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo From 7154e5c1b2d475f15e8ebd3ceb9080e27741554f Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 13 Apr 2026 16:04:52 +0000 Subject: [PATCH 031/173] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/components/package.json b/components/package.json index f224ee344bd..9abaf4184c6 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.57.1", + "version": "2.58.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 826418a495f..4ef657c1ccc 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.57.1" +__version__ = "2.58.0-dev" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 35c4265e7a2..f0fe4814a66 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.57.1" +appVersion: "2.58.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.22 +version: 1.9.23-dev icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "false" - artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.57.1\n" + artifacthub.io/prerelease: "true" + artifacthub.io/changes: "" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 50b6f1de8bc..6006a2203b0 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.22](https://img.shields.io/badge/Version-1.9.22-informational?style=flat-square) ![AppVersion: 2.57.1](https://img.shields.io/badge/AppVersion-2.57.1-informational?style=flat-square) +![Version: 1.9.23-dev](https://img.shields.io/badge/Version-1.9.23--dev-informational?style=flat-square) ![AppVersion: 2.58.0-dev](https://img.shields.io/badge/AppVersion-2.58.0--dev-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo From 5f13e4d4e1193a1c343151cf76e1598ff4478080 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 13 Apr 2026 16:07:56 +0000 Subject: [PATCH 032/173] Update versions in application files --- components/package.json | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/package.json b/components/package.json index f224ee344bd..9abaf4184c6 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.57.1", + "version": "2.58.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 35c4265e7a2..f0fe4814a66 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.57.1" +appVersion: "2.58.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.22 +version: 1.9.23-dev icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "false" - artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.57.1\n" + artifacthub.io/prerelease: "true" + artifacthub.io/changes: "" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 50b6f1de8bc..6006a2203b0 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.22](https://img.shields.io/badge/Version-1.9.22-informational?style=flat-square) ![AppVersion: 2.57.1](https://img.shields.io/badge/AppVersion-2.57.1-informational?style=flat-square) +![Version: 1.9.23-dev](https://img.shields.io/badge/Version-1.9.23--dev-informational?style=flat-square) ![AppVersion: 2.58.0-dev](https://img.shields.io/badge/AppVersion-2.58.0--dev-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo From df916fdc338bfc09f1a4c00cbc663d46a583a1fc Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 14 Apr 2026 11:51:54 -0600 Subject: [PATCH 033/173] Update dependency renovatebot/renovate from 43.110.14 to v43.112.1 (.github/workflows/renovate.yaml) (#14674) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: valentijnscholten --- .github/workflows/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 6c69725340d..2610e79b2ea 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -21,4 +21,4 @@ jobs: uses: suzuki-shunsuke/github-action-renovate-config-validator@ee9f69e1f683ed0d08225086482b34fc9abe9300 # v2.1.0 with: strict: "true" - validator_version: 43.110.14 # renovate: datasource=github-releases depName=renovatebot/renovate + validator_version: 43.112.1 # renovate: datasource=github-releases depName=renovatebot/renovate From 8a2100effcde2cf2987f94dcc5297a27b7cfd008 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 08:44:32 -0500 Subject: [PATCH 034/173] chore(deps): bump pillow from 12.1.1 to 12.2.0 (#14680) Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](https://github.com/python-pillow/Pillow/compare/12.1.1...12.2.0) --- updated-dependencies: - dependency-name: pillow dependency-version: 12.2.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0b6931e7177..d782fdcd5c8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -29,7 +29,7 @@ PyGithub==2.9.0 lxml==6.0.2 Markdown==3.10.2 openpyxl==3.1.5 -Pillow==12.1.1 # required by django-imagekit +Pillow==12.2.0 # required by django-imagekit psycopg[c]==3.3.3 cryptography==46.0.7 python-dateutil==2.9.0.post0 From 0cbc2dce3e1ebf81ebddb12fee8dcf66c340b74a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:23:17 -0500 Subject: [PATCH 035/173] Update python:3.13.13-alpine3.22 Docker digest from 3.13.13 to v (Dockerfile.nginx-alpine) (#14683) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Dockerfile.django-alpine | 2 +- Dockerfile.nginx-alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.django-alpine b/Dockerfile.django-alpine index a4ab7d00ea6..7e3993dab31 100644 --- a/Dockerfile.django-alpine +++ b/Dockerfile.django-alpine @@ -5,7 +5,7 @@ # Dockerfile.nginx to use the caching mechanism of Docker. # Ref: https://devguide.python.org/#branchstatus -FROM python:3.13.13-alpine3.22@sha256:ad3d69d8050bfec214b11221341ee6e88f4a2f2e82c08ab8e510e2df78487ffb AS base +FROM python:3.13.13-alpine3.22@sha256:d739d0ecd8cd56c6f842d4ce55087ed551c519ec88fa0b3b98a5717c22a083c9 AS base FROM base AS build WORKDIR /app RUN \ diff --git a/Dockerfile.nginx-alpine b/Dockerfile.nginx-alpine index 48d0922635d..ca80193599d 100644 --- a/Dockerfile.nginx-alpine +++ b/Dockerfile.nginx-alpine @@ -5,7 +5,7 @@ # Dockerfile.django-alpine to use the caching mechanism of Docker. # Ref: https://devguide.python.org/#branchstatus -FROM python:3.13.13-alpine3.22@sha256:ad3d69d8050bfec214b11221341ee6e88f4a2f2e82c08ab8e510e2df78487ffb AS base +FROM python:3.13.13-alpine3.22@sha256:d739d0ecd8cd56c6f842d4ce55087ed551c519ec88fa0b3b98a5717c22a083c9 AS base FROM base AS build WORKDIR /app RUN \ From 9877afe95f9aead2db80d044452cad38df8a929e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:26:16 -0500 Subject: [PATCH 036/173] Update python:3.13.13-slim-trixie Docker digest from 3.13.13 to v (Dockerfile.integration-tests-debian) (#14684) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Dockerfile.django-debian | 2 +- Dockerfile.integration-tests-debian | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.django-debian b/Dockerfile.django-debian index 1274c687712..421716a8fdc 100644 --- a/Dockerfile.django-debian +++ b/Dockerfile.django-debian @@ -5,7 +5,7 @@ # Dockerfile.nginx to use the caching mechanism of Docker. # Ref: https://devguide.python.org/#branchstatus -FROM python:3.13.13-slim-trixie@sha256:f96eb0214ceab47efc2558b8351888ca01acf6193f4050ee7594c8250516cc8b AS base +FROM python:3.13.13-slim-trixie@sha256:2ba73a4dc380f21137fc75296abfa2add90b51fd10b609ce530b40cc097269b1 AS base FROM base AS build WORKDIR /app RUN \ diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian index d288465122e..af47d8a0b55 100644 --- a/Dockerfile.integration-tests-debian +++ b/Dockerfile.integration-tests-debian @@ -3,7 +3,7 @@ FROM openapitools/openapi-generator-cli:v7.21.0@sha256:ce308310f3c1f8761e65338b8ab87b651bf4862c6acb80de510f381fffc4510b AS openapitools # currently only supports x64, no arm yet due to chrome and selenium dependencies -FROM python:3.13.13-slim-trixie@sha256:f96eb0214ceab47efc2558b8351888ca01acf6193f4050ee7594c8250516cc8b AS build +FROM python:3.13.13-slim-trixie@sha256:2ba73a4dc380f21137fc75296abfa2add90b51fd10b609ce530b40cc097269b1 AS build WORKDIR /app RUN \ apt-get -y update && \ From 3563810232da159bda33f83a0a86724af8b10403 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:27:06 -0500 Subject: [PATCH 037/173] Update actions/cache action from v5.0.4 to v5.0.5 (.github/workflows/validate_docs_build.yml) (#14685) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/gh-pages.yml | 2 +- .github/workflows/validate_docs_build.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 3585388d680..b8ed603820d 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -27,7 +27,7 @@ jobs: node-version: '24.14.1' # TODO: Renovate helper might not be needed here - needs to be fully tested - name: Cache dependencies - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} diff --git a/.github/workflows/validate_docs_build.yml b/.github/workflows/validate_docs_build.yml index ca6d54e6b27..c6ddb2f02f4 100644 --- a/.github/workflows/validate_docs_build.yml +++ b/.github/workflows/validate_docs_build.yml @@ -22,7 +22,7 @@ jobs: node-version: '24.14.1' # TODO: Renovate helper might not be needed here - needs to be fully tested - name: Cache dependencies - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} From 7faee81069cf2eae33cf8dc7f600e4d2893f8b69 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:28:04 -0500 Subject: [PATCH 038/173] Update actions/upload-artifact action from v7.0.0 to v7.0.1 (.github/workflows/release-x-manual-docker-containers.yml) (#14686) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-docker-images-for-testing.yml | 2 +- .github/workflows/fetch-oas.yml | 2 +- .github/workflows/release-x-manual-docker-containers.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-docker-images-for-testing.yml b/.github/workflows/build-docker-images-for-testing.yml index e9e6dba295e..234dba28584 100644 --- a/.github/workflows/build-docker-images-for-testing.yml +++ b/.github/workflows/build-docker-images-for-testing.yml @@ -67,7 +67,7 @@ jobs: # export docker images to be used in next jobs below - name: Upload image ${{ matrix.docker-image }} as artifact timeout-minutes: 15 - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: built-docker-image-${{ matrix.docker-image }}-${{ matrix.os }}-${{ env.PLATFORM }} path: ${{ matrix.docker-image }}-${{ matrix.os }}-${{ env.PLATFORM }}_img diff --git a/.github/workflows/fetch-oas.yml b/.github/workflows/fetch-oas.yml index 153c540bb84..7873716642e 100644 --- a/.github/workflows/fetch-oas.yml +++ b/.github/workflows/fetch-oas.yml @@ -55,7 +55,7 @@ jobs: run: docker compose down - name: Upload oas.${{ matrix.file-type }} as artifact - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: oas-${{ matrix.file-type }} path: oas.${{ matrix.file-type }} diff --git a/.github/workflows/release-x-manual-docker-containers.yml b/.github/workflows/release-x-manual-docker-containers.yml index f4897248757..25b20214a71 100644 --- a/.github/workflows/release-x-manual-docker-containers.yml +++ b/.github/workflows/release-x-manual-docker-containers.yml @@ -90,7 +90,7 @@ jobs: # upload the digest file as artifact - name: Upload digest - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }} path: ${{ runner.temp }}/digests/* From c11447ccf363d7f0ee3b2bffa1ad1b797ea0af22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:29:10 -0500 Subject: [PATCH 039/173] chore(deps): bump drf-spectacular-sidecar from 2026.4.1 to 2026.4.14 (#14688) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.4.1 to 2026.4.14. - [Commits](https://github.com/tfranzel/drf-spectacular-sidecar/compare/2026.4.1...2026.4.14) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.4.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 843f05ff9e9..6d82a67af33 100644 --- a/requirements.txt +++ b/requirements.txt @@ -59,7 +59,7 @@ django-fieldsignals==0.8.0 hyperlink==21.0.0 djangosaml2==1.12.0 drf-spectacular==0.29.0 -drf-spectacular-sidecar==2026.4.1 +drf-spectacular-sidecar==2026.4.14 django-ratelimit==4.1.0 argon2-cffi==25.1.0 blackduck==1.1.3 From 5ca9e643e614a9437e171096ac3a4b5e0b12ca33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:59:36 -0500 Subject: [PATCH 040/173] chore(deps): bump pygithub from 2.9.0 to 2.9.1 (#14689) Bumps [pygithub](https://github.com/pygithub/pygithub) from 2.9.0 to 2.9.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](https://github.com/pygithub/pygithub/compare/v2.9.0...v2.9.1) --- updated-dependencies: - dependency-name: pygithub dependency-version: 2.9.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 6d82a67af33..e49d0a468f6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -25,7 +25,7 @@ djangorestframework==3.17.1 html2text==2025.4.15 humanize==4.15.0 jira==3.10.5 -PyGithub==2.9.0 +PyGithub==2.9.1 lxml==6.0.2 Markdown==3.10.2 openpyxl==3.1.5 From 46295dfcf32193b51d4debc3393e67c588c54aed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:22:04 -0500 Subject: [PATCH 041/173] chore(deps): bump ruff from 0.15.9 to 0.15.10 (#14690) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.9 to 0.15.10. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.15.9...0.15.10) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.10 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements-lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-lint.txt b/requirements-lint.txt index 210fd64e40d..0d7f81304a9 100644 --- a/requirements-lint.txt +++ b/requirements-lint.txt @@ -1 +1 @@ -ruff==0.15.9 +ruff==0.15.10 From c26028d35e9fc0ee39894ce45928a18299e346e0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:22:44 -0500 Subject: [PATCH 042/173] Update peter-evans/create-pull-request action from v8.1.0 to v8.1.1 (.github/workflows/update-sample-data.yml) (#14691) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/update-sample-data.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-sample-data.yml b/.github/workflows/update-sample-data.yml index 525e892b605..c6f2027a26d 100644 --- a/.github/workflows/update-sample-data.yml +++ b/.github/workflows/update-sample-data.yml @@ -33,7 +33,7 @@ jobs: git config --global user.email "${{ env.GIT_EMAIL }}" - name: Create Pull Request - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: "Update sample data" From b284c491192478128b4c168d1384b11f3fa23fce Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:24:08 -0500 Subject: [PATCH 043/173] Update softprops/action-gh-release action from v2.6.1 to v2.6.2 (.github/workflows/release-x-manual-helm-chart.yml) (#14693) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/release-x-manual-helm-chart.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-x-manual-helm-chart.yml b/.github/workflows/release-x-manual-helm-chart.yml index c7c86c3907c..5d74bc3bce1 100644 --- a/.github/workflows/release-x-manual-helm-chart.yml +++ b/.github/workflows/release-x-manual-helm-chart.yml @@ -77,7 +77,7 @@ jobs: echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV - name: Create release ${{ inputs.release_number }} - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: name: '${{ inputs.release_number }} 🌈' tag_name: ${{ inputs.release_number }} From 1d43d4dc1513c0fe89df2a35558a3f0fa26c86ad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:25:32 -0500 Subject: [PATCH 044/173] chore(deps): bump django-dbbackup from 5.2.0 to 5.3.0 (#14694) Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](https://github.com/Archmonger/django-dbbackup/compare/5.2.0...5.3.0) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index e49d0a468f6..96b0feaf044 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ defusedxml==0.7.1 django_celery_results==2.6.0 django-auditlog==3.2.1 django-pghistory==3.9.2 -django-dbbackup==5.2.0 +django-dbbackup==5.3.0 django-environ==0.13.0 django-filter==25.2 django-imagekit==6.1.0 From df387b79f900cf36445195126819f876d768fe8a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:27:18 -0500 Subject: [PATCH 045/173] Update docker/build-push-action action from v7.0.0 to v7.1.0 (.github/workflows/release-x-manual-docker-containers.yml) (#14695) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-docker-images-for-testing.yml | 2 +- .github/workflows/release-x-manual-docker-containers.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-docker-images-for-testing.yml b/.github/workflows/build-docker-images-for-testing.yml index 234dba28584..9f81a64f830 100644 --- a/.github/workflows/build-docker-images-for-testing.yml +++ b/.github/workflows/build-docker-images-for-testing.yml @@ -53,7 +53,7 @@ jobs: - name: Build id: docker_build - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 timeout-minutes: 15 env: DOCKER_BUILD_CHECKS_ANNOTATIONS: false diff --git a/.github/workflows/release-x-manual-docker-containers.yml b/.github/workflows/release-x-manual-docker-containers.yml index 25b20214a71..14f0b259584 100644 --- a/.github/workflows/release-x-manual-docker-containers.yml +++ b/.github/workflows/release-x-manual-docker-containers.yml @@ -69,7 +69,7 @@ jobs: # we cannot set any tags here, those are set on the merged digest in release-x-manual-merge-container-digests.yml - name: Build and push images id: build - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 env: DOCKER_BUILD_CHECKS_ANNOTATIONS: false with: From 8b05e4ceb1f036854b7118158f19b133a982e4ef Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:29:39 -0500 Subject: [PATCH 046/173] Update valkey Docker tag from 0.18.0 to v0.19.0 (helm/defectdojo/Chart.yaml) (#14696) * Update valkey Docker tag from 0.18.0 to v0.19.0 (helm/defectdojo/Chart.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] --- helm/defectdojo/Chart.lock | 6 +++--- helm/defectdojo/Chart.yaml | 4 ++-- helm/defectdojo/README.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index db730ca2249..892cb0e9297 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock @@ -4,6 +4,6 @@ dependencies: version: 16.7.27 - name: valkey repository: oci://registry-1.docker.io/cloudpirates - version: 0.18.0 -digest: sha256:0c3c6c5c8eee31ac3d9adeb5def442cb014fd97f18c147d01220f9c54d0b00b6 -generated: "2026-03-13T11:58:21.506508399Z" + version: 0.19.0 +digest: sha256:644732bcf4fadb73dd78d7db14892986359b9b501adcb68b4cb56ec8cdca84af +generated: "2026-04-15T01:23:02.08387448Z" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index f0fe4814a66..9600af3b961 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -14,7 +14,7 @@ dependencies: repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo" condition: postgresql.enabled - name: valkey - version: 0.18.0 + version: 0.19.0 repository: "oci://registry-1.docker.io/cloudpirates" condition: valkey.enabled # For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/ @@ -34,4 +34,4 @@ dependencies: # description: Critical bug annotations: artifacthub.io/prerelease: "true" - artifacthub.io/changes: "" + artifacthub.io/changes: "- kind: changed\n description: Update valkey Docker tag from 0.18.0 to v0.19.0 (_/defect_/Chart.yaml)\n" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 6006a2203b0..b7bc1606e18 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -525,7 +525,7 @@ A Helm chart for Kubernetes to install DefectDojo | Repository | Name | Version | |------------|------|---------| -| oci://registry-1.docker.io/cloudpirates | valkey | 0.18.0 | +| oci://registry-1.docker.io/cloudpirates | valkey | 0.19.0 | | oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | 16.7.27 | ## Values From 91d83e421b2e312e7ec6dccc88207337b39af404 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 20:28:28 -0500 Subject: [PATCH 047/173] chore(deps): bump lxml from 6.0.2 to 6.0.4 (#14692) Bumps [lxml](https://github.com/lxml/lxml) from 6.0.2 to 6.0.4. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](https://github.com/lxml/lxml/compare/lxml-6.0.2...lxml-6.0.4) --- updated-dependencies: - dependency-name: lxml dependency-version: 6.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 96b0feaf044..c6b1952b7c4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -26,7 +26,7 @@ html2text==2025.4.15 humanize==4.15.0 jira==3.10.5 PyGithub==2.9.1 -lxml==6.0.2 +lxml==6.0.4 Markdown==3.10.2 openpyxl==3.1.5 Pillow==12.2.0 # required by django-imagekit From 76d8ed8f206f724ddc44b2cb61fe2204a24684ec Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 16 Apr 2026 08:52:47 +0200 Subject: [PATCH 048/173] :tada: add mozilla foundation sec advice to vulnid --- dojo/settings/settings.dist.py | 1 + dojo/templatetags/display_tags.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 429b5646b90..2da65a5ebb6 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -2036,6 +2036,7 @@ def saml2_attrib_map_format(din): "KHV": "https://avd.aquasec.com/misconfig/kubernetes/", # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045 "LEN-": "https://support.lenovo.com/cl/de/product_security/", # e.g. https://support.lenovo.com/cl/de/product_security/LEN-94953 "MAL-": "https://cvepremium.circl.lu/vuln/", # e.g. https://cvepremium.circl.lu/vuln/mal-2025-49305 + "MFSA": "https://www.mozilla.org/en-US/security/advisories/", # e.g. https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/ "MGAA-": "https://advisories.mageia.org/&&.html", # e.g. https://advisories.mageia.org/MGAA-2013-0054.html "MGASA-": "https://advisories.mageia.org/&&.html", # e.g. https://advisories.mageia.org/MGASA-2025-0023.html "MSRC_": "https://cvepremium.circl.lu/vuln/", # e.g. https://cvepremium.circl.lu/vuln/msrc_cve-2025-59200 diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py index 25dee916bd1..be102783d03 100644 --- a/dojo/templatetags/display_tags.py +++ b/dojo/templatetags/display_tags.py @@ -854,7 +854,7 @@ def vulnerability_url(vulnerability_id): return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.replace("SSA:", "SSA-")) if key == "SSA-" and not re.findall(r"SSA-\d{4}-", vulnerability_id): return "https://cert-portal.siemens.com/productcert/html/" + str(vulnerability_id.lower()) + ".html" - if key in {"AVD", "KHV", "C-", "ELA-"}: + if key in {"AVD", "KHV", "C-", "ELA-", "MFSA"}: return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.lower()) if key == "SUSE-SU-": return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.lower().removeprefix("suse-su-")[:4]) + "/" + vulnerability_id.replace(":", "") From aec3fef0a49196977e7183989b989550f595d532 Mon Sep 17 00:00:00 2001 From: Jino Tesauro <53376807+Jino-T@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:52:27 -0500 Subject: [PATCH 049/173] Added ssrf utils file to check urls and applied it to risk recon parser (#14631) * added ssrf utils to check urls and applied it to risk recon parser * update risk recon unit tests * add unit tests for SSRF protection in risk recon API init Co-Authored-By: Claude Sonnet 4.6 * add unit tests for utils_ssrf module Co-Authored-By: Claude Sonnet 4.6 --------- Co-authored-by: Claude Sonnet 4.6 --- dojo/tools/risk_recon/api.py | 16 +- dojo/utils_ssrf.py | 172 ++++++++++++++++++++++ unittests/test_utils_ssrf.py | 75 ++++++++++ unittests/tools/test_risk_recon_parser.py | 24 ++- 4 files changed, 280 insertions(+), 7 deletions(-) create mode 100644 dojo/utils_ssrf.py create mode 100644 unittests/test_utils_ssrf.py diff --git a/dojo/tools/risk_recon/api.py b/dojo/tools/risk_recon/api.py index d9691d41aa9..5bf26d83115 100644 --- a/dojo/tools/risk_recon/api.py +++ b/dojo/tools/risk_recon/api.py @@ -1,6 +1,7 @@ -import requests from django.conf import settings +from dojo.utils_ssrf import SSRFError, make_ssrf_safe_session, validate_url_for_ssrf + class RiskReconAPI: def __init__(self, api_key, endpoint, data): @@ -26,7 +27,14 @@ def __init__(self, api_key, endpoint, data): raise Exception(msg) if self.url.endswith("/"): self.url = endpoint[:-1] - self.session = requests.Session() + + try: + validate_url_for_ssrf(self.url) + except SSRFError as exc: + msg = f"Invalid Risk Recon API url: {exc}" + raise Exception(msg) from exc + + self.session = make_ssrf_safe_session() self.map_toes() self.get_findings() @@ -54,7 +62,7 @@ def map_toes(self): filters = comps.get(name) self.toe_map[toe_id] = filters or self.data else: - msg = f"Unable to query Target of Evaluations due to {response.status_code} - {response.content}" + msg = f"Unable to query Target of Evaluations due to {response.status_code}" raise Exception(msg) # TODO: when implementing ruff BLE001, please fix also TODO in unittests/test_risk_recon.py def filter_finding(self, finding): @@ -86,5 +94,5 @@ def get_findings(self): if not self.filter_finding(finding): self.findings.append(finding) else: - msg = f"Unable to collect findings from toe: {toe} due to {response.status_code} - {response.content}" + msg = f"Unable to collect findings from toe: {toe} due to {response.status_code}" raise Exception(msg) diff --git a/dojo/utils_ssrf.py b/dojo/utils_ssrf.py new file mode 100644 index 00000000000..42334e0173b --- /dev/null +++ b/dojo/utils_ssrf.py @@ -0,0 +1,172 @@ +""" +SSRF (Server-Side Request Forgery) protection utilities. + +Provides a requests.Session that validates outbound URLs against private/reserved +IP ranges at socket-creation time, closing the DNS rebinding (TOCTOU) window that +exists when validation is performed only as a pre-flight step. + +Usage: + from dojo.utils_ssrf import make_ssrf_safe_session, validate_url_for_ssrf, SSRFError + + # Pre-flight validation (raises SSRFError with a human-readable message): + validate_url_for_ssrf(url) + + # Safe session (validates at socket-creation time on every request): + session = make_ssrf_safe_session() + response = session.get(url) +""" + +import ipaddress +import socket +from urllib.parse import urlparse + +import requests +import urllib3.connection +import urllib3.connectionpool +from requests.adapters import DEFAULT_POOLBLOCK, DEFAULT_POOLSIZE, HTTPAdapter + + +class SSRFError(ValueError): + + """Raised when a URL is determined to be unsafe for server-side requests.""" + + +_ALLOWED_SCHEMES = frozenset({"http", "https"}) + + +def _check_ip(ip_str: str) -> None: + """Raise SSRFError if the IP address is not globally routable.""" + try: + ip = ipaddress.ip_address(ip_str) + except ValueError as exc: + msg = f"Cannot parse IP address: {ip_str!r}" + raise SSRFError(msg) from exc + + # ip.is_global is False for loopback, link-local (169.254.x.x), RFC 1918, + # reserved, multicast, and unspecified addresses. + if not ip.is_global: + msg = ( + f"Blocked: URL resolved to non-public address {ip}. " + "Requests to private, loopback, link-local, or reserved " + "addresses are not permitted." + ) + raise SSRFError(msg) + + +def _resolve_and_check(hostname: str, port: int) -> None: + """Resolve hostname and verify every returned address is publicly routable.""" + try: + addr_infos = socket.getaddrinfo( + hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM, + ) + except socket.gaierror as exc: + msg = f"Unable to resolve hostname {hostname!r}: {exc}" + raise SSRFError(msg) from exc + + if not addr_infos: + msg = f"No addresses returned for hostname {hostname!r}" + raise SSRFError(msg) + + for _family, _type, _proto, _canon, sockaddr in addr_infos: + _check_ip(sockaddr[0]) + + +def validate_url_for_ssrf(url: str) -> None: + """ + Pre-flight SSRF validation for a URL. + + Checks: + - Scheme is http or https (blocks file://, gopher://, etc.) + - Every resolved IP address is globally routable (blocks RFC 1918, + loopback 127.x, link-local 169.254.x.x, and other reserved ranges) + + Raises SSRFError with a descriptive message if the URL is unsafe. + This is a best-effort pre-flight check; use make_ssrf_safe_session() for + socket-level enforcement that also mitigates DNS rebinding. + """ + try: + parsed = urlparse(url) + except Exception as exc: + msg = f"Malformed URL: {url!r}" + raise SSRFError(msg) from exc + + if parsed.scheme not in _ALLOWED_SCHEMES: + msg = ( + f"URL scheme {parsed.scheme!r} is not permitted. " + "Only 'http' and 'https' are allowed." + ) + raise SSRFError(msg) + + hostname = parsed.hostname + if not hostname: + msg = f"URL has no hostname: {url!r}" + raise SSRFError(msg) + + port = parsed.port or (443 if parsed.scheme == "https" else 80) + _resolve_and_check(hostname, port) + + +# --------------------------------------------------------------------------- +# urllib3 connection subclasses — validation runs at socket-creation time. +# Overriding _new_conn() (called immediately before the OS connect() syscall) +# minimises the TOCTOU window to microseconds, making DNS rebinding attacks +# impractical in practice. +# --------------------------------------------------------------------------- + +class _SSRFSafeHTTPConnection(urllib3.connection.HTTPConnection): + def _new_conn(self) -> socket.socket: + _resolve_and_check(self._dns_host, self.port) + return super()._new_conn() + + +class _SSRFSafeHTTPSConnection(urllib3.connection.HTTPSConnection): + def _new_conn(self) -> socket.socket: + _resolve_and_check(self._dns_host, self.port) + return super()._new_conn() + + +class _SSRFSafeHTTPConnectionPool(urllib3.connectionpool.HTTPConnectionPool): + ConnectionCls = _SSRFSafeHTTPConnection + + +class _SSRFSafeHTTPSConnectionPool(urllib3.connectionpool.HTTPSConnectionPool): + ConnectionCls = _SSRFSafeHTTPSConnection + + +_SAFE_POOL_CLASSES = { + "http": _SSRFSafeHTTPConnectionPool, + "https": _SSRFSafeHTTPSConnectionPool, +} + + +class _SSRFSafeAdapter(HTTPAdapter): + + """ + A requests HTTPAdapter that injects SSRF-safe connection classes into the + urllib3 pool manager so that IP validation happens at socket-creation time + on every request, including after redirects. + """ + + def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs): + super().init_poolmanager(connections, maxsize, block, **pool_kwargs) + # Replace the pool classes after the manager is created. + # pool_classes_by_scheme is a plain dict on the instance, so this + # only affects this adapter's pool manager. + self.poolmanager.pool_classes_by_scheme = _SAFE_POOL_CLASSES + + +def make_ssrf_safe_session() -> requests.Session: + """ + Return a requests.Session with SSRF protection applied at the socket level. + + Every outbound request made through this session will have its resolved IP + validated against the private/reserved range blocklist immediately before + the OS socket is opened, preventing both: + - Direct requests to internal IP ranges + - DNS rebinding attacks + """ + session = requests.Session() + adapter = _SSRFSafeAdapter(pool_maxsize=DEFAULT_POOLSIZE) + session.mount("http://", adapter) + session.mount("https://", adapter) + return session diff --git a/unittests/test_utils_ssrf.py b/unittests/test_utils_ssrf.py new file mode 100644 index 00000000000..904abf8101c --- /dev/null +++ b/unittests/test_utils_ssrf.py @@ -0,0 +1,75 @@ +import socket +from unittest.mock import patch + +import requests + +from dojo.utils_ssrf import SSRFError, _SSRFSafeAdapter, make_ssrf_safe_session, validate_url_for_ssrf # noqa: PLC2701 +from unittests.dojo_test_case import DojoTestCase + + +def _addr_info(ip, port=80): + """Build a minimal getaddrinfo-style return value for a single IP.""" + return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))] + + +_MIXED_ADDR_INFO = [ + (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("8.8.8.8", 80)), + (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.168.1.1", 80)), +] + + +class TestValidateUrlForSsrf(DojoTestCase): + + @patch("dojo.utils_ssrf.socket.getaddrinfo", return_value=_addr_info("8.8.8.8")) + def test_valid_public_url_does_not_raise(self, mock_getaddrinfo): + validate_url_for_ssrf("http://example.com/api") # should not raise + + def test_file_scheme_raises(self): + with self.assertRaisesRegex(SSRFError, "not permitted"): + validate_url_for_ssrf("file:///etc/passwd") + + def test_gopher_scheme_raises(self): + with self.assertRaisesRegex(SSRFError, "not permitted"): + validate_url_for_ssrf("gopher://example.com") + + def test_no_hostname_raises(self): + with self.assertRaisesRegex(SSRFError, "no hostname"): + validate_url_for_ssrf("http://") + + def test_loopback_ip_raises(self): + with self.assertRaisesRegex(SSRFError, "non-public address"): + validate_url_for_ssrf("http://127.0.0.1/") + + def test_private_class_c_raises(self): + with self.assertRaisesRegex(SSRFError, "non-public address"): + validate_url_for_ssrf("http://192.168.1.1/") + + def test_private_class_a_raises(self): + with self.assertRaisesRegex(SSRFError, "non-public address"): + validate_url_for_ssrf("http://10.0.0.1/") + + def test_link_local_raises(self): + with self.assertRaisesRegex(SSRFError, "non-public address"): + validate_url_for_ssrf("http://169.254.1.1/") + + @patch("dojo.utils_ssrf.socket.getaddrinfo", side_effect=socket.gaierror("Name or service not known")) + def test_unresolvable_hostname_raises(self, mock_getaddrinfo): + with self.assertRaisesRegex(SSRFError, "Unable to resolve"): + validate_url_for_ssrf("http://nonexistent.invalid/") + + @patch("dojo.utils_ssrf.socket.getaddrinfo", return_value=_MIXED_ADDR_INFO) + def test_multi_address_with_private_ip_raises(self, mock_getaddrinfo): + with self.assertRaisesRegex(SSRFError, "non-public address"): + validate_url_for_ssrf("http://example.com/") + + +class TestMakeSsrfSafeSession(DojoTestCase): + + def test_returns_requests_session(self): + session = make_ssrf_safe_session() + self.assertIsInstance(session, requests.Session) + + def test_http_and_https_mounted_with_safe_adapter(self): + session = make_ssrf_safe_session() + self.assertIsInstance(session.get_adapter("http://example.com"), _SSRFSafeAdapter) + self.assertIsInstance(session.get_adapter("https://example.com"), _SSRFSafeAdapter) diff --git a/unittests/tools/test_risk_recon_parser.py b/unittests/tools/test_risk_recon_parser.py index c59b39bd7d9..a2fec88180d 100644 --- a/unittests/tools/test_risk_recon_parser.py +++ b/unittests/tools/test_risk_recon_parser.py @@ -1,9 +1,10 @@ import datetime - -import requests +from unittest.mock import MagicMock, patch from dojo.models import Test +from dojo.tools.risk_recon.api import RiskReconAPI from dojo.tools.risk_recon.parser import RiskReconParser +from dojo.utils_ssrf import SSRFError from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path @@ -11,7 +12,7 @@ class TestRiskReconAPIParser(DojoTestCase): def test_api_with_bad_url(self): with (get_unit_tests_scans_path("risk_recon") / "bad_url.json").open(encoding="utf-8") as testfile, \ - self.assertRaises(requests.exceptions.ConnectionError): + self.assertRaises(Exception): # noqa: B017 # SSRFError is caught and re-raised as Exception in api.py parser = RiskReconParser() parser.get_findings(testfile, Test()) @@ -34,3 +35,20 @@ def test_parser_without_api(self): finding = findings[1] self.assertEqual(datetime.date(2017, 3, 17), finding.date.date()) self.assertEqual("ff2bbdbfc2b6gsrgwergwe6b1fasfwefb", finding.unique_id_from_tool) + + @patch("dojo.tools.risk_recon.api.validate_url_for_ssrf", side_effect=SSRFError("blocked: private address")) + def test_ssrf_error_is_raised_as_exception(self, mock_validate): + with self.assertRaisesRegex(Exception, "Invalid Risk Recon API url"): + RiskReconAPI(api_key="somekey", endpoint="http://192.168.1.1/api", data=[]) + mock_validate.assert_called_once_with("http://192.168.1.1/api") + + @patch.object(RiskReconAPI, "get_findings") + @patch.object(RiskReconAPI, "map_toes") + @patch("dojo.tools.risk_recon.api.make_ssrf_safe_session") + @patch("dojo.tools.risk_recon.api.validate_url_for_ssrf") + def test_make_ssrf_safe_session_called_on_init(self, mock_validate, mock_make_session, mock_map_toes, mock_get_findings): + mock_session = MagicMock() + mock_make_session.return_value = mock_session + api = RiskReconAPI(api_key="somekey", endpoint="https://api.riskrecon.com/v1", data=[]) + mock_make_session.assert_called_once() + self.assertIs(api.session, mock_session) From 7f546711bc9221630237fcf586a2946a2f71c293 Mon Sep 17 00:00:00 2001 From: Jino Tesauro <53376807+Jino-T@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:53:02 -0500 Subject: [PATCH 050/173] Use RBAC for accept_risks API endpoints (#14632) * Fix accept_risks API endpoints to use RBAC instead of IsAdminUser Replace DRF's IsAdminUser permission with DefectDojo's RBAC system on all accept_risks endpoints. IsAdminUser only checked is_staff, bypassing role-based access control entirely. - Use UserHasRiskAcceptanceRelatedObjectPermission for detail endpoints (engagement/test accept_risks) to enforce Permissions.Risk_Acceptance - Change mass endpoint to query engagements with Risk_Acceptance permission instead of Engagement_View - Enforce product-level enable_full_risk_acceptance setting on all accept_risks endpoints - Add 9 RBAC unit tests covering writer/reader roles and the enable_full_risk_acceptance product setting Co-Authored-By: Claude Opus 4.6 (1M context) * Fix ruff lint: add blank line before class docstring Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) --- dojo/risk_acceptance/api.py | 19 ++- unittests/test_bulk_risk_acceptance_api.py | 188 +++++++++++++++++++++ 2 files changed, 201 insertions(+), 6 deletions(-) diff --git a/dojo/risk_acceptance/api.py b/dojo/risk_acceptance/api.py index 2fdaadf0afb..4db4e09c76d 100644 --- a/dojo/risk_acceptance/api.py +++ b/dojo/risk_acceptance/api.py @@ -1,18 +1,20 @@ from abc import ABC, abstractmethod from typing import NamedTuple +from django.core.exceptions import PermissionDenied from django.db.models import QuerySet from django.utils import timezone from drf_spectacular.utils import extend_schema from rest_framework import serializers, status from rest_framework.decorators import action -from rest_framework.permissions import IsAdminUser +from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response +from dojo.api_v2.permissions import UserHasRiskAcceptanceRelatedObjectPermission from dojo.api_v2.serializers import RiskAcceptanceSerializer from dojo.authorization.roles_permissions import Permissions from dojo.engagement.queries import get_authorized_engagements -from dojo.models import Risk_Acceptance, User, Vulnerability_Id +from dojo.models import Engagement, Risk_Acceptance, User, Vulnerability_Id AcceptedRisk = NamedTuple("AcceptedRisk", (("vulnerability_id", str), ("justification", str), ("accepted_by", str))) @@ -40,10 +42,13 @@ def risk_application_model_class(self): request=AcceptedRiskSerializer(many=True), responses={status.HTTP_201_CREATED: RiskAcceptanceSerializer(many=True)}, ) - @action(methods=["post"], detail=True, permission_classes=[IsAdminUser], serializer_class=AcceptedRiskSerializer, - filter_backends=[], pagination_class=None) + @action(methods=["post"], detail=True, permission_classes=[IsAuthenticated, UserHasRiskAcceptanceRelatedObjectPermission], + serializer_class=AcceptedRiskSerializer, filter_backends=[], pagination_class=None) def accept_risks(self, request, pk=None): model = self.get_object() + product = model.product if isinstance(model, Engagement) else model.engagement.product + if not product.enable_full_risk_acceptance: + raise PermissionDenied serializer = AcceptedRiskSerializer(data=request.data, many=True) if serializer.is_valid(): accepted_risks = serializer.save() @@ -63,7 +68,7 @@ class AcceptedFindingsMixin(ABC): request=AcceptedRiskSerializer(many=True), responses={status.HTTP_201_CREATED: RiskAcceptanceSerializer(many=True)}, ) - @action(methods=["post"], detail=False, permission_classes=[IsAdminUser], serializer_class=AcceptedRiskSerializer) + @action(methods=["post"], detail=False, permission_classes=[IsAuthenticated], serializer_class=AcceptedRiskSerializer) def accept_risks(self, request): serializer = AcceptedRiskSerializer(data=request.data, many=True) if serializer.is_valid(): @@ -72,7 +77,9 @@ def accept_risks(self, request): return Response(data=serializer.errors, status=status.HTTP_400_BAD_REQUEST) owner = request.user accepted_result = [] - for engagement in get_authorized_engagements(Permissions.Engagement_View): + for engagement in get_authorized_engagements(Permissions.Risk_Acceptance): + if not engagement.product.enable_full_risk_acceptance: + continue base_findings = engagement.unaccepted_open_findings accepted = _accept_risks(accepted_risks, base_findings, owner) engagement.accept_risks(accepted) diff --git a/unittests/test_bulk_risk_acceptance_api.py b/unittests/test_bulk_risk_acceptance_api.py index 05bbe10e7a8..cc5ace94517 100644 --- a/unittests/test_bulk_risk_acceptance_api.py +++ b/unittests/test_bulk_risk_acceptance_api.py @@ -9,6 +9,7 @@ Engagement, Finding, Product, + Product_Member, Product_Type, Product_Type_Member, Role, @@ -117,3 +118,190 @@ def test_finding_accept_risks(self): for ra in self.engagement_2b.risk_acceptance.all(): for finding in ra.accepted_findings.all(): self.assertEqual(self.engagement_2a.product, finding.test.engagement.product) + + +class TestBulkRiskAcceptanceRbac(APITestCase): + + """Tests that accept_risks endpoints use RBAC (Permissions.Risk_Acceptance) instead of is_staff.""" + + @classmethod + def setUpTestData(cls): + cls.product_type = Product_Type.objects.create(name="RBAC Test Type") + cls.test_type = Test_Type.objects.create(name="RBAC Mock Scan", static_tool=True) + + # Product with full risk acceptance enabled (default) + cls.product_enabled = Product.objects.create( + prod_type=cls.product_type, name="RBAC Enabled", + description="Full risk acceptance enabled", + enable_full_risk_acceptance=True, + ) + # Product with full risk acceptance disabled + cls.product_disabled = Product.objects.create( + prod_type=cls.product_type, name="RBAC Disabled", + description="Full risk acceptance disabled", + enable_full_risk_acceptance=False, + ) + + cls.engagement_enabled = Engagement.objects.create( + product=cls.product_enabled, + target_start=datetime.datetime(2000, 1, 1, tzinfo=datetime.UTC), + target_end=datetime.datetime(2000, 2, 1, tzinfo=datetime.UTC), + ) + cls.engagement_disabled = Engagement.objects.create( + product=cls.product_disabled, + target_start=datetime.datetime(2000, 1, 1, tzinfo=datetime.UTC), + target_end=datetime.datetime(2000, 2, 1, tzinfo=datetime.UTC), + ) + + cls.test_enabled = Test.objects.create( + engagement=cls.engagement_enabled, test_type=cls.test_type, + target_start=datetime.datetime(2000, 1, 1, tzinfo=datetime.UTC), + target_end=datetime.datetime(2000, 2, 1, tzinfo=datetime.UTC), + ) + cls.test_disabled = Test.objects.create( + engagement=cls.engagement_disabled, test_type=cls.test_type, + target_start=datetime.datetime(2000, 1, 1, tzinfo=datetime.UTC), + target_end=datetime.datetime(2000, 2, 1, tzinfo=datetime.UTC), + ) + + # Writer user: has Risk_Acceptance permission, NOT is_staff + cls.writer = User.objects.create(username="rbac_writer", is_staff=False) + cls.writer_token = Token.objects.create(user=cls.writer) + Product_Member.objects.create( + product=cls.product_enabled, user=cls.writer, + role=Role.objects.get(id=Roles.Writer), + ) + Product_Member.objects.create( + product=cls.product_disabled, user=cls.writer, + role=Role.objects.get(id=Roles.Writer), + ) + + # Reader user: does NOT have Risk_Acceptance permission, NOT is_staff + cls.reader = User.objects.create(username="rbac_reader", is_staff=False) + cls.reader_token = Token.objects.create(user=cls.reader) + Product_Member.objects.create( + product=cls.product_enabled, user=cls.reader, + role=Role.objects.get(id=Roles.Reader), + ) + + def create_finding(test, reporter, cve): + return Finding( + test=test, title=f"Finding {cve}", cve=cve, severity="High", + verified=True, description="Test", mitigation="Test", + impact="Test", reporter=reporter, numerical_severity="S1", + static_finding=True, dynamic_finding=False, + ) + + # Findings on the enabled product + Finding.objects.bulk_create( + create_finding(cls.test_enabled, cls.writer, f"CVE-2024-{i}") for i in range(10)) + for f in Finding.objects.filter(test=cls.test_enabled): + Vulnerability_Id.objects.get_or_create(finding=f, vulnerability_id=f.cve) + + # Findings on the disabled product + Finding.objects.bulk_create( + create_finding(cls.test_disabled, cls.writer, f"CVE-2024-{i + 100}") for i in range(5)) + for f in Finding.objects.filter(test=cls.test_disabled): + Vulnerability_Id.objects.get_or_create(finding=f, vulnerability_id=f.cve) + + def _client_for(self, token): + client = APIClient() + client.credentials(HTTP_AUTHORIZATION="Token " + token.key) + return client + + def _accepted_risks(self, cve_ids): + return [{"vulnerability_id": cve, "justification": "Test", "accepted_by": "Tester"} for cve in cve_ids] + + # --- Writer (has Risk_Acceptance) succeeds on enabled product --- + + def test_writer_can_accept_risks_on_engagement(self): + client = self._client_for(self.writer_token) + result = client.post( + reverse("engagement-accept-risks", kwargs={"pk": self.engagement_enabled.id}), + data=self._accepted_risks(["CVE-2024-0"]), + format="json", + ) + self.assertEqual(result.status_code, 201) + + def test_writer_can_accept_risks_on_test(self): + client = self._client_for(self.writer_token) + result = client.post( + reverse("test-accept-risks", kwargs={"pk": self.test_enabled.id}), + data=self._accepted_risks(["CVE-2024-1"]), + format="json", + ) + self.assertEqual(result.status_code, 201) + + def test_writer_can_accept_risks_on_findings(self): + client = self._client_for(self.writer_token) + result = client.post( + reverse("finding-accept-risks"), + data=self._accepted_risks(["CVE-2024-2"]), + format="json", + ) + self.assertEqual(result.status_code, 201) + + # --- Reader (no Risk_Acceptance) is forbidden --- + + def test_reader_forbidden_on_engagement(self): + client = self._client_for(self.reader_token) + result = client.post( + reverse("engagement-accept-risks", kwargs={"pk": self.engagement_enabled.id}), + data=self._accepted_risks(["CVE-2024-3"]), + format="json", + ) + self.assertEqual(result.status_code, 403) + + def test_reader_forbidden_on_test(self): + client = self._client_for(self.reader_token) + result = client.post( + reverse("test-accept-risks", kwargs={"pk": self.test_enabled.id}), + data=self._accepted_risks(["CVE-2024-4"]), + format="json", + ) + self.assertEqual(result.status_code, 403) + + def test_reader_gets_empty_result_on_findings(self): + client = self._client_for(self.reader_token) + result = client.post( + reverse("finding-accept-risks"), + data=self._accepted_risks(["CVE-2024-5"]), + format="json", + ) + # Mass endpoint returns 201 with empty results (no authorized engagements) + self.assertEqual(result.status_code, 201) + self.assertEqual(len(result.json()), 0) + + # --- enable_full_risk_acceptance=False blocks risk acceptance --- + + def test_engagement_blocked_when_full_risk_acceptance_disabled(self): + client = self._client_for(self.writer_token) + result = client.post( + reverse("engagement-accept-risks", kwargs={"pk": self.engagement_disabled.id}), + data=self._accepted_risks(["CVE-2024-100"]), + format="json", + ) + self.assertEqual(result.status_code, 403) + + def test_test_blocked_when_full_risk_acceptance_disabled(self): + client = self._client_for(self.writer_token) + result = client.post( + reverse("test-accept-risks", kwargs={"pk": self.test_disabled.id}), + data=self._accepted_risks(["CVE-2024-101"]), + format="json", + ) + self.assertEqual(result.status_code, 403) + + def test_mass_endpoint_skips_disabled_products(self): + client = self._client_for(self.writer_token) + # Use a CVE that exists only on the disabled product + result = client.post( + reverse("finding-accept-risks"), + data=self._accepted_risks(["CVE-2024-102"]), + format="json", + ) + self.assertEqual(result.status_code, 201) + # No risk acceptances created because the matching engagement's product has it disabled + self.assertEqual(len(result.json()), 0) + # Findings on disabled product remain unaccepted + self.assertEqual(self.engagement_disabled.unaccepted_open_findings.count(), 5) From eea3e47d0976a2ba1726bf0b3a988170b24210bc Mon Sep 17 00:00:00 2001 From: Jino Tesauro <53376807+Jino-T@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:53:36 -0500 Subject: [PATCH 051/173] Change to reactivating risk accepted findings (#14633) * change to reactivating risk accepted findinggs * Fix remove_finding BFLA and add test coverage (PR #14633) Gate the remove_finding POST branch on edit_mode so only the edit URL (requiring Risk_Acceptance permission) can process finding removals. Scope the finding lookup to risk_acceptance.accepted_findings to prevent cross-product blind enumeration via sequential IDs. Add 6 security tests covering: edit_mode guard, scoped lookup, cross-product IDOR, decorator enforcement, and positive regression. Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) --- dojo/engagement/views.py | 5 +- unittests/test_permissions_audit.py | 261 ++++++++++++++++++++++++++++ unittests/test_risk_acceptance.py | 2 +- 3 files changed, 265 insertions(+), 3 deletions(-) diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index 1b94ace21f4..c955439814f 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -1442,9 +1442,10 @@ def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False): "Since you are not the note's author, it was not deleted.", extra_tags="alert-danger") - if "remove_finding" in request.POST: + if edit_mode and "remove_finding" in request.POST: finding = get_object_or_404( - Finding, pk=request.POST["remove_finding_id"]) + risk_acceptance.accepted_findings, + pk=request.POST["remove_finding_id"]) ra_helper.remove_finding_from_risk_acceptance(request.user, risk_acceptance, finding) diff --git a/unittests/test_permissions_audit.py b/unittests/test_permissions_audit.py index 8904c6270be..26ef3fb78c8 100644 --- a/unittests/test_permissions_audit.py +++ b/unittests/test_permissions_audit.py @@ -12,6 +12,7 @@ 8. Questionnaire cross-engagement IDOR (H1 #3571957) 9. Finding Templates exposure via find_template_to_apply (H1 #3577363) 10. Jira Epic BFLA - Reader cannot trigger update_jira_epic (H1 #3577193) +11. Risk Acceptance remove_finding: edit_mode guard + scoped finding lookup (PR #14633) """ import datetime @@ -701,6 +702,266 @@ def test_view_risk_acceptance_same_engagement(self): self.assertEqual(response.status_code, 200) +class TestRiskAcceptanceRemoveFindingGuard(DojoTestCase): + + """ + PR #14633: view_edit_risk_acceptance must: + 1. Only process 'remove_finding' when edit_mode is True (Writer+ via edit URL). + 2. Scope the finding lookup to risk_acceptance.accepted_findings (not global Finding). + + Prevents a Reader from removing findings via the view URL, and prevents + cross-product blind enumeration of finding IDs. + """ + + @classmethod + def setUpTestData(cls): + cls.reader_role = Role.objects.get(name="Reader") + cls.owner_role = Role.objects.get(name="Owner") + + # ── Product A ──────────────────────────────────────────────── + cls.product_type_a = Product_Type.objects.create( + name="RA Remove Guard Test PT A", + ) + cls.product_a = Product.objects.create( + name="RA Remove Guard Product A", + description="Test", + prod_type=cls.product_type_a, + enable_full_risk_acceptance=True, + ) + + # ── Product B (for cross-product IDOR test) ───────────────── + cls.product_type_b = Product_Type.objects.create( + name="RA Remove Guard Test PT B", + ) + cls.product_b = Product.objects.create( + name="RA Remove Guard Product B", + description="Test", + prod_type=cls.product_type_b, + enable_full_risk_acceptance=True, + ) + + # ── Users ──────────────────────────────────────────────────── + cls.reader_user_a = Dojo_User.objects.create_user( + username="ra_remove_reader_a", + password="testTEST1234!@#$", # noqa: S106 + is_active=True, + ) + cls.owner_user_a = Dojo_User.objects.create_user( + username="ra_remove_owner_a", + password="testTEST1234!@#$", # noqa: S106 + is_active=True, + ) + cls.owner_user_b = Dojo_User.objects.create_user( + username="ra_remove_owner_b", + password="testTEST1234!@#$", # noqa: S106 + is_active=True, + ) + + # ── Role assignments ───────────────────────────────────────── + Product_Member.objects.create( + product=cls.product_a, + user=cls.reader_user_a, + role=cls.reader_role, + ) + Product_Member.objects.create( + product=cls.product_a, + user=cls.owner_user_a, + role=cls.owner_role, + ) + Product_Member.objects.create( + product=cls.product_b, + user=cls.owner_user_b, + role=cls.owner_role, + ) + + # ── Product A: engagement, test, findings, risk acceptance ─── + cls.engagement_a = Engagement.objects.create( + name="RA Remove Guard Engagement A", + product=cls.product_a, + target_start=datetime.date(2024, 1, 1), + target_end=datetime.date(2024, 12, 31), + ) + test_type, _ = Test_Type.objects.get_or_create( + name="Manual Code Review", + ) + cls.test_a = Test.objects.create( + engagement=cls.engagement_a, + test_type=test_type, + target_start=timezone.now(), + target_end=timezone.now(), + ) + + # Finding that IS in the risk acceptance + cls.finding_a = Finding.objects.create( + title="RA Remove Guard Finding A", + test=cls.test_a, + severity="High", + numerical_severity="S1", + active=False, + risk_accepted=True, + reporter=cls.owner_user_a, + ) + + # Finding in same engagement but NOT in the risk acceptance + cls.finding_a_extra = Finding.objects.create( + title="RA Remove Guard Finding A Extra", + test=cls.test_a, + severity="Medium", + numerical_severity="S2", + active=True, + risk_accepted=False, + reporter=cls.owner_user_a, + ) + + cls.risk_acceptance_a = Risk_Acceptance.objects.create( + name="RA Remove Guard RA A", + owner=cls.owner_user_a, + ) + cls.risk_acceptance_a.accepted_findings.add(cls.finding_a) + cls.engagement_a.risk_acceptance.add(cls.risk_acceptance_a) + + # ── Product B: engagement, test, finding, risk acceptance ──── + cls.engagement_b = Engagement.objects.create( + name="RA Remove Guard Engagement B", + product=cls.product_b, + target_start=datetime.date(2024, 1, 1), + target_end=datetime.date(2024, 12, 31), + ) + cls.test_b = Test.objects.create( + engagement=cls.engagement_b, + test_type=test_type, + target_start=timezone.now(), + target_end=timezone.now(), + ) + cls.finding_b = Finding.objects.create( + title="RA Remove Guard Finding B", + test=cls.test_b, + severity="High", + numerical_severity="S1", + active=False, + risk_accepted=True, + reporter=cls.owner_user_b, + ) + + cls.risk_acceptance_b = Risk_Acceptance.objects.create( + name="RA Remove Guard RA B", + owner=cls.owner_user_b, + ) + cls.risk_acceptance_b.accepted_findings.add(cls.finding_b) + cls.engagement_b.risk_acceptance.add(cls.risk_acceptance_b) + + def _login(self, username): + client = Client() + client.login( + username=username, + password="testTEST1234!@#$", # noqa: S106 + ) + return client + + def _remove_finding_data(self, finding_id): + return { + "remove_finding": "Remove", + "remove_finding_id": finding_id, + } + + # ── Test 1: edit_mode guard (BFLA) ─────────────────────────────── + + def test_reader_cannot_remove_finding_via_view_url(self): + """Reader POSTing remove_finding to view URL must be silently ignored.""" + client = self._login("ra_remove_reader_a") + url = reverse("view_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + response = client.post(url, self._remove_finding_data(self.finding_a.id)) + # View still redirects (302) because errors=False, but finding is untouched + self.assertEqual(response.status_code, 302) + self.finding_a.refresh_from_db() + self.assertFalse(self.finding_a.active) + self.assertTrue(self.finding_a.risk_accepted) + self.assertTrue( + self.risk_acceptance_a.accepted_findings + .filter(pk=self.finding_a.pk) + .exists(), + ) + + # ── Test 2: positive regression (edit URL works) ───────────────── + + def test_owner_can_remove_finding_via_edit_url(self): + """Owner POSTing remove_finding to edit URL must succeed.""" + client = self._login("ra_remove_owner_a") + url = reverse("edit_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + response = client.post(url, self._remove_finding_data(self.finding_a.id)) + self.assertEqual(response.status_code, 302) + self.finding_a.refresh_from_db() + self.assertTrue(self.finding_a.active) + self.assertFalse(self.finding_a.risk_accepted) + self.assertFalse( + self.risk_acceptance_a.accepted_findings + .filter(pk=self.finding_a.pk) + .exists(), + ) + + # ── Test 3: scoped lookup (finding not in this RA) ─────────────── + + def test_finding_not_in_risk_acceptance_returns_404(self): + """Supplying a finding ID not in the RA's accepted_findings must 404.""" + client = self._login("ra_remove_owner_a") + url = reverse("edit_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + # finding_a_extra exists in the same engagement but is NOT accepted + response = client.post( + url, self._remove_finding_data(self.finding_a_extra.id), + ) + self.assertEqual(response.status_code, 404) + + # ── Test 4: cross-product IDOR ─────────────────────────────────── + + def test_cross_product_finding_id_rejected(self): + """Finding from Product B cannot be removed via Product A's RA.""" + client = self._login("ra_remove_owner_a") + url = reverse("edit_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + response = client.post( + url, self._remove_finding_data(self.finding_b.id), + ) + self.assertEqual(response.status_code, 404) + # Product B's finding must remain untouched + self.finding_b.refresh_from_db() + self.assertFalse(self.finding_b.active) + self.assertTrue(self.finding_b.risk_accepted) + + # ── Test 5: Reader blocked by decorator on edit URL ────────────── + + def test_reader_blocked_on_edit_url_by_decorator(self): + """Reader lacks Risk_Acceptance permission — edit URL itself is denied.""" + client = self._login("ra_remove_reader_a") + url = reverse("edit_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + response = client.post(url, self._remove_finding_data(self.finding_a.id)) + # PermissionDenied raised; custom handler403 returns 400 (DD bug) + self.assertIn(response.status_code, [400, 403]) + # Finding must remain untouched + self.finding_a.refresh_from_db() + self.assertFalse(self.finding_a.active) + self.assertTrue(self.finding_a.risk_accepted) + + # ── Test 6: nonexistent finding ID ─────────────────────────────── + + def test_nonexistent_finding_id_returns_404(self): + """A bogus finding ID must produce 404 from the scoped lookup.""" + client = self._login("ra_remove_owner_a") + url = reverse("edit_risk_acceptance", args=( + self.engagement_a.id, self.risk_acceptance_a.id, + )) + response = client.post(url, self._remove_finding_data(999999)) + self.assertEqual(response.status_code, 404) + + class TestEngagementPresetsCrossProductIDOR(DojoTestCase): """ diff --git a/unittests/test_risk_acceptance.py b/unittests/test_risk_acceptance.py index c0613bd49ee..628624b6db1 100644 --- a/unittests/test_risk_acceptance.py +++ b/unittests/test_risk_acceptance.py @@ -111,7 +111,7 @@ def test_remove_findings_from_risk_acceptance_findings_active(self): data = copy.copy(self.data_remove_finding_from_ra) data["remove_finding_id"] = 2 ra = Risk_Acceptance.objects.last() - response = self.client.post(reverse("view_risk_acceptance", args=(1, ra.id)), data) + response = self.client.post(reverse("edit_risk_acceptance", args=(1, ra.id)), data) self.assertEqual(302, response.status_code, response.content[:1000]) self.assert_all_active_not_risk_accepted(Finding.objects.filter(id=2)) self.assert_all_inactive_risk_accepted(Finding.objects.filter(id=3)) From 9d661d72e9f92b8e6e3eef334afb7257dd968fb1 Mon Sep 17 00:00:00 2001 From: Jino Tesauro <53376807+Jino-T@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:54:22 -0500 Subject: [PATCH 052/173] Add permission checks for moving engagements between products (#14634) * change-to-moving-engagements * fix-migration-issue: * Revert PR #14634 changes (editable=False approach) Reverting the approach of making Engagement.product editable=False and splitting serializers. Will replace with proper permission checks on the destination product when moving engagements. Co-Authored-By: Claude Opus 4.6 (1M context) * Add permission check on destination product when moving engagements When a user changes an engagement's product (via API PUT/PATCH or the UI edit form), verify they have Engagement_Edit permission on the destination product. Previously only the source product was checked, allowing users to move engagements to products they lack write access to. - API: EngagementSerializer.validate() checks destination product permission on update, following the ProductMemberSerializer pattern - UI: edit_engagement() view checks destination product permission before saving - Tests: 8 new tests covering PATCH, PUT, and UI paths for both authorized and unauthorized product moves Co-Authored-By: Claude Opus 4.6 (1M context) * Fix UI test: form queryset already rejects unauthorized products The EngForm product queryset is filtered to authorized products, so submitting an unauthorized product fails form validation (200) before the view-level permission check runs. Update the test to accept both 200 and 403 -- the key assertion is that the engagement does not move. Co-Authored-By: Claude Opus 4.6 (1M context) * Fix ruff lint: docstring formatting Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) --- dojo/api_v2/serializers.py | 12 +++ dojo/engagement/views.py | 6 ++ unittests/test_permissions_audit.py | 159 ++++++++++++++++++++++++++++ 3 files changed, 177 insertions(+) diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index 342287aba94..7c9bbd6ae79 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -1123,6 +1123,18 @@ def validate(self, data): if data.get("target_start") > data.get("target_end"): msg = "Your target start date exceeds your target end date" raise serializers.ValidationError(msg) + if ( + self.instance is not None + and "product" in data + and data.get("product") != self.instance.product + and not user_has_permission( + self.context["request"].user, + data.get("product"), + Permissions.Engagement_Edit, + ) + ): + msg = "You are not permitted to edit engagements in the destination product" + raise PermissionDenied(msg) return data def build_relational_field(self, field_name, relation_info): diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index c955439814f..ca36d81c0dd 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -286,6 +286,12 @@ def edit_engagement(request, eid): if form.is_valid(): # first save engagement details new_status = form.cleaned_data.get("status") + if form.cleaned_data.get("product") != engagement.product: + user_has_permission_or_403( + request.user, + form.cleaned_data.get("product"), + Permissions.Engagement_Edit, + ) engagement.product = form.cleaned_data.get("product") engagement = form.save(commit=False) if (new_status in {"Cancelled", "Completed"}): diff --git a/unittests/test_permissions_audit.py b/unittests/test_permissions_audit.py index 26ef3fb78c8..9d4ca0a746e 100644 --- a/unittests/test_permissions_audit.py +++ b/unittests/test_permissions_audit.py @@ -1686,3 +1686,162 @@ def test_risk_acceptance_download_proof_writer_allowed(self): # Clean up uploaded file self.risk_acceptance.path.delete(save=True) + + +class TestEngagementMovePermission(DojoTestCase): + + """Moving an engagement to another product requires Engagement_Edit on the destination.""" + + @classmethod + def setUpTestData(cls): + cls.owner_role = Role.objects.get(name="Owner") + cls.product_type = Product_Type.objects.create(name="Eng Move Test PT") + + cls.product_a = Product.objects.create( + name="Eng Move Product A", description="Test", prod_type=cls.product_type, + ) + cls.product_b = Product.objects.create( + name="Eng Move Product B", description="Test", prod_type=cls.product_type, + ) + cls.product_c = Product.objects.create( + name="Eng Move Product C", description="Test", prod_type=cls.product_type, + ) + + cls.user = Dojo_User.objects.create_user( + username="eng_move_owner", + password="testTEST1234!@#$", # noqa: S106 + is_active=True, + ) + Product_Member.objects.create(product=cls.product_a, user=cls.user, role=cls.owner_role) + # No membership on product_b -- user cannot move engagements there + Product_Member.objects.create(product=cls.product_c, user=cls.user, role=cls.owner_role) + + def setUp(self): + self.engagement = Engagement.objects.create( + name="Move Test Engagement", + product=self.product_a, + target_start=datetime.date.today(), + target_end=datetime.date.today(), + ) + + def _api_client(self): + token, _ = Token.objects.get_or_create(user=self.user) + client = APIClient() + client.credentials(HTTP_AUTHORIZATION="Token " + token.key) + return client + + def _ui_client(self): + client = Client() + client.login(username="eng_move_owner", password="testTEST1234!@#$") # noqa: S106 + return client + + # ── API: PATCH ──────────────────────────────────────────────────── + + def test_api_patch_move_to_authorized_product(self): + """PATCH with product the user has access to should succeed.""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + response = client.patch(url, {"product": self.product_c.id}, format="json") + self.assertEqual(response.status_code, 200, response.content) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_c) + + def test_api_patch_move_to_unauthorized_product(self): + """PATCH with product the user lacks access to should be denied.""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + response = client.patch(url, {"product": self.product_b.id}, format="json") + self.assertEqual(response.status_code, 403, response.content) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_a) + + def test_api_patch_same_product(self): + """PATCH with the same product should succeed without extra permission check.""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + response = client.patch(url, {"product": self.product_a.id}, format="json") + self.assertEqual(response.status_code, 200, response.content) + + def test_api_patch_without_product_field(self): + """PATCH without product field should succeed (no spurious check).""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + response = client.patch(url, {"version": "1.0"}, format="json") + self.assertEqual(response.status_code, 200, response.content) + + # ── API: PUT ────────────────────────────────────────────────────── + + def test_api_put_move_to_authorized_product(self): + """PUT with product the user has access to should succeed.""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + payload = { + "name": "Move Test Engagement", + "product": self.product_c.id, + "target_start": str(datetime.date.today()), + "target_end": str(datetime.date.today()), + "engagement_type": "Interactive", + "status": "Not Started", + } + response = client.put(url, payload, format="json") + self.assertEqual(response.status_code, 200, response.content) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_c) + + def test_api_put_move_to_unauthorized_product(self): + """PUT with product the user lacks access to should be denied.""" + client = self._api_client() + url = reverse("engagement-detail", args=(self.engagement.id,)) + payload = { + "name": "Move Test Engagement", + "product": self.product_b.id, + "target_start": str(datetime.date.today()), + "target_end": str(datetime.date.today()), + "engagement_type": "Interactive", + "status": "Not Started", + } + response = client.put(url, payload, format="json") + self.assertEqual(response.status_code, 403, response.content) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_a) + + # ── UI ──────────────────────────────────────────────────────────── + + def test_ui_move_to_authorized_product(self): + """Edit engagement form moving to authorized product should succeed.""" + client = self._ui_client() + url = reverse("edit_engagement", args=(self.engagement.id,)) + form_data = { + "product": self.product_c.id, + "target_start": datetime.date.today().strftime("%Y-%m-%d"), + "target_end": datetime.date.today().strftime("%Y-%m-%d"), + "lead": self.user.id, + "status": "Not Started", + } + response = client.post(url, form_data) + self.assertIn(response.status_code, [200, 302], response.content[:500]) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_c) + + def test_ui_move_to_unauthorized_product(self): + """ + Edit engagement form moving to unauthorized product should be denied. + + The form's product queryset is filtered to authorized products, so + submitting an unauthorized product fails form validation (200 with + errors) before the view-level permission check runs. Either way the + engagement must NOT move. + """ + client = self._ui_client() + url = reverse("edit_engagement", args=(self.engagement.id,)) + form_data = { + "product": self.product_b.id, + "target_start": datetime.date.today().strftime("%Y-%m-%d"), + "target_end": datetime.date.today().strftime("%Y-%m-%d"), + "lead": self.user.id, + "status": "Not Started", + } + response = client.post(url, form_data) + self.assertIn(response.status_code, [200, 403]) + self.engagement.refresh_from_db() + self.assertEqual(self.engagement.product, self.product_a) From 4df60d02b88e92612d0be15e72685c6a1216b913 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:30:27 -0600 Subject: [PATCH 053/173] Add CLAUDE.md with module reorganization playbook Documents a repeatable 10-phase process for reorganizing domain modules (finding, test, engagement, product, product_type) to match the dojo/url/ reference pattern. Includes service-layer extraction guidance to support the long-term goal of removing the classic UI and going fully API-based. Co-Authored-By: Claude Opus 4.6 --- CLAUDE.md | 250 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 250 insertions(+) create mode 100644 CLAUDE.md diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 00000000000..14e1db91640 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,250 @@ +# DefectDojo Development Guide + +## Project Overview + +DefectDojo is a Django application (`dojo` app) for vulnerability management. The codebase is undergoing a modular reorganization to move from monolithic files toward self-contained domain modules. + +## Module Reorganization + +### Reference Pattern: `dojo/url/` + +All domain modules should match the structure of `dojo/url/`. This is the canonical example of a fully reorganized module. + +``` +dojo/{module}/ +├── __init__.py # import dojo.{module}.admin # noqa: F401 +├── models.py # Domain models, constants, factory methods +├── admin.py # @admin.register() for the module's models +├── services.py # Business logic (no HTTP concerns) +├── queries.py # Complex DB aggregations/annotations +├── signals.py # Django signal handlers +├── [manager.py] # Custom QuerySet/Manager if needed +├── [validators.py] # Field-level validators if needed +├── [helpers.py] # Async task wrappers, tag propagation, etc. +├── ui/ +│ ├── __init__.py # Empty +│ ├── forms.py # Django ModelForms +│ ├── filters.py # UI-layer django-filter classes +│ ├── views.py # Thin view functions — delegates to services.py +│ └── urls.py # URL routing +└── api/ + ├── __init__.py # path = "{module}" + ├── serializer.py # DRF serializers + ├── views.py # API ViewSets — delegates to services.py + ├── filters.py # API-layer filters + └── urls.py # add_{module}_urls(router) registration +``` + +### Architecture Principles + +**Long-term goal**: Remove the classic Django template UI and make the app fully API-based. The `ui/` subdirectory should be deletable with zero impact on `api/` or shared business logic. + +**services.py is the critical layer**: Both `ui/views.py` and `api/views.py` call `services.py` for business logic. Services accept domain objects and primitives — never request/response objects, forms, or serializers. + +**Backward-compatible re-exports**: When moving code out of monolithic files (`dojo/models.py`, `dojo/forms.py`, `dojo/filters.py`, `dojo/api_v2/serializers.py`, `dojo/api_v2/views.py`), always leave a re-export at the original location: +```python +from dojo.{module}.models import {Model} # noqa: F401 -- backward compat +``` +Never remove re-exports until all consumers are updated in a dedicated cleanup pass. + +### Current State + +Modules in various stages of reorganization: + +| Module | models.py | services.py | ui/ | api/ | Status | +|--------|-----------|-------------|-----|------|--------| +| **url** | In module | N/A | Done | Done | **Complete** | +| **location** | In module | N/A | N/A | Done | **Complete** | +| **product_type** | In dojo/models.py | Missing | Partial (views at root) | In dojo/api_v2/ | Needs work | +| **test** | In dojo/models.py | Missing | Partial (views at root) | In dojo/api_v2/ | Needs work | +| **engagement** | In dojo/models.py | Partial (32 lines) | Partial (views at root) | In dojo/api_v2/ | Needs work | +| **product** | In dojo/models.py | Missing | Partial (views at root) | In dojo/api_v2/ | Needs work | +| **finding** | In dojo/models.py | Missing | Partial (views at root) | In dojo/api_v2/ | Needs work | + +### Monolithic Files Being Decomposed + +These files still contain code for multiple modules. Extract code to the target module's subdirectory and leave a re-export stub. + +- `dojo/models.py` (4,973 lines) — All model definitions +- `dojo/forms.py` (4,127 lines) — All Django forms +- `dojo/filters.py` (4,016 lines) — All UI and API filter classes +- `dojo/api_v2/serializers.py` (3,387 lines) — All DRF serializers +- `dojo/api_v2/views.py` (3,519 lines) — All API viewsets + +--- + +## Reorganization Playbook + +When asked to reorganize a module, follow these phases in order. Each phase should be independently verifiable. + +### Phase 0: Pre-Flight (Read-Only) + +Before any changes, identify all code to extract: + +```bash +# 1. Model classes and line ranges in dojo/models.py +grep -n "class {Model}" dojo/models.py + +# 2. Form classes in dojo/forms.py +grep -n "class.*{Module}" dojo/forms.py +grep -n "model = {Model}" dojo/forms.py + +# 3. Filter classes in dojo/filters.py +grep -n "class.*{Module}\|class.*{Model}" dojo/filters.py + +# 4. Serializer classes +grep -n "class.*{Model}" dojo/api_v2/serializers.py + +# 5. ViewSet classes +grep -n "class.*{Model}\|class.*{Module}" dojo/api_v2/views.py + +# 6. Admin registrations +grep -n "admin.site.register({Model}" dojo/models.py + +# 7. All import sites (to verify backward compat) +grep -rn "from dojo.models import.*{Model}" dojo/ unittests/ + +# 8. Business logic in current views +# Scan dojo/{module}/views.py for: .save(), .delete(), create_notification(), +# jira_helper.*, dojo_dispatch_task(), multi-model workflows +``` + +### Phase 1: Extract Models + +1. Create `dojo/{module}/models.py` with the model class(es) and associated constants +2. Create `dojo/{module}/admin.py` with `admin.site.register()` calls (remove from `dojo/models.py`) +3. Update `dojo/{module}/__init__.py` to `import dojo.{module}.admin # noqa: F401` +4. Add re-exports in `dojo/models.py` +5. Remove original model code (keep re-export line) + +**Import rules for models.py:** +- Upward FKs (e.g., Test -> Engagement): import from `dojo.models` if not yet extracted, or `dojo.{module}.models` if already extracted +- Downward references (e.g., Product_Type querying Finding): use lazy imports inside method bodies +- Shared utilities (`copy_model_util`, `_manage_inherited_tags`, `get_current_date`, etc.): import from `dojo.models` +- Do NOT set `app_label` in Meta — all models inherit `dojo` app_label automatically + +**Verify:** +```bash +python manage.py check +python manage.py makemigrations --check +python -c "from dojo.{module}.models import {Model}" +python -c "from dojo.models import {Model}" +``` + +### Phase 2: Extract Services + +Create `dojo/{module}/services.py` with business logic extracted from UI views. + +**What belongs in services.py:** +- State transitions (close, reopen, status changes) +- Multi-step creation/update workflows +- External integration calls (JIRA, GitHub) +- Notification dispatching +- Copy/clone operations +- Bulk operations +- Merge operations + +**What stays in views:** +- HTTP request/response handling +- Form instantiation and validation +- Serialization/deserialization +- Authorization checks (`@user_is_authorized`, `user_has_permission_or_403`) +- Template rendering, redirects +- Pagination, breadcrumbs + +**Service function pattern:** +```python +def close_engagement(engagement: Engagement, user: User) -> Engagement: + engagement.active = False + engagement.status = "Completed" + engagement.save() + if jira_helper.get_jira_project(engagement): + dojo_dispatch_task(jira_helper.close_epic, engagement.id, push_to_jira=True) + return engagement +``` + +Update UI views and API viewsets to call the service instead of containing logic inline. + +### Phase 3: Extract Forms to `ui/forms.py` + +1. Create `dojo/{module}/ui/__init__.py` (empty) +2. Create `dojo/{module}/ui/forms.py` — move form classes from `dojo/forms.py` +3. Add re-exports in `dojo/forms.py` + +### Phase 4: Extract UI Filters to `ui/filters.py` + +1. Create `dojo/{module}/ui/filters.py` — move module-specific filters from `dojo/filters.py` +2. Shared base classes (`DojoFilter`, `DateRangeFilter`, `ReportBooleanFilter`) stay in `dojo/filters.py` +3. Add re-exports in `dojo/filters.py` + +### Phase 5: Move UI Views/URLs into `ui/` + +1. Move `dojo/{module}/views.py` -> `dojo/{module}/ui/views.py` +2. Move `dojo/{module}/urls.py` -> `dojo/{module}/ui/urls.py` +3. Update URL imports: + - product: update `dojo/asset/urls.py` + - product_type: update `dojo/organization/urls.py` + - others: update the include in `dojo/urls.py` + +### Phase 6: Extract API Serializers to `api/serializer.py` + +1. Create `dojo/{module}/api/__init__.py` with `path = "{module}"` +2. Create `dojo/{module}/api/serializer.py` — move from `dojo/api_v2/serializers.py` +3. Add re-exports in `dojo/api_v2/serializers.py` + +### Phase 7: Extract API Filters to `api/filters.py` + +1. Create `dojo/{module}/api/filters.py` — move `Api{Model}Filter` from `dojo/filters.py` +2. Add re-exports + +### Phase 8: Extract API ViewSets to `api/views.py` + +1. Create `dojo/{module}/api/views.py` — move from `dojo/api_v2/views.py` +2. Add re-exports in `dojo/api_v2/views.py` + +### Phase 9: Extract API URL Registration + +1. Create `dojo/{module}/api/urls.py`: + ```python + from dojo.{module}.api import path + from dojo.{module}.api.views import {ViewSet} + + def add_{module}_urls(router): + router.register(path, {ViewSet}, path) + return router + ``` +2. Update `dojo/urls.py` — replace `v2_api.register(...)` with `add_{module}_urls(v2_api)` + +### After Each Phase: Verify + +```bash +python manage.py check +python manage.py makemigrations --check +python -m pytest unittests/ -x --timeout=120 +``` + +--- + +## Cross-Module Dependencies + +The model hierarchy is: Product_Type -> Product -> Engagement -> Test -> Finding + +Extract in this order (top to bottom) so that upward FKs can import from already-extracted modules. The recommended order is: product_type, test, engagement, product, finding. + +For downward references (e.g., Product_Type's cached properties querying Finding), always use lazy imports: +```python +@cached_property +def critical_present(self): + from dojo.models import Finding # lazy import + return Finding.objects.filter(test__engagement__product__prod_type=self, severity="Critical").exists() +``` + +--- + +## Key Technical Details + +- **Single Django app**: Everything is under `app_label = "dojo"`. Moving models to subdirectories does NOT require migration changes. +- **Model discovery**: Triggered by `__init__.py` importing `admin.py`, which imports `models.py`. This is the same chain `dojo/url/` uses. +- **Signal registration**: Handled in `dojo/apps.py` via `import dojo.{module}.signals`. Already set up for test, engagement, product, product_type. +- **Watson search**: Uses `self.get_model("Product")` in `apps.py` — works via Django's model registry regardless of file location. +- **Admin registration**: Currently at the bottom of `dojo/models.py` (lines 4888-4973). Must be moved to `{module}/admin.py` and removed from `dojo/models.py` to avoid `AlreadyRegistered` errors. From 56c84a72221f6f307084cde31f0da780356b2200 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:33:01 -0600 Subject: [PATCH 054/173] Update CLAUDE.md --- CLAUDE.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index 14e1db91640..64279977619 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -37,7 +37,6 @@ dojo/{module}/ ### Architecture Principles -**Long-term goal**: Remove the classic Django template UI and make the app fully API-based. The `ui/` subdirectory should be deletable with zero impact on `api/` or shared business logic. **services.py is the critical layer**: Both `ui/views.py` and `api/views.py` call `services.py` for business logic. Services accept domain objects and primitives — never request/response objects, forms, or serializers. From c1b2526ee495fed3a14bb81c065be51a7a986e39 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Fri, 17 Apr 2026 06:40:54 +0200 Subject: [PATCH 055/173] :tada: add fix_available and fix_version to govulncheck (#14681) --- dojo/tools/govulncheck/parser.py | 24 +++++++++++++++++++++- unittests/tools/test_govulncheck_parser.py | 2 ++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/dojo/tools/govulncheck/parser.py b/dojo/tools/govulncheck/parser.py index 4bdea0908ff..9214218d68b 100644 --- a/dojo/tools/govulncheck/parser.py +++ b/dojo/tools/govulncheck/parser.py @@ -40,6 +40,22 @@ def get_location(data, node): def get_version(data, node): return data["Requires"]["Modules"][str(node)]["Version"] + @staticmethod + def get_fix_info(affected_ranges): + for r in affected_ranges: + for event in r.get("events", []): + if "fixed" in event: + return True, event["fixed"] + return False, "" + + @staticmethod + def get_introduced_version(affected_ranges): + for r in affected_ranges: + for event in r.get("events", []): + if "introduced" in event: + return event["introduced"] + return "" + def get_finding_trace_info(self, data, osv_id): # Browse the findings to look for matching OSV-id. If the OSV-id is matching, extract traces. trace_info_strs = [] @@ -202,8 +218,12 @@ def get_findings(self, scan_file, test): else: title = f"{osv_data['id']} - {affected_package['name']}" - affected_version = self.get_affected_version(data, osv_data["id"]) + fix_available, fix_version = self.get_fix_info(affected_ranges) + affected_version = ( + self.get_affected_version(data, osv_data["id"]) + or self.get_introduced_version(affected_ranges) + ) severity = elem["osv"].get("severity", SEVERITY) d = { @@ -215,6 +235,8 @@ def get_findings(self, scan_file, test): "description": description, "impact": impact, "references": references, + "fix_available": fix_available, + "fix_version": fix_version, "file_path": path, "url": db_specific_url, "unique_id_from_tool": osv_id, diff --git a/unittests/tools/test_govulncheck_parser.py b/unittests/tools/test_govulncheck_parser.py index 90499dc48fd..3b0a8efc474 100644 --- a/unittests/tools/test_govulncheck_parser.py +++ b/unittests/tools/test_govulncheck_parser.py @@ -127,6 +127,8 @@ def test_parse_new_version_many_findings_custom_severity(self): self.assertIsNotNone(finding.impact) self.assertIsNotNone(finding.description) self.assertIsNotNone(finding.references) + self.assertTrue(finding.fix_available) + self.assertEqual("0.3.8", finding.fix_version) def test_parse_issue_14642(self): with (get_unit_tests_scans_path("govulncheck") / "issue_14642.json").open(encoding="utf-8") as testfile: From 4a0abbd7e91ac68da2abc22d9bed2c905e843660 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:41:04 -0600 Subject: [PATCH 056/173] fix: clean up template rendering for endpoint user fields (#14682) Remove unnecessary template filter from auditor and mitigated_by fields in the endpoints snippet to align with standard Django template rendering conventions. Co-authored-by: Claude Opus 4.6 (1M context) --- dojo/templates/dojo/snippets/endpoints.html | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dojo/templates/dojo/snippets/endpoints.html b/dojo/templates/dojo/snippets/endpoints.html index e7d4d740ea8..84f10304d00 100644 --- a/dojo/templates/dojo/snippets/endpoints.html +++ b/dojo/templates/dojo/snippets/endpoints.html @@ -72,13 +72,13 @@
Mitigated Endpoints / Systems ({{ finding.mitigated_endpoint_count }})
{% if V3_FEATURE_LOCATIONS %} {{ endpoint.location }}{% if endpoint.is_broken %} 🚩{% endif %} {{ endpoint.status }} - {{ endpoint.auditor|safe }} + {{ endpoint.auditor }} {{ endpoint.audit_time|date }} {% else %} - {% comment %} TODO: Delete this after the move to Locations {% endcomment %} + {% comment %} TODO: Delete this after the move to Locations {% endcomment %} {{ endpoint }}{% if endpoint.endpoint.is_broken %} 🚩{% endif %} {{ endpoint.status }} - {{ endpoint.mitigated_by|safe }} + {{ endpoint.mitigated_by }} {{ endpoint.mitigated_time|date }} {% endif %} @@ -256,7 +256,7 @@

Mitigated Endpoints / Systems ({{ finding.mitigated_endpoint_count }}) {% include "dojo/snippets/tags.html" with tags=endpoint.location.tags.all %} {{ endpoint.get_status_display }} - {{ endpoint.auditor|safe }} + {{ endpoint.auditor }} {{ endpoint.audit_time|date }} {% else %} {% comment %} TODO: Delete this after the move to Locations {% endcomment %} @@ -265,7 +265,7 @@

Mitigated Endpoints / Systems ({{ finding.mitigated_endpoint_count }}) {% include "dojo/snippets/tags.html" with tags=endpoint.endpoint.tags.all %} {{ endpoint.status }} - {{ endpoint.mitigated_by|safe }} + {{ endpoint.mitigated_by }} {{ endpoint.mitigated_time|date }} {% endif %} From 1812598691ea74f886490a70519851d82a52d19f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:45:26 -0600 Subject: [PATCH 057/173] Update release-drafter/release-drafter action from v7.1.1 to v7.2.0 (.github/workflows/release-drafter.yml) (#14699) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/release-drafter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index c91df094fa5..b0acd676cf8 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Create Release id: create_release - uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1 + uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0 with: version: ${{ inputs.version }} env: From e9d187bb3d608da5dbdf5c24019a760f30db7da3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:45:44 -0600 Subject: [PATCH 058/173] Update actions/github-script action from v8.0.0 to v9 (.github/workflows/release-3-master-into-dev.yml) (#14700) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/release-1-create-pr.yml | 2 +- .github/workflows/release-3-master-into-dev.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-1-create-pr.yml b/.github/workflows/release-1-create-pr.yml index 33aaafecb26..c93b7f0bfda 100644 --- a/.github/workflows/release-1-create-pr.yml +++ b/.github/workflows/release-1-create-pr.yml @@ -107,7 +107,7 @@ jobs: branch: ${{ env.NEW_BRANCH }} - name: Create Pull Request - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/release-3-master-into-dev.yml b/.github/workflows/release-3-master-into-dev.yml index f8e2c75682d..6354486a0e0 100644 --- a/.github/workflows/release-3-master-into-dev.yml +++ b/.github/workflows/release-3-master-into-dev.yml @@ -95,7 +95,7 @@ jobs: branch: ${{ env.NEW_BRANCH }} - name: Create Pull Request - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -171,7 +171,7 @@ jobs: branch: ${{ env.NEW_BRANCH }} - name: Create Pull Request - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | From 45d9d95cbbfe9026f18a007e570e74886e65bd50 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 22:46:35 -0600 Subject: [PATCH 059/173] Update softprops/action-gh-release action from v2.6.2 to v3 (.github/workflows/release-x-manual-helm-chart.yml) (#14702) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/release-x-manual-helm-chart.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-x-manual-helm-chart.yml b/.github/workflows/release-x-manual-helm-chart.yml index 5d74bc3bce1..85052bd8a58 100644 --- a/.github/workflows/release-x-manual-helm-chart.yml +++ b/.github/workflows/release-x-manual-helm-chart.yml @@ -77,7 +77,7 @@ jobs: echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV - name: Create release ${{ inputs.release_number }} - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: name: '${{ inputs.release_number }} 🌈' tag_name: ${{ inputs.release_number }} From 4decd88fe513bdf325b2ce536d8d197ef834c36f Mon Sep 17 00:00:00 2001 From: Jino Tesauro <53376807+Jino-T@users.noreply.github.com> Date: Thu, 16 Apr 2026 23:48:21 -0500 Subject: [PATCH 060/173] Validate consistency between ID-based and name-based identifiers in import/reimport (#14636) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix reimport-scan API authorization bypass via conflicting identifiers Validate that ID-resolved objects (test, engagement) are consistent with name-based identifiers (product_name, engagement_name) in both the permission check layer and the AutoCreateContextManager resolution layer. This prevents an attacker from passing their own engagement/test ID to satisfy the permission check while using name-based fields to target a victim's product. Co-Authored-By: Claude Opus 4.6 (1M context) * Use ID-based comparisons and add engagement_name check to import - Switch permission checks to use ID comparisons (product_id, engagement_id) where resolved objects are available, with name fallback for unresolved cases - Add engagement_name validation to UserHasImportPermission (was missing) - Fix ruff string quoting in auto_create_context.py Co-Authored-By: Claude Opus 4.6 (1M context) * Strip undeclared engagement field in reimport permission check The engagement field is not declared on ReImportScanSerializer and gets stripped during validation. The permission check must also strip it so it resolves targets the same way execution does — by name, not by a stale engagement ID from request.data. Update test to verify the engagement param is ignored and permission is checked against the name-resolved target. Co-Authored-By: Claude Opus 4.6 (1M context) * Fix information disclosure in conflict validation error messages Replace error messages that leaked resolved object names (product names, engagement names) with generic messages. An attacker could enumerate object names by sending conflicting ID-based and name-based identifiers and reading the detailed error responses. Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> --- dojo/api_v2/permissions.py | 33 +++++++++- dojo/importers/auto_create_context.py | 6 ++ unittests/test_rest_framework.py | 89 +++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 3 deletions(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index 807bbcf7b2a..10e012ede5b 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -473,7 +473,13 @@ def has_permission(self, request, view): # Raise an explicit drf exception here raise ValidationError(e) if engagement := converted_dict.get("engagement"): - # existing engagement, nothing special to check + # Validate the resolved engagement's parent chain matches any provided identifiers + if (product := converted_dict.get("product")) and engagement.product_id != product.id: + msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product." + raise ValidationError(msg) + if (engagement_name := converted_dict.get("engagement_name")) and engagement.name != engagement_name: + msg = "The provided identifiers are inconsistent — the engagement name does not match the specified engagement." + raise ValidationError(msg) return user_has_permission( request.user, engagement, Permissions.Import_Scan_Result, ) @@ -764,6 +770,11 @@ def has_permission(self, request, view): try: converted_dict = auto_create.convert_querydict_to_dict(request.data) auto_create.process_import_meta_data_from_dict(converted_dict) + # engagement is not a declared field on ReImportScanSerializer and will be + # stripped during validation — don't use it in the permission check either, + # so the permission check resolves targets the same way execution does + converted_dict.pop("engagement", None) + converted_dict.pop("engagement_id", None) # Get an existing product converted_dict["product_type"] = auto_create.get_target_product_type_if_exists(**converted_dict) converted_dict["product"] = auto_create.get_target_product_if_exists(**converted_dict) @@ -774,7 +785,20 @@ def has_permission(self, request, view): raise ValidationError(e) if test := converted_dict.get("test"): - # existing test, nothing special to check + # Validate the resolved test's parent chain matches any provided identifiers + if (product := converted_dict.get("product")) and test.engagement.product_id != product.id: + msg = "The provided identifiers are inconsistent — the test does not belong to the specified product." + raise ValidationError(msg) + if (engagement := converted_dict.get("engagement")) and test.engagement_id != engagement.id: + msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement." + raise ValidationError(msg) + # Also validate by name when the objects were not resolved (e.g. names that match no existing record) + if not converted_dict.get("product") and (product_name := converted_dict.get("product_name")) and test.engagement.product.name != product_name: + msg = "The provided identifiers are inconsistent — the test does not belong to the specified product." + raise ValidationError(msg) + if not converted_dict.get("engagement") and (engagement_name := converted_dict.get("engagement_name")) and test.engagement.name != engagement_name: + msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement." + raise ValidationError(msg) return user_has_permission( request.user, test, Permissions.Import_Scan_Result, ) @@ -1181,7 +1205,10 @@ def check_auto_create_permission( raise ValidationError(msg) if engagement: - # existing engagement, nothing special to check + # Validate the resolved engagement's parent chain matches any provided names + if product is not None and engagement.product_id != product.id: + msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product." + raise ValidationError(msg) return user_has_permission( user, engagement, Permissions.Import_Scan_Result, ) diff --git a/dojo/importers/auto_create_context.py b/dojo/importers/auto_create_context.py index 26d37ae65b0..916bbea056e 100644 --- a/dojo/importers/auto_create_context.py +++ b/dojo/importers/auto_create_context.py @@ -181,6 +181,9 @@ def get_target_engagement_if_exists( """ if engagement := get_object_or_none(Engagement, pk=engagement_id): logger.debug("Using existing engagement by id: %s", engagement_id) + if product is not None and engagement.product_id != product.id: + msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product." + raise ValueError(msg) return engagement # if there's no product, then for sure there's no engagement either if product is None: @@ -203,6 +206,9 @@ def get_target_test_if_exists( """ if test := get_object_or_none(Test, pk=test_id): logger.debug("Using existing Test by id: %s", test_id) + if engagement is not None and test.engagement_id != engagement.id: + msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement." + raise ValueError(msg) return test # If the engagement is not supplied, we cannot do anything if not engagement: diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 95807d4c536..7199e08c126 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -3429,6 +3429,95 @@ def test_create_not_authorized_product_name_engagement_name_scan_type_title(self importer_mock.assert_not_called() reimporter_mock.assert_not_called() + # Security tests: verify that conflicting ID-based and name-based identifiers are rejected + + @patch("dojo.importers.default_reimporter.DefaultReImporter.process_scan") + @patch("dojo.importers.default_importer.DefaultImporter.process_scan") + @patch("dojo.api_v2.permissions.user_has_permission") + def test_reimport_engagement_param_ignored_permission_checked_on_name_resolved_target(self, mock, importer_mock, reimporter_mock): + """ + Engagement is not a declared field on ReImportScanSerializer — verify + the permission check uses the name-resolved target, not the engagement param. + """ + mock.return_value = False + importer_mock.return_value = IMPORTER_MOCK_RETURN_VALUE + reimporter_mock.return_value = REIMPORTER_MOCK_RETURN_VALUE + + with Path("tests/zap_sample.xml").open(encoding="utf-8") as testfile: + payload = { + "minimum_severity": "Low", + "active": True, + "verified": True, + "scan_type": "ZAP Scan", + "file": testfile, + # engagement=1 belongs to Product 2 Engagement 1, but it should be ignored + "engagement": 1, + # These names resolve to Product 2's Engagement 4 -> Test 4 + "product_name": "Security How-to", + "engagement_name": "April monthly engagement", + "version": "1.0.0", + } + response = self.client.post(self.url, payload) + self.assertEqual(403, response.status_code, response.content[:1000]) + # Permission must be checked on name-resolved Test 4 (in Engagement 4), + # NOT on Test 3 (which belongs to the engagement=1 param) + mock.assert_called_with(User.objects.get(username="admin"), + Test.objects.get(id=4), + Permissions.Import_Scan_Result) + importer_mock.assert_not_called() + reimporter_mock.assert_not_called() + + @patch("dojo.importers.default_reimporter.DefaultReImporter.process_scan") + @patch("dojo.importers.default_importer.DefaultImporter.process_scan") + def test_reimport_with_test_id_mismatched_product_name_is_rejected(self, importer_mock, reimporter_mock): + """Sending test ID from one product with product_name from another must be rejected.""" + importer_mock.return_value = IMPORTER_MOCK_RETURN_VALUE + reimporter_mock.return_value = REIMPORTER_MOCK_RETURN_VALUE + + with Path("tests/zap_sample.xml").open(encoding="utf-8") as testfile: + payload = { + "minimum_severity": "Low", + "active": True, + "verified": True, + "scan_type": "ZAP Scan", + "file": testfile, + # Test 3 belongs to Engagement 1 -> Product 2 ("Security How-to") + "test": 3, + # But product_name points to Product 1 ("Python How-to") + "product_name": "Python How-to", + "version": "1.0.0", + } + response = self.client.post(self.url, payload) + self.assertEqual(400, response.status_code, response.content[:1000]) + importer_mock.assert_not_called() + reimporter_mock.assert_not_called() + + @patch("dojo.importers.default_reimporter.DefaultReImporter.process_scan") + @patch("dojo.importers.default_importer.DefaultImporter.process_scan") + def test_reimport_with_test_id_mismatched_engagement_name_is_rejected(self, importer_mock, reimporter_mock): + """Sending test ID from one engagement with engagement_name from another must be rejected.""" + importer_mock.return_value = IMPORTER_MOCK_RETURN_VALUE + reimporter_mock.return_value = REIMPORTER_MOCK_RETURN_VALUE + + with Path("tests/zap_sample.xml").open(encoding="utf-8") as testfile: + payload = { + "minimum_severity": "Low", + "active": True, + "verified": True, + "scan_type": "ZAP Scan", + "file": testfile, + # Test 3 belongs to Engagement 1 ("1st Quarter Engagement") + "test": 3, + # But engagement_name points to a different engagement + "product_name": "Security How-to", + "engagement_name": "April monthly engagement", + "version": "1.0.0", + } + response = self.client.post(self.url, payload) + self.assertEqual(400, response.status_code, response.content[:1000]) + importer_mock.assert_not_called() + reimporter_mock.assert_not_called() + @versioned_fixtures class ProductTypeTest(BaseClass.BaseClassTest): From 1fa86bc0f04d3e9942085ad7f1dc04f580a52470 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 17 Apr 2026 10:34:19 -0500 Subject: [PATCH 061/173] Update mccutchen/go-httpbin Docker tag from 2.21.0 to v2.22.1 (docker-compose.override.dev.yml) (#14697) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.override.dev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.override.dev.yml b/docker-compose.override.dev.yml index 409de9f5d69..6ee4738c26d 100644 --- a/docker-compose.override.dev.yml +++ b/docker-compose.override.dev.yml @@ -72,7 +72,7 @@ services: protocol: tcp mode: host "webhook.endpoint": - image: mccutchen/go-httpbin:2.21.0@sha256:809250d14e94397f4729f617931068a9ea048231fc1a11c9e3c7cb8c28bbab8d + image: mccutchen/go-httpbin:2.22.1@sha256:33aa5d2d563881a55f319cce4530de48ae518386ad742159f4390281a8277915 integration-tests: platform: "linux/amd64" profiles: From c51d018324dfebaa49ee5b84a188a99b0194828c Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Fri, 17 Apr 2026 13:21:23 -0400 Subject: [PATCH 062/173] tests: read raw template string --- unittests/test_pdf_report_rendering.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/unittests/test_pdf_report_rendering.py b/unittests/test_pdf_report_rendering.py index 283fd4f6272..f2d794baa81 100644 --- a/unittests/test_pdf_report_rendering.py +++ b/unittests/test_pdf_report_rendering.py @@ -192,10 +192,9 @@ def test_long_unbroken_string_in_report_field(self): def test_report_base_css_has_overflow_wrap(self): """The report base template must include overflow-wrap for text wrapping.""" template = self.django_engine.get_template("report_base.html") - # Render with minimal context to get the CSS - html = template.render({"report_name": "Test"}) + source = template.template.source - self.assertIn("overflow-wrap: break-word", html) + self.assertIn("overflow-wrap: break-word", source) def test_report_base_css_styles_nested_pre(self): """ @@ -203,10 +202,10 @@ def test_report_base_css_styles_nested_pre(self): nested
 elements from breaking out of margins.
         """
         template = self.django_engine.get_template("report_base.html")
-        html = template.render({"report_name": "Test"})
+        source = template.template.source
 
-        self.assertIn(".report-field pre", html)
-        self.assertIn("overflow-wrap: break-word", html)
+        self.assertIn(".report-field pre", source)
+        self.assertIn("overflow-wrap: break-word", source)
 
     def test_raw_request_pre_tags_preserved(self):
         """

From 6b26aae4de4a39040f130da2c9894776a1fce5c7 Mon Sep 17 00:00:00 2001
From: Paul Osinski 
Date: Fri, 17 Apr 2026 13:59:41 -0400
Subject: [PATCH 063/173] implement versioned_fixtures in test

---
 unittests/test_pdf_report_rendering.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unittests/test_pdf_report_rendering.py b/unittests/test_pdf_report_rendering.py
index f2d794baa81..1cdfe1e34e1 100644
--- a/unittests/test_pdf_report_rendering.py
+++ b/unittests/test_pdf_report_rendering.py
@@ -10,9 +10,10 @@
     Test_Type,
     User,
 )
-from unittests.dojo_test_case import DojoTestCase
+from unittests.dojo_test_case import DojoTestCase, versioned_fixtures
 
 
+@versioned_fixtures
 class TestPdfReportTextWrapping(DojoTestCase):
 
     """

From 43b2238132d3ec0e6e958dfb3845eaac2be4346b Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 20 Apr 2026 08:35:36 -0600
Subject: [PATCH 064/173] Add centralized banner system with OS messaging
 support (#14708)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add OSS subscriber for Open Source Messaging banner

Fetches a markdown message from the DaaS-published GCS bucket, renders
the bleached headline and optional expanded section through the existing
additional_banners template loop. Cached for 1h; any fetch/parse failure
silently yields no banner. No Django settings introduced — disabling the
banner requires forking.

Co-Authored-By: Claude Opus 4.7 (1M context) 

* Enable nl2br in expanded markdown and fold module into dojo.announcement

Single newlines in the expanded body now render as 
, so authored markdown lays out multi-line. Module folded into the existing dojo/announcement/ app and test patch paths updated. Co-Authored-By: Claude Opus 4.7 (1M context) * Use

{% endif %} {% for banner in additional_banners %} - - -
-
-
-

- {% trans "Potential Findings" %} -

- {% if test|has_object_permission:"Finding_Add" %} - - {% csrf_token %} -
- - - - - -
- - {% endif %} -
-
- - - - - - - - - - - - {% for finding in stub_findings %} - - - - - - - - {% endfor %} - -
- {% trans "Name" %} - - {% trans "Severity" %} - - {% trans "Reporter" %} - - {% trans "Date" %} - - {% trans "Actions" %} -
- {% if test|has_object_permission:"Finding_Add" %} - {{ finding.title }} - {% else %} - {{ finding.title }} - {% endif %} - - {% if finding.severity == "Critical" or finding.severity == "High" %} - - {% else %} - {{ finding.severity }} - {% endif %} - - {% if finding.reporter.get_full_name and finding.reporter.get_full_name.strip %} - {{ finding.reporter.get_full_name }} - {% else %} - {{ finding.reporter }} - {% endif %} - - {{ finding.date }} - -
- {% if test|has_object_permission:"Finding_Add" %} - {% trans "Promote To Finding" %} - {% endif %} - {% if test|has_object_permission:"Finding_Edit" %} -
- {% csrf_token %} - - -
- {% endif %} -
-
-
- {% include "dojo/paging_snippet.html" with page=stub_findings %} -
-
- {% if system_settings.enable_credentials %}
@@ -2059,71 +1953,6 @@

} ; - $('form#quick-add-form').on("submit", function (e) { - if ($("input#quick_add_finding").val().length == 0) { - alert('Potential finding description needs a value.'); - e.preventDefault(); - return false; - } - $('form#quick-add-form').removeClass("has-error"); - $('button#the_button').attr('disabled', true).removeClass("btn-success btn-danger").addClass('btn-warning'); - $('i#fa-icon').removeClass("fa-plus").addClass("fa-spinner fa-pulse"); - $.ajax({ - type: "post", - dataType:'json', - data: $(this).serialize(), - url: '{% url 'add_stub_finding' test.id %}', - // The ``X-CSRFToken`` evidently can't be set in the - // ``headers`` option, so force it here. - // This method requires jQuery 1.5+. - beforeSend: function (jqXHR, settings) { - // Pull the token out of the DOM. - jqXHR.setRequestHeader('X-CSRFToken', $('input[name=csrfmiddlewaretoken]').val()); - }, - success: function (data, textStatus, jqXHR) { - // Your processing of the data here. " + + " - // - $('table#stub_findings').removeClass('hidden'); - var fid = data['id']; - var fseverity = data['severity']; - var fdate = data['date']; - var row = $(""); - var link = $(''); - - link.attr('href', "/stub_finding/" + fid + "/promote"); - link.text($("input#quick_add_finding").val()); - var title = $("").append(link); - var severity = $("").append(fseverity); - var reporter = $("{{ request.user.username }}"); - var date = $("").append(fdate); - var td_info = ''; - var actions = $(td_info.replace(/\[id\]/g, fid)); - - row.append(title, severity, reporter, date, actions).appendTo("#stub_findings tbody"); - $("input#quick_add_finding").val("") - $('button#the_button').removeClass("btn-warning btn-danger").addClass('btn-success'); - - $("input#quick_add_finding").focus() - - setTimeout(function () { - $("tr#added-" + fid + " td").animate({ - backgroundColor: "#fff", - }) - }, 2000) - }, - error: function () { - $('form#quick-add-form').addClass("has-error"); - $('button#the_button').removeClass("btn-warning").addClass('btn-danger'); - }, - complete: function () { - $('i#fa-icon').addClass("fa-plus").removeClass("fa-spinner fa-pulse"); - $('button#the_button').attr('disabled', false); - - } - }); - return false; - }); - }); function jira_action(elem, url) { diff --git a/dojo/test/views.py b/dojo/test/views.py index 936a43b54aa..c154e0fb598 100644 --- a/dojo/test/views.py +++ b/dojo/test/views.py @@ -56,7 +56,6 @@ Finding_Template, Note_Type, Product_API_Scan_Configuration, - Stub_Finding, Test, Test_Import, ) @@ -110,14 +109,6 @@ def get_test_import_data(self, request: HttpRequest, test: Test): "test_import_filter": test_import_filter, } - def get_stub_findings(self, request: HttpRequest, test: Test): - stub_findings = Stub_Finding.objects.filter(test=test) - paged_stub_findings = get_page_items(request, stub_findings, 25) - - return { - "stub_findings": paged_stub_findings, - } - def get_findings(self, request: HttpRequest, test: Test): findings = Finding.objects.filter(test=test).order_by("numerical_severity") filter_string_matching = get_system_setting("filter_string_matching", False) @@ -194,7 +185,6 @@ def get_initial_context(self, request: HttpRequest, test: Test): context["form"] = form # Add some of the related objects context |= self.get_findings(request, test) - context |= self.get_stub_findings(request, test) context |= self.get_test_import_data(request, test) return context diff --git a/dojo/urls.py b/dojo/urls.py index 84483b30590..4e8dea6f965 100644 --- a/dojo/urls.py +++ b/dojo/urls.py @@ -55,7 +55,6 @@ SLAConfigurationViewset, SonarqubeIssueTransitionViewSet, SonarqubeIssueViewSet, - StubFindingsViewSet, SystemSettingsViewSet, TestImportViewSet, TestsViewSet, @@ -162,7 +161,6 @@ v2_api.register(r"sla_configurations", SLAConfigurationViewset, basename="sla_configurations") v2_api.register(r"sonarqube_issues", SonarqubeIssueViewSet, basename="sonarqube_issue") v2_api.register(r"sonarqube_transitions", SonarqubeIssueTransitionViewSet, basename="sonarqube_issue_transition") -v2_api.register(r"stub_findings", StubFindingsViewSet, basename="stub_finding") v2_api.register(r"system_settings", SystemSettingsViewSet, basename="system_settings") v2_api.register(r"technologies", AppAnalysisViewSet, basename="app_analysis") v2_api.register(r"tests", TestsViewSet, basename="test") diff --git a/tests/test_test.py b/tests/test_test.py index 7ee311b91cd..419931cd578 100644 --- a/tests/test_test.py +++ b/tests/test_test.py @@ -1,7 +1,7 @@ import sys import unittest -from base_test_class import BaseTestCase, on_exception_html_source_logger +from base_test_class import BaseTestCase from product_test import ProductTest, WaitForPageLoad from selenium.webdriver.common.by import By from selenium.webdriver.common.keys import Keys @@ -188,88 +188,6 @@ def test_add_test_finding(self): driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS2").click() self.assertTrue(self.is_text_present_on_page(text="product2.finding.com")) - def test_add_stub_finding(self): - # Login to the site. - driver = self.driver - - # Select the previously created test - # Select a previously created engagement title - driver.find_element(By.PARTIAL_LINK_TEXT, "Beta Test").click() - driver.find_element(By.PARTIAL_LINK_TEXT, "Quick Security Testing").click() - - # Enter the title of the stub finding - # Keep a good practice of clearing field before entering value - driver.find_element(By.ID, "quick_add_finding").clear() - driver.find_element(By.ID, "quick_add_finding").send_keys("App Vulnerable to XSS3") - # Click on Add Potential Finding - driver.find_element(By.ID, "the_button").click() - - def test_add_and_promote_stub_finding(self): - - self.test_add_stub_finding() - - driver = self.driver - - # Select the previously created test - self.goto_active_engagements_overview(driver) - driver.find_element(By.PARTIAL_LINK_TEXT, "Beta Test").click() - driver.find_element(By.PARTIAL_LINK_TEXT, "Quick Security Testing").click() - - # Click on link of finding name to promote to finding - driver.find_element(By.PARTIAL_LINK_TEXT, "App Vulnerable to XSS3").click() - self.assertTrue(self.is_info_message_present(text="In order to promote a Potential Finding to a Verified Finding you must provide the following information.")) - self.assertEqual(driver.find_element(By.ID, "id_title").get_attribute("value"), "App Vulnerable to XSS3") - # finding Description - # Note item [0] is a meta tag on the top of the page with name "description", so we use [1] - driver.execute_script("document.getElementsByName('description')[1].style.display = 'inline'") - driver.find_elements(By.NAME, "description")[1].send_keys(Keys.TAB, "This is just a test finding") - - # "Click" the Done button to Edit the finding - driver.find_element(By.ID, "submit").click() - - # Assert ot the query to dtermine status of failure - self.assertTrue(self.is_success_message_present(text="Finding promoted successfully")) - - @on_exception_html_source_logger - def test_add_and_delete_stub_finding(self): - - self.test_add_stub_finding() - - driver = self.driver - - # Select the previously created test - self.goto_active_engagements_overview(driver) - driver.find_element(By.PARTIAL_LINK_TEXT, "Beta Test").click() - driver.find_element(By.PARTIAL_LINK_TEXT, "Quick Security Testing").click() - - # Click on Delete butten - driver.find_elements(By.NAME, "stub_finding_delete")[0].click() - # Accept popup - driver.switch_to.alert.accept() - # Check the stub finding is deleted - self.assertFalse(driver.find_elements(By.NAME, "stub_finding_name")) - - def test_merge_findings(self): - # View existing test from ProductTest() - # Login to the site. - driver = self.driver - - # Navigate to the engagement page - self.goto_active_engagements_overview(driver) - # Select a previously created engagement title - driver.find_element(By.PARTIAL_LINK_TEXT, "Beta Test").click() - driver.find_element(By.PARTIAL_LINK_TEXT, "Quick Security Testing").click() - - driver.find_element(By.ID, "select_all").click() - - driver.find_element(By.ID, "merge_findings").click() - - Select(driver.find_element(By.ID, "id_finding_action")).select_by_visible_text("Inactive") - - Select(driver.find_element(By.ID, "id_findings_to_merge")).select_by_visible_text("App Vulnerable to XSS3") - - driver.find_element(By.CSS_SELECTOR, "input.btn.btn-primary").click() - def test_delete_test(self): # Login to the site. Password will have to be modified # to match an admin password in your own container @@ -300,9 +218,9 @@ def suite(): suite.addTest(TestUnitTest("test_create_test")) suite.addTest(TestUnitTest("test_edit_test")) suite.addTest(TestUnitTest("test_add_test_finding")) - suite.addTest(TestUnitTest("test_add_and_promote_stub_finding")) - suite.addTest(TestUnitTest("test_merge_findings")) - suite.addTest(TestUnitTest("test_add_and_delete_stub_finding")) + # test_merge_findings depended on the stub-finding promote flow to create + # a second finding ("App Vulnerable to XSS3") before merging — drop it + # along with the rest of the stub-finding scaffolding. suite.addTest(TestUnitTest("test_add_note")) suite.addTest(TestUnitTest("test_delete_test")) suite.addTest(ProductTest("test_delete_product")) diff --git a/unittests/authorization/test_authorization.py b/unittests/authorization/test_authorization.py index 60fff15eca6..01223403834 100644 --- a/unittests/authorization/test_authorization.py +++ b/unittests/authorization/test_authorization.py @@ -33,7 +33,6 @@ Product_Type_Group, Product_Type_Member, Role, - Stub_Finding, Test, ) from dojo.url.models import URL @@ -76,9 +75,6 @@ def setUpTestData(cls): cls.finding = Finding() cls.finding.test = cls.test - cls.stub_finding = Stub_Finding() - cls.stub_finding.test = cls.test - if settings.V3_FEATURE_LOCATIONS: cls.location = URL(host="testhost.com") cls.location.save() @@ -354,28 +350,6 @@ def test_user_has_permission_finding_success(self, mock_foo): self.assertTrue(result) mock_foo.filter.assert_called_with(user=self.user) - @patch("dojo.models.Product_Member.objects") - def test_user_has_permission_stub_finding_no_permissions(self, mock_foo): - mock_foo.select_related.return_value = mock_foo - mock_foo.select_related.return_value = mock_foo - mock_foo.filter.return_value = [self.product_member_reader] - - result = user_has_permission(self.user, self.stub_finding, Permissions.Finding_Edit) - - self.assertFalse(result) - mock_foo.filter.assert_called_with(user=self.user) - - @patch("dojo.models.Product_Member.objects") - def test_user_has_permission_stub_finding_success(self, mock_foo): - mock_foo.select_related.return_value = mock_foo - mock_foo.select_related.return_value = mock_foo - mock_foo.filter.return_value = [self.product_member_owner] - - result = user_has_permission(self.user, self.stub_finding, Permissions.Finding_Delete) - - self.assertTrue(result) - mock_foo.filter.assert_called_with(user=self.user) - @patch("dojo.models.Product_Member.objects") def test_user_has_permission_location_no_permissions(self, mock_foo): mock_foo.select_related.return_value = mock_foo diff --git a/unittests/test_authorization_queries.py b/unittests/test_authorization_queries.py index 10ea562c512..9eb42df4bb2 100644 --- a/unittests/test_authorization_queries.py +++ b/unittests/test_authorization_queries.py @@ -16,7 +16,6 @@ from dojo.finding.queries import ( get_authorized_findings, get_authorized_findings_for_queryset, - get_authorized_stub_findings, get_authorized_vulnerability_ids, ) from dojo.finding_group.queries import get_authorized_finding_groups @@ -44,7 +43,6 @@ Product_Type_Group, Product_Type_Member, Role, - Stub_Finding, Test, Test_Type, Vulnerability_Id, @@ -230,24 +228,6 @@ def setUpTestData(cls): }, ) - # Create stub findings - reporter is required - cls.stub_finding_1, _ = Stub_Finding.objects.get_or_create( - test=cls.test_1, - title="Auth Test Stub Finding 1", - defaults={ - "severity": "High", - "reporter": cls.superuser, - }, - ) - cls.stub_finding_2, _ = Stub_Finding.objects.get_or_create( - test=cls.test_2, - title="Auth Test Stub Finding 2", - defaults={ - "severity": "Medium", - "reporter": cls.superuser, - }, - ) - # Create vulnerability IDs cls.vuln_id_1, _ = Vulnerability_Id.objects.get_or_create( finding=cls.finding_1, @@ -365,35 +345,6 @@ def test_none_user_returns_empty(self): self.assertEqual(findings.count(), 0) -class TestGetAuthorizedStubFindings(AuthorizationQueriesTestBase): - - """Tests for get_authorized_stub_findings() - uses get_current_user()""" - - @patch("dojo.finding.queries.get_current_user") - def test_superuser_gets_all_stub_findings(self, mock_get_current_user): - """Superuser should get all stub findings""" - mock_get_current_user.return_value = self.superuser - stub_findings = get_authorized_stub_findings(Permissions.Finding_View) - self.assertIn(self.stub_finding_1, stub_findings) - self.assertIn(self.stub_finding_2, stub_findings) - - @patch("dojo.finding.queries.get_current_user") - def test_user_no_permissions_gets_empty(self, mock_get_current_user): - """User with no permissions should not get test stub findings""" - mock_get_current_user.return_value = self.user_no_perms - stub_findings = get_authorized_stub_findings(Permissions.Finding_View) - self.assertNotIn(self.stub_finding_1, stub_findings) - self.assertNotIn(self.stub_finding_2, stub_findings) - - @patch("dojo.finding.queries.get_current_user") - def test_user_product_member_gets_product_stub_findings(self, mock_get_current_user): - """User with product membership should get only that product's stub findings""" - mock_get_current_user.return_value = self.user_product_member - stub_findings = get_authorized_stub_findings(Permissions.Finding_View) - self.assertIn(self.stub_finding_1, stub_findings) - self.assertNotIn(self.stub_finding_2, stub_findings) - - class TestGetAuthorizedVulnerabilityIds(AuthorizationQueriesTestBase): """Tests for get_authorized_vulnerability_ids()""" diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 812eb258c7a..4a8e5ec8c6e 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -70,7 +70,6 @@ RiskAcceptanceViewSet, RoleViewSet, SonarqubeIssueViewSet, - StubFindingsViewSet, TestsViewSet, TestTypesViewSet, ToolConfigurationsViewSet, @@ -126,7 +125,6 @@ Role, Sonarqube_Issue, Sonarqube_Issue_Transition, - Stub_Finding, Test, Test_Type, Tool_Configuration, @@ -1672,7 +1670,9 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Engagement_Add self.permission_update = Permissions.Engagement_Edit self.permission_delete = Permissions.Engagement_Delete - self.deleted_objects = 23 + # 23 -> 21: cascading delete no longer pulls 2 Stub_Finding rows now + # that the model has been removed. + self.deleted_objects = 21 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) @@ -2505,38 +2505,6 @@ def __init__(self, *args, **kwargs): BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) -@versioned_fixtures -class StubFindingsTest(BaseClass.BaseClassTest): - fixtures = ["dojo_testdata.json"] - - def __init__(self, *args, **kwargs): - self.endpoint_model = Stub_Finding - self.endpoint_path = "stub_findings" - self.viewname = "stub_finding" - self.viewset = StubFindingsViewSet - self.payload = { - "title": "Stub Finding 1", - "date": "2017-12-31", - "severity": "High", - "description": "test stub finding", - "reporter": 3, - "test": 3, - } - self.update_fields = {"severity": "Low"} - self.test_type = TestType.OBJECT_PERMISSIONS - self.permission_check_class = Stub_Finding - self.permission_create = Permissions.Finding_Add - self.permission_update = Permissions.Finding_Edit - self.permission_delete = Permissions.Finding_Delete - self.deleted_objects = 1 - BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) - - def test_severity_validation(self): - result = self.client.patch(self.url + "2/", data={"severity": "Not a valid choice"}) - self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST, "Severity just got set to something invalid") - self.assertEqual(result.json()["severity"], ["Severity must be one of the following: ['Info', 'Low', 'Medium', 'High', 'Critical']"]) - - @versioned_fixtures class TestsTest(BaseClass.RelatedObjectsTest, BaseClass.BaseClassTest): fixtures = ["dojo_testdata.json"] From b681610221ef54b3b2fda0757142e6434b266d54 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 8 May 2026 15:11:09 -0600 Subject: [PATCH 172/173] remove: Credential Manager (2.57 deprecation, 2.59 EOL) (#14836) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * remove: Credential Manager (announced 2.57, EOL in 2.59) Per the 2.59 release notes, retires the Credential Manager feature in its entirety: UI, API, models, DB tables, and the system-settings toggle that gated it. Endpoints removed (now `404`): - /api/v2/credentials/ - /api/v2/credential_mappings/ UI removed: - All `/cred/*`, `/product//cred/*`, `/engagement//cred/*`, `/test//cred/*`, `/finding//cred/*` routes - "Credential Manager" sidebar entry and per-product Add/View Credentials shortcuts in the navbar - Credential sections from view_test, view_eng, and view_finding Code deleted: - The entire `dojo/cred/` module (views, urls, signals, queries) - All `*cred*.html` templates - `CredMappingForm`, `CredMappingFormProd`, `CredUserForm` in forms.py - `ApiCredentialsFilter` in filters.py - `CredentialsViewSet`, `CredentialsMappingViewSet`, `CredentialSerializer`, `CredentialMappingSerializer`, `UserHasCredentialPermission` - Selenium tests `tests/credential_test.py` and `tests/product_credential_test.py` - The four `Credential_*` permissions and `Permissions.get_credential_permissions()`, plus their entries in every role's permission set - The `Cred_Mapping` reverse-lookup blocks in test/finding/engagement views (and the `cred_form` plumbing in the import-scan flow) - `Cred_User` from audit-log and pghistory tracking lists, including the `Cred_UserEvent` history table Schema dropped via 0265_remove_credential_manager: - `system_settings.enable_credentials` (no longer gates anything) - `Cred_Mapping`, `Cred_User`, `Cred_UserEvent` models, with their pghistory triggers cleared first The 2.59 upgrade doc already documents the removal; nothing to update in `docs/`. Co-Authored-By: Claude Opus 4.7 (1M context) * fix: ruff E302 + drop cred refs from fixtures - dojo/authorization/roles_permissions.py: add the second blank line before get_roles_with_permissions() that ruff's E302 demands. - Remove the now-orphan dojo.cred_user / dojo.cred_mapping entries from the three test fixtures, drop watson.searchentry rows pointing at those content types, and strip the gone enable_credentials field from System_Settings entries (the loaddata test was failing on it). The fixture normalization picks up small indentation diffs in unrelated sections (Python's json.dump uses one consistent indent) but the data is unchanged otherwise. Co-Authored-By: Claude Opus 4.7 (1M context) * fix: drop credential_manager refs from sample_data_locations fixture + matrix - dojo/fixtures/defect_dojo_sample_data_locations.json: missed in the previous fixture sweep — strip enable_credentials, cred_user / cred_mapping rows, and the matching watson.searchentry rows so loaddata stops failing. - .github/workflows/integration-tests.yml: drop the credential_test.py and product_credential_test.py entries from the UI test matrix; both files were deleted in this PR and CI was failing trying to run them. Co-Authored-By: Claude Opus 4.7 (1M context) * fix: drop cred_user from configuration permissions list dojo/user/utils.py left a Permission_Helper(name="cred user", ...) in the configuration-permissions form that drives /user//edit_permissions and /group//edit_permissions. With Cred_User gone, the underlying view_cred_user / add_cred_user / change_cred_user / delete_cred_user django auth permissions no longer exist and the form 500s on save — which is what was breaking the group_test and user_test UI integration tests. Co-Authored-By: Claude Opus 4.7 (1M context) * fix: drop malformed watson.searchentry rows left by bad merge The merge of dev into this branch (2f8f6828b6) collided on the watson search-entry rows: dev removed stub_finding entries while this branch removed cred_user entries, and the three-way merge dropped only the model name from each conflicting row, leaving six entries per fixture with content_type set to ['dojo'] (a one-element natural key). loaddata then failed with: ContentTypeManager.get_by_natural_key() missing 1 required positional argument: 'model' ... (watson.searchentry:pk=4) field_value was '['dojo']' These rows pointed at the now-removed cred_user content type and were already supposed to be deleted (see 12d749f0f4). Remove them from both fixture files. Co-Authored-By: Claude Opus 4.7 (1M context) --------- Co-authored-by: Claude Opus 4.7 (1M context) --- .github/workflows/integration-tests.yml | 2 - dojo/api_v2/permissions.py | 33 - dojo/api_v2/serializers.py | 14 - dojo/api_v2/views.py | 128 ---- dojo/apps.py | 1 - dojo/auditlog/backfill.py | 6 +- dojo/auditlog/services.py | 16 - dojo/authorization/authorization.py | 20 - dojo/authorization/roles_permissions.py | 27 - dojo/cred/__init__.py | 0 dojo/cred/queries.py | 92 --- dojo/cred/signals.py | 14 - dojo/cred/urls.py | 28 - dojo/cred/views.py | 711 ------------------ .../0266_remove_credential_manager.py | 52 ++ dojo/engagement/views.py | 90 +-- dojo/filters.py | 7 - dojo/finding/views.py | 25 - dojo/fixtures/defect_dojo_sample_data.json | 109 --- .../defect_dojo_sample_data_locations.json | 109 --- dojo/fixtures/dojo_testdata.json | 32 - dojo/fixtures/dojo_testdata_locations.json | 32 - dojo/forms.py | 39 - .../management/commands/pghistory_backfill.py | 3 +- .../commands/pghistory_backfill_simple.py | 2 - dojo/management/commands/pghistory_clear.py | 1 - dojo/models.py | 56 -- dojo/notes/views.py | 10 +- dojo/templates/base.html | 22 - dojo/templates/dojo/delete_cred_all.html | 21 - dojo/templates/dojo/edit_cred.html | 18 - dojo/templates/dojo/edit_cred_all.html | 18 - dojo/templates/dojo/new_cred.html | 13 - dojo/templates/dojo/new_cred_mapping.html | 13 - dojo/templates/dojo/new_cred_product.html | 13 - dojo/templates/dojo/view_cred.html | 96 --- .../templates/dojo/view_cred_all_details.html | 308 -------- dojo/templates/dojo/view_cred_details.html | 328 -------- dojo/templates/dojo/view_cred_prod.html | 61 -- dojo/templates/dojo/view_eng.html | 104 --- dojo/templates/dojo/view_finding.html | 112 --- dojo/templates/dojo/view_test.html | 136 ---- dojo/test/views.py | 3 - dojo/urls.py | 6 - dojo/user/utils.py | 3 - tests/credential_test.py | 89 --- tests/product_credential_test.py | 146 ---- unittests/test_apiv2_methods_and_endpoints.py | 2 +- unittests/test_rest_framework.py | 51 -- 49 files changed, 59 insertions(+), 3163 deletions(-) delete mode 100644 dojo/cred/__init__.py delete mode 100644 dojo/cred/queries.py delete mode 100644 dojo/cred/signals.py delete mode 100644 dojo/cred/urls.py delete mode 100644 dojo/cred/views.py create mode 100644 dojo/db_migrations/0266_remove_credential_manager.py delete mode 100644 dojo/templates/dojo/delete_cred_all.html delete mode 100644 dojo/templates/dojo/edit_cred.html delete mode 100644 dojo/templates/dojo/edit_cred_all.html delete mode 100644 dojo/templates/dojo/new_cred.html delete mode 100644 dojo/templates/dojo/new_cred_mapping.html delete mode 100644 dojo/templates/dojo/new_cred_product.html delete mode 100644 dojo/templates/dojo/view_cred.html delete mode 100644 dojo/templates/dojo/view_cred_all_details.html delete mode 100644 dojo/templates/dojo/view_cred_details.html delete mode 100644 dojo/templates/dojo/view_cred_prod.html delete mode 100644 tests/credential_test.py delete mode 100644 tests/product_credential_test.py diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 3300c1cb0bb..f0d466264d0 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -22,7 +22,6 @@ jobs: "tests/check_various_pages.py", "tests/close_old_findings_dedupe_test.py", "tests/close_old_findings_test.py", - "tests/credential_test.py", "tests/dashboard_test.py", "tests/dedupe_test.py", "tests/endpoint_extended_test.py", @@ -46,7 +45,6 @@ jobs: "tests/notification_webhook_test.py", "tests/notifications_test.py", "tests/object_test.py", - "tests/product_credential_test.py", "tests/product_group_test.py", "tests/product_member_test.py", "tests/product_metadata_test.py", diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index 10e012ede5b..e0b68e2bcc6 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -20,7 +20,6 @@ from dojo.importers.auto_create_context import AutoCreateContextManager from dojo.location.models import Location from dojo.models import ( - Cred_Mapping, Development_Environment, Dojo_Group, Endpoint, @@ -146,38 +145,6 @@ def has_object_permission(self, request, view, obj): ) -class UserHasCredentialPermission(permissions.BasePermission): - def has_permission(self, request, view): - if request.data.get("product") is not None: - return check_post_permission( - request, Cred_Mapping, "product", Permissions.Credential_Add, - ) - if request.data.get("engagement") is not None: - return check_post_permission( - request, Cred_Mapping, "engagement", Permissions.Credential_Add, - ) - if request.data.get("test") is not None: - return check_post_permission( - request, Cred_Mapping, "test", Permissions.Credential_Add, - ) - if request.data.get("finding") is not None: - return check_post_permission( - request, Cred_Mapping, "finding", Permissions.Credential_Add, - ) - return check_post_permission( - request, Cred_Mapping, "product", Permissions.Credential_Add, - ) - - def has_object_permission(self, request, view, obj): - return check_object_permission( - request, - obj.product, - Permissions.Credential_View, - Permissions.Credential_Edit, - Permissions.Credential_Delete, - ) - - class UserHasDojoGroupPermission(permissions.BasePermission): def has_permission(self, request, view): if request.method == "GET": diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index e0314b597a8..72a7752f7df 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -51,8 +51,6 @@ App_Analysis, BurpRawRequestResponse, Check_List, - Cred_Mapping, - Cred_User, Development_Environment, Dojo_Group, Dojo_Group_Member, @@ -2144,18 +2142,6 @@ def update(self, instance, validated_data): return super().update(instance, validated_data) -class CredentialSerializer(serializers.ModelSerializer): - class Meta: - model = Cred_User - exclude = ("password",) - - -class CredentialMappingSerializer(serializers.ModelSerializer): - class Meta: - model = Cred_Mapping - fields = "__all__" - - class ProductSerializer(serializers.ModelSerializer): findings_count = serializers.SerializerMethodField() findings_list = serializers.SerializerMethodField() diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index 303fa22efd8..180333dd27f 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -49,7 +49,6 @@ from dojo.authorization.authorization import user_has_permission_or_403 from dojo.authorization.roles_permissions import Permissions from dojo.celery_dispatch import dojo_dispatch_task -from dojo.cred.queries import get_authorized_cred_mappings from dojo.endpoint.queries import ( get_authorized_endpoint_status, get_authorized_endpoints, @@ -59,7 +58,6 @@ from dojo.engagement.services import close_engagement, reopen_engagement from dojo.filters import ( ApiAppAnalysisFilter, - ApiCredentialsFilter, ApiDojoMetaFilter, ApiEndpointFilter, ApiEngagementFilter, @@ -93,8 +91,6 @@ App_Analysis, BurpRawRequestResponse, Check_List, - Cred_Mapping, - Cred_User, Development_Environment, Dojo_Group, Dojo_Group_Member, @@ -872,130 +868,6 @@ def get_queryset(self): return get_authorized_app_analysis(Permissions.Product_View) -# Authorization: object-based -@extend_schema_view(**schema_with_prefetch()) -class CredentialsViewSet( - PrefetchDojoModelViewSet, - DeprecationNoticeMixin, -): - deprecated = True - end_of_life_date = datetime(2026, 6, 1) - serializer_class = serializers.CredentialSerializer - queryset = Cred_User.objects.all() - filter_backends = (DjangoFilterBackend,) - permission_classes = (permissions.IsSuperUser, DjangoModelPermissions) - - def get_queryset(self): - return Cred_User.objects.all().order_by("id") - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def list(self, request, *args, **kwargs): - return super().list(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def retrieve(self, request, *args, **kwargs): - return super().retrieve(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def create(self, request, *args, **kwargs): - return super().create(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def update(self, request, *args, **kwargs): - return super().update(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def partial_update(self, request, *args, **kwargs): - return super().partial_update(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def destroy(self, request, *args, **kwargs): - return super().destroy(request, *args, **kwargs) - - -# Authorization: configuration -# @extend_schema_view(**schema_with_prefetch()) -# Nested models with prefetch make the response schema too long for Swagger UI -class CredentialsMappingViewSet( - PrefetchDojoModelViewSet, - DeprecationNoticeMixin, -): - deprecated = True - end_of_life_date = datetime(2026, 6, 1) - serializer_class = serializers.CredentialMappingSerializer - queryset = Cred_Mapping.objects.none() - filter_backends = (DjangoFilterBackend,) - filterset_class = ApiCredentialsFilter - - permission_classes = ( - IsAuthenticated, - permissions.UserHasCredentialPermission, - ) - - def get_queryset(self): - return get_authorized_cred_mappings(Permissions.Credential_View) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def list(self, request, *args, **kwargs): - return super().list(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def retrieve(self, request, *args, **kwargs): - return super().retrieve(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def create(self, request, *args, **kwargs): - return super().create(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def update(self, request, *args, **kwargs): - return super().update(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def partial_update(self, request, *args, **kwargs): - return super().partial_update(request, *args, **kwargs) - - @extend_schema( - deprecated=True, - description="This endpoint is deprecated and will be removed on 2026-06-01.", - ) - def destroy(self, request, *args, **kwargs): - return super().destroy(request, *args, **kwargs) - - # Authorization: configuration class FindingTemplatesViewSet( DojoModelViewSet, diff --git a/dojo/apps.py b/dojo/apps.py index 89820e2bf12..38035547229 100644 --- a/dojo/apps.py +++ b/dojo/apps.py @@ -76,7 +76,6 @@ def ready(self): # Importing the signals file is good enough if using the receiver decorator import dojo.announcement.signals # noqa: PLC0415, F401 raised: AppRegistryNotReady import dojo.benchmark.signals # noqa: PLC0415, F401 raised: AppRegistryNotReady - import dojo.cred.signals # noqa: PLC0415, F401 raised: AppRegistryNotReady # TODO: Delete this after the move to Locations import dojo.endpoint.signals # noqa: PLC0415, F401 raised: AppRegistryNotReady diff --git a/dojo/auditlog/backfill.py b/dojo/auditlog/backfill.py index af8d971cf4a..082c648d90a 100644 --- a/dojo/auditlog/backfill.py +++ b/dojo/auditlog/backfill.py @@ -20,7 +20,6 @@ def get_excluded_fields(model_name): excluded_fields_map = { "Dojo_User": ["password"], "Product": ["updated"], - "Cred_User": ["password"], "Notification_Webhooks": ["header_name", "header_value"], } return excluded_fields_map.get(model_name, []) @@ -43,9 +42,6 @@ def get_table_names(model_name): elif model_name == "Finding_Template": table_name = "dojo_finding_template" event_table_name = "dojo_finding_templateevent" - elif model_name == "Cred_User": - table_name = "dojo_cred_user" - event_table_name = "dojo_cred_userevent" elif model_name == "Notification_Webhooks": table_name = "dojo_notification_webhooks" event_table_name = "dojo_notification_webhooksevent" @@ -366,7 +362,7 @@ def get_tracked_models(): return [ "Dojo_User", "Endpoint", "Engagement", "Finding", "Finding_Group", "Product_Type", "Product", "Test", "Risk_Acceptance", - "Finding_Template", "Cred_User", "Notification_Webhooks", + "Finding_Template", "Notification_Webhooks", "FindingReviewers", # M2M through table for Finding.reviewers "Location", "URL", # Tag through tables (tagulous auto-generated) diff --git a/dojo/auditlog/services.py b/dojo/auditlog/services.py index fa152aa9113..86ffa70cdc3 100644 --- a/dojo/auditlog/services.py +++ b/dojo/auditlog/services.py @@ -151,7 +151,6 @@ def register_django_pghistory_models(): from dojo.location.models import Location # noqa: PLC0415 from dojo.models import ( # noqa: PLC0415 App_Analysis, - Cred_User, Dojo_User, # TODO: Delete this after the move to Locations Endpoint, @@ -312,21 +311,6 @@ def register_django_pghistory_models(): }, )(Finding_Template) - pghistory.track( - pghistory.InsertEvent(), - pghistory.UpdateEvent(condition=pghistory.AnyChange(exclude_auto=True)), - pghistory.DeleteEvent(), - pghistory.ManualEvent(label="initial_backfill"), - exclude=["password"], - meta={ - "indexes": [ - models.Index(fields=["pgh_created_at"]), - models.Index(fields=["pgh_label"]), - models.Index(fields=["pgh_context_id"]), - ], - }, - )(Cred_User) - pghistory.track( pghistory.InsertEvent(), pghistory.UpdateEvent(condition=pghistory.AnyChange(exclude_auto=True)), diff --git a/dojo/authorization/authorization.py b/dojo/authorization/authorization.py index 9d24ff02e2d..0fa5f8723b5 100644 --- a/dojo/authorization/authorization.py +++ b/dojo/authorization/authorization.py @@ -10,7 +10,6 @@ from dojo.location.models import AbstractLocation, Location from dojo.models import ( App_Analysis, - Cred_Mapping, Dojo_Group, Dojo_Group_Member, Dojo_User, @@ -219,25 +218,6 @@ def user_has_permission(user: Dojo_User, obj: Model, permission: int) -> bool: user, obj.group, permission, ) return user_has_permission(user, obj.group, permission) - if ( - isinstance(obj, Cred_Mapping) - and permission in Permissions.get_credential_permissions() - ): - if obj.product: - return user_has_permission(user, obj.product, permission) - if obj.engagement: - return user_has_permission( - user, obj.engagement.product, permission, - ) - if obj.test: - return user_has_permission( - user, obj.test.engagement.product, permission, - ) - if obj.finding: - return user_has_permission( - user, obj.finding.test.engagement.product, permission, - ) - return None msg = f"No authorization implemented for class {type(obj).__name__} and permission {permission}" raise NoAuthorizationImplementedError(msg) diff --git a/dojo/authorization/roles_permissions.py b/dojo/authorization/roles_permissions.py index ebd873dc617..0262719b413 100644 --- a/dojo/authorization/roles_permissions.py +++ b/dojo/authorization/roles_permissions.py @@ -120,11 +120,6 @@ class Permissions(IntEnum): Product_Tracking_Files_Edit = 2606 Product_Tracking_Files_Delete = 2607 - Credential_View = 2702 - Credential_Add = 2703 - Credential_Edit = 2706 - Credential_Delete = 2707 - @classmethod def has_value(cls, value): try: @@ -268,15 +263,6 @@ def get_product_api_scan_configuration_permissions(cls): Permissions.Product_API_Scan_Configuration_Delete, } - @classmethod - def get_credential_permissions(cls): - return { - Permissions.Credential_View, - Permissions.Credential_Add, - Permissions.Credential_Edit, - Permissions.Credential_Delete, - } - def get_roles_with_permissions(): return { @@ -297,7 +283,6 @@ def get_roles_with_permissions(): Permissions.Technology_View, Permissions.Product_API_Scan_Configuration_View, Permissions.Product_Tracking_Files_View, - Permissions.Credential_View, }, Roles.API_Importer: { Permissions.Product_Type_View, @@ -315,7 +300,6 @@ def get_roles_with_permissions(): Permissions.Product_Type_Group_View, Permissions.Technology_View, Permissions.Import_Scan_Result, - Permissions.Credential_View, }, Roles.Writer: { Permissions.Product_Type_View, @@ -355,9 +339,6 @@ def get_roles_with_permissions(): Permissions.Technology_Edit, Permissions.Product_API_Scan_Configuration_View, Permissions.Product_Tracking_Files_View, - Permissions.Credential_View, - Permissions.Credential_Add, - Permissions.Credential_Edit, }, Roles.Maintainer: { Permissions.Product_Type_Add_Product, @@ -427,10 +408,6 @@ def get_roles_with_permissions(): Permissions.Product_Tracking_Files_Add, Permissions.Product_Tracking_Files_Edit, Permissions.Product_Tracking_Files_Delete, - Permissions.Credential_View, - Permissions.Credential_Add, - Permissions.Credential_Edit, - Permissions.Credential_Delete, }, Roles.Owner: { Permissions.Product_Type_Add_Product, @@ -508,10 +485,6 @@ def get_roles_with_permissions(): Permissions.Product_Tracking_Files_Add, Permissions.Product_Tracking_Files_Edit, Permissions.Product_Tracking_Files_Delete, - Permissions.Credential_View, - Permissions.Credential_Add, - Permissions.Credential_Edit, - Permissions.Credential_Delete, }, } diff --git a/dojo/cred/__init__.py b/dojo/cred/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/dojo/cred/queries.py b/dojo/cred/queries.py deleted file mode 100644 index a9dab0fb58e..00000000000 --- a/dojo/cred/queries.py +++ /dev/null @@ -1,92 +0,0 @@ -from crum import get_current_user -from django.db.models import Q, Subquery - -from dojo.authorization.authorization import get_roles_for_permission, user_has_global_permission -from dojo.models import Cred_Mapping, Product_Group, Product_Member, Product_Type_Group, Product_Type_Member -from dojo.request_cache import cache_for_request - - -# Cached: all parameters are hashable, no dynamic queryset filtering -@cache_for_request -def get_authorized_cred_mappings(permission): - """Cached - returns all cred mappings the user is authorized to see.""" - user = get_current_user() - - if user is None: - return Cred_Mapping.objects.none() - - cred_mappings = Cred_Mapping.objects.all().order_by("id") - - if user.is_superuser: - return cred_mappings - - if user_has_global_permission(user, permission): - return cred_mappings - - roles = get_roles_for_permission(permission) - - # Get authorized product/product_type IDs via subqueries - authorized_product_type_roles = Product_Type_Member.objects.filter( - user=user, role__in=roles, - ).values("product_type_id") - - authorized_product_roles = Product_Member.objects.filter( - user=user, role__in=roles, - ).values("product_id") - - authorized_product_type_groups = Product_Type_Group.objects.filter( - group__users=user, role__in=roles, - ).values("product_type_id") - - authorized_product_groups = Product_Group.objects.filter( - group__users=user, role__in=roles, - ).values("product_id") - - # Filter using IN with Subquery - no annotations needed - return cred_mappings.filter( - Q(product__prod_type_id__in=Subquery(authorized_product_type_roles)) - | Q(product_id__in=Subquery(authorized_product_roles)) - | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups)) - | Q(product_id__in=Subquery(authorized_product_groups)), - ) - - -def get_authorized_cred_mappings_for_queryset(permission, queryset): - """Filters a provided queryset for authorization. Not cached due to dynamic queryset parameter.""" - user = get_current_user() - - if user is None: - return Cred_Mapping.objects.none() - - if user.is_superuser: - return queryset - - if user_has_global_permission(user, permission): - return queryset - - roles = get_roles_for_permission(permission) - - # Get authorized product/product_type IDs via subqueries - authorized_product_type_roles = Product_Type_Member.objects.filter( - user=user, role__in=roles, - ).values("product_type_id") - - authorized_product_roles = Product_Member.objects.filter( - user=user, role__in=roles, - ).values("product_id") - - authorized_product_type_groups = Product_Type_Group.objects.filter( - group__users=user, role__in=roles, - ).values("product_type_id") - - authorized_product_groups = Product_Group.objects.filter( - group__users=user, role__in=roles, - ).values("product_id") - - # Filter using IN with Subquery - no annotations needed - return queryset.filter( - Q(product__prod_type_id__in=Subquery(authorized_product_type_roles)) - | Q(product_id__in=Subquery(authorized_product_roles)) - | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups)) - | Q(product_id__in=Subquery(authorized_product_groups)), - ) diff --git a/dojo/cred/signals.py b/dojo/cred/signals.py deleted file mode 100644 index 9cf72fdd5c0..00000000000 --- a/dojo/cred/signals.py +++ /dev/null @@ -1,14 +0,0 @@ -import logging - -from django.db.models.signals import pre_delete -from django.dispatch import receiver - -from dojo.models import Cred_User -from dojo.notes.helper import delete_related_notes - -logger = logging.getLogger(__name__) - - -@receiver(pre_delete, sender=Cred_User) -def cred_user_pre_delete(sender, instance, **kwargs): - delete_related_notes(instance) diff --git a/dojo/cred/urls.py b/dojo/cred/urls.py deleted file mode 100644 index 05f2bfe132d..00000000000 --- a/dojo/cred/urls.py +++ /dev/null @@ -1,28 +0,0 @@ -from django.urls import re_path - -from . import views - -urlpatterns = [ - re_path(r"^cred/add", views.new_cred, name="add_cred"), - re_path(r"^cred/(?P\d+)/view$", views.view_cred_details, name="view_cred_details"), - re_path(r"^cred/(?P\d+)/edit$", views.edit_cred, name="edit_cred"), - re_path(r"^cred/(?P\d+)/delete$", views.delete_cred, name="delete_cred"), - re_path(r"^cred$", views.cred, name="cred"), - re_path(r"^product/(?P\d+)/cred/add$", views.new_cred_product, name="new_cred_product"), - re_path(r"^product/(?P\d+)/cred/all$", views.all_cred_product, name="all_cred_product"), - re_path(r"^product/(?P\d+)/cred/(?P\d+)/edit$", views.edit_cred_product, name="edit_cred_product"), - re_path(r"^product/(?P\d+)/cred/(?P\d+)/view$", views.view_cred_product, name="view_cred_product"), - re_path(r"^product/(?P\d+)/cred/(?P\d+)/delete$", views.delete_cred_product, name="delete_cred_product"), - re_path(r"^engagement/(?P\d+)/cred/add$", views.new_cred_product_engagement, name="new_cred_product_engagement"), - re_path(r"^engagement/(?P\d+)/cred/(?P\d+)/view$", views.view_cred_product_engagement, - name="view_cred_product_engagement"), - re_path(r"^engagement/(?P\d+)/cred/(?P\d+)/delete$", views.delete_cred_engagement, - name="delete_cred_engagement"), - re_path(r"^test/(?P\d+)/cred/add$", views.new_cred_engagement_test, name="new_cred_engagement_test"), - re_path(r"^test/(?P\d+)/cred/(?P\d+)/view$", views.view_cred_engagement_test, - name="view_cred_engagement_test"), - re_path(r"^test/(?P\d+)/cred/(?P\d+)/delete$", views.delete_cred_test, name="delete_cred_test"), - re_path(r"^finding/(?P\d+)/cred/add$", views.new_cred_finding, name="new_cred_finding"), - re_path(r"^finding/(?P\d+)/cred/(?P\d+)/view$", views.view_cred_finding, name="view_cred_finding"), - re_path(r"^finding/(?P\d+)/cred/(?P\d+)/delete$", views.delete_cred_finding, name="delete_cred_finding"), -] diff --git a/dojo/cred/views.py b/dojo/cred/views.py deleted file mode 100644 index 1ba33939733..00000000000 --- a/dojo/cred/views.py +++ /dev/null @@ -1,711 +0,0 @@ -import logging - -from django.contrib import messages -from django.http import HttpResponseRedirect -from django.shortcuts import get_object_or_404, render -from django.urls import reverse -from django.utils import timezone - -from dojo.authorization.authorization_decorators import user_is_authorized, user_is_configuration_authorized -from dojo.authorization.roles_permissions import Permissions -from dojo.cred.queries import get_authorized_cred_mappings_for_queryset -from dojo.decorators import deprecated_view -from dojo.forms import CredMappingForm, CredMappingFormProd, CredUserForm, NoteForm -from dojo.models import Cred_Mapping, Cred_User, Engagement, Finding, Product, Test -from dojo.utils import Product_Tab, add_breadcrumb, dojo_crypto_encrypt, prepare_for_view - -logger = logging.getLogger(__name__) - - -@user_is_configuration_authorized(Permissions.Credential_Add) -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def new_cred(request): - if request.method == "POST": - tform = CredUserForm(request.POST) - if tform.is_valid(): - form_copy = tform.save(commit=False) - form_copy.password = dojo_crypto_encrypt( - tform.cleaned_data["password"]) - form_copy.save() - messages.add_message( - request, - messages.SUCCESS, - "Credential Successfully Created.", - extra_tags="alert-success") - return HttpResponseRedirect(reverse("cred")) - else: - tform = CredUserForm() - add_breadcrumb( - title="New Credential", top_level=False, request=request) - return render(request, "dojo/new_cred.html", {"tform": tform}) - - -@user_is_authorized(Product, Permissions.Product_Edit, "pid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def all_cred_product(request, pid): - prod = get_object_or_404(Product, id=pid) - creds = Cred_Mapping.objects.filter(product=prod).order_by("cred_id__name") - - product_tab = Product_Tab(prod, title="Credentials", tab="settings") - return render(request, "dojo/view_cred_prod.html", {"product_tab": product_tab, "creds": creds, "prod": prod}) - - -@user_is_configuration_authorized(Permissions.Credential_Edit) -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def edit_cred(request, ttid): - tool_config = Cred_User.objects.get(pk=ttid) - if request.method == "POST": - tform = CredUserForm(request.POST, request.FILES, instance=tool_config) - if tform.is_valid(): - form_copy = tform.save(commit=False) - form_copy.password = dojo_crypto_encrypt( - tform.cleaned_data["password"]) - # handle_uploaded_selenium(request.FILES['selenium_script'], tool_config) - form_copy.save() - - messages.add_message( - request, - messages.SUCCESS, - "Credential Successfully Updated.", - extra_tags="alert-success") - return HttpResponseRedirect(reverse("cred")) - else: - tool_config.password = prepare_for_view(tool_config.password) - - tform = CredUserForm(instance=tool_config) - add_breadcrumb( - title="Edit Credential Configuration", - top_level=False, - request=request) - - return render(request, "dojo/edit_cred.html", { - "tform": tform, - }) - - -@user_is_configuration_authorized(Permissions.Credential_View) -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def view_cred_details(request, ttid): - cred = Cred_User.objects.get(pk=ttid) - notes = cred.notes.all() - cred_products = Cred_Mapping.objects.select_related("product").filter( - product_id__isnull=False, cred_id=ttid).order_by("product__name") - cred_products = get_authorized_cred_mappings_for_queryset(Permissions.Product_View, cred_products) - - if request.method == "POST": - form = NoteForm(request.POST) - - if form.is_valid(): - new_note = form.save(commit=False) - new_note.author = request.user - new_note.date = timezone.now() - new_note.save() - cred.notes.add(new_note) - form = NoteForm() - - messages.add_message( - request, - messages.SUCCESS, - "Note added successfully.", - extra_tags="alert-success") - else: - form = NoteForm() - - add_breadcrumb(title="View", top_level=False, request=request) - - return render(request, "dojo/view_cred_details.html", { - "cred": cred, - "form": form, - "notes": notes, - "cred_products": cred_products, - "person": request.user.username, - }) - - -@user_is_configuration_authorized(Permissions.Credential_View) -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def cred(request): - confs = Cred_User.objects.all().order_by("name", "environment", "username") - add_breadcrumb(title="Credential Manager", top_level=True, request=request) - return render(request, "dojo/view_cred.html", { - "confs": confs, - }) - - -@user_is_authorized(Product, Permissions.Product_View, "pid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_View, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def view_cred_product(request, pid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - notes = cred.cred_id.notes.all() - - if request.method == "POST": - form = NoteForm(request.POST) - - if form.is_valid(): - new_note = form.save(commit=False) - new_note.author = request.user - new_note.date = timezone.now() - new_note.save() - cred.cred_id.notes.add(new_note) - form = NoteForm() - messages.add_message( - request, - messages.SUCCESS, - "Note added successfully.", - extra_tags="alert-success") - else: - form = NoteForm() - - add_breadcrumb( - title="Credential Manager", top_level=False, request=request) - cred_type = "Product" - view_link = reverse( - "view_cred_product", args=( - cred.product.id, - cred.id, - )) - edit_link = reverse( - "edit_cred_product", args=( - cred.product.id, - cred.id, - )) - delete_link = reverse( - "delete_cred_product", args=( - cred.product.id, - cred.id, - )) - - return render( - request, "dojo/view_cred_all_details.html", { - "cred": cred, - "form": form, - "notes": notes, - "cred_type": cred_type, - "edit_link": edit_link, - "delete_link": delete_link, - "view_link": view_link, - }) - - -@user_is_authorized(Engagement, Permissions.Engagement_View, "eid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_View, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def view_cred_product_engagement(request, eid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - cred_product = Cred_Mapping.objects.filter( - cred_id=cred.cred_id.id, product=cred.engagement.product.id).first() - notes = cred.cred_id.notes.all() - - if request.method == "POST": - form = NoteForm(request.POST) - - if form.is_valid(): - new_note = form.save(commit=False) - new_note.author = request.user - new_note.date = timezone.now() - new_note.save() - cred.cred_id.notes.add(new_note) - form = NoteForm() - messages.add_message( - request, - messages.SUCCESS, - "Note added successfully.", - extra_tags="alert-success") - else: - form = NoteForm() - - add_breadcrumb( - title="Credential Manager", top_level=False, request=request) - cred_type = "Engagement" - edit_link = "" - delete_link = reverse( - "delete_cred_engagement", args=( - eid, - cred.id, - )) - - return render( - request, "dojo/view_cred_all_details.html", { - "cred": cred, - "form": form, - "notes": notes, - "cred_type": cred_type, - "edit_link": edit_link, - "delete_link": delete_link, - "cred_product": cred_product, - }) - - -@user_is_authorized(Test, Permissions.Test_View, "tid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_View, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def view_cred_engagement_test(request, tid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - cred_product = Cred_Mapping.objects.filter( - cred_id=cred.cred_id.id, - product=cred.test.engagement.product.id).first() - - notes = cred.cred_id.notes.all() - - if request.method == "POST": - form = NoteForm(request.POST) - - if form.is_valid(): - new_note = form.save(commit=False) - new_note.author = request.user - new_note.date = timezone.now() - new_note.save() - cred.cred_id.notes.add(new_note) - form = NoteForm() - messages.add_message( - request, - messages.SUCCESS, - "Note added successfully.", - extra_tags="alert-success") - else: - form = NoteForm() - - add_breadcrumb( - title="Credential Manager", top_level=False, request=request) - cred_type = "Test" - edit_link = None - delete_link = reverse( - "delete_cred_test", args=( - tid, - cred.id, - )) - - return render( - request, "dojo/view_cred_all_details.html", { - "cred": cred, - "form": form, - "notes": notes, - "cred_type": cred_type, - "edit_link": edit_link, - "delete_link": delete_link, - "cred_product": cred_product, - }) - - -@user_is_authorized(Finding, Permissions.Finding_View, "fid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_View, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def view_cred_finding(request, fid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - cred_product = Cred_Mapping.objects.filter( - cred_id=cred.cred_id.id, - product=cred.finding.test.engagement.product.id).first() - - notes = cred.cred_id.notes.all() - - if request.method == "POST": - form = NoteForm(request.POST) - - if form.is_valid(): - new_note = form.save(commit=False) - new_note.author = request.user - new_note.date = timezone.now() - new_note.save() - cred.cred_id.notes.add(new_note) - form = NoteForm() - messages.add_message( - request, - messages.SUCCESS, - "Note added successfully.", - extra_tags="alert-success") - else: - form = NoteForm() - - add_breadcrumb( - title="Credential Manager", top_level=False, request=request) - cred_type = "Finding" - edit_link = None - delete_link = reverse( - "delete_cred_finding", args=( - fid, - cred.id, - )) - - return render( - request, "dojo/view_cred_all_details.html", { - "cred": cred, - "form": form, - "notes": notes, - "cred_type": cred_type, - "edit_link": edit_link, - "delete_link": delete_link, - "cred_product": cred_product, - }) - - -@user_is_authorized(Product, Permissions.Product_Edit, "pid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Edit, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def edit_cred_product(request, pid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - - prod = get_object_or_404(Product, pk=pid) - if request.method == "POST": - tform = CredMappingFormProd(request.POST, instance=cred) - if tform.is_valid(): - tform.save() - messages.add_message( - request, - messages.SUCCESS, - "Credential Successfully Updated.", - extra_tags="alert-success") - return HttpResponseRedirect(reverse("all_cred_product", args=(pid, ))) - else: - tform = CredMappingFormProd(instance=cred) - - product_tab = Product_Tab(prod, title="Edit Product Credential", tab="settings") - return render(request, "dojo/edit_cred_all.html", { - "tform": tform, - "product_tab": product_tab, - "cred_type": "Product", - }) - - -@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Edit, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def edit_cred_product_engagement(request, eid, ttid): - cred = get_object_or_404( - Cred_Mapping.objects.select_related("cred_id"), id=ttid) - eng = get_object_or_404(Engagement, pk=eid) - - if request.method == "POST": - tform = CredMappingForm(request.POST, instance=cred) - if tform.is_valid(): - tform.save() - messages.add_message( - request, - messages.SUCCESS, - "Credential Successfully Updated.", - extra_tags="alert-success") - return HttpResponseRedirect( - reverse("view_engagement", args=(eid, ))) - else: - tform = CredMappingFormProd(instance=cred) - tform.fields["cred_id"].queryset = Cred_Mapping.objects.filter( - product=eng.product).order_by("cred_id") - - add_breadcrumb( - title="Edit Credential Configuration", - top_level=False, - request=request) - - return render(request, "dojo/edit_cred_all.html", { - "tform": tform, - "cred_type": "Engagement", - }) - - -@user_is_authorized(Product, Permissions.Product_Edit, "pid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def new_cred_product(request, pid): - prod = get_object_or_404(Product, pk=pid) - if request.method == "POST": - tform = CredMappingFormProd(request.POST) - if tform.is_valid(): - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - cred_id=tform.cleaned_data["cred_id"].id, product=pid).first() - message = "Credential already associated." - status_tag = "alert-danger" - - if cred_user is None: - prod = Product.objects.get(id=pid) - new_f = tform.save(commit=False) - new_f.product = prod - new_f.save() - message = "Credential Successfully Updated." - status_tag = "alert-success" - - messages.add_message( - request, messages.SUCCESS, message, extra_tags=status_tag) - return HttpResponseRedirect(reverse("all_cred_product", args=(pid, ))) - else: - tform = CredMappingFormProd() - - product_tab = Product_Tab(prod, title="Add Credential Configuration", tab="settings") - - return render(request, "dojo/new_cred_product.html", { - "tform": tform, - "pid": pid, - "product_tab": product_tab, - }) - - -@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def new_cred_product_engagement(request, eid): - eng = get_object_or_404(Engagement, pk=eid) - - if request.method == "POST": - tform = CredMappingForm(request.POST) - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - product=eng.product).order_by("cred_id") - if tform.is_valid() and tform.cleaned_data["cred_user"]: - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - pk=tform.cleaned_data["cred_user"].id, - product=eng.product.id).order_by("cred_id").first() - # search for cred_user and engagement id - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred_user.cred_id, engagement=eng.id) - - message = "Credential already associated." - status_tag = "alert-danger" - - if not cred_user: - message = "Credential must first be associated with this product." - - if not cred_lookup and cred_user: - new_f = tform.save(commit=False) - new_f.engagement = eng - new_f.cred_id = cred_user.cred_id - new_f.save() - message = "Credential Successfully Updated." - status_tag = "alert-success" - - messages.add_message( - request, messages.SUCCESS, message, extra_tags=status_tag) - return HttpResponseRedirect( - reverse("view_engagement", args=(eid, ))) - else: - tform = CredMappingForm() - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - product=eng.product).order_by("cred_id") - - add_breadcrumb( - title="Add Credential Configuration", top_level=False, request=request) - - return render( - request, "dojo/new_cred_mapping.html", { - "tform": tform, - "eid": eid, - "formlink": reverse("new_cred_product_engagement", args=(eid, )), - }) - - -@user_is_authorized(Test, Permissions.Test_Edit, "tid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def new_cred_engagement_test(request, tid): - test = get_object_or_404(Test, pk=tid) - - if request.method == "POST": - tform = CredMappingForm(request.POST) - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=test.engagement).order_by("cred_id") - if tform.is_valid() and tform.cleaned_data["cred_user"]: - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - pk=tform.cleaned_data["cred_user"].id, - engagement=test.engagement.id).first() - # search for cred_user and test id - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred_user.cred_id, test=test.id) - - message = "Credential already associated." - status_tag = "alert-danger" - - if not cred_user: - message = "Credential must first be associated with this product." - - if not cred_lookup and cred_user: - new_f = tform.save(commit=False) - new_f.test = test - new_f.cred_id = cred_user.cred_id - new_f.save() - message = "Credential Successfully Updated." - status_tag = "alert-success" - - messages.add_message( - request, messages.SUCCESS, message, extra_tags=status_tag) - return HttpResponseRedirect(reverse("view_test", args=(tid, ))) - else: - tform = CredMappingForm() - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=test.engagement).order_by("cred_id") - - add_breadcrumb( - title="Add Credential Configuration", top_level=False, request=request) - - return render( - request, "dojo/new_cred_mapping.html", { - "tform": tform, - "eid": tid, - "formlink": reverse("new_cred_engagement_test", args=(tid, )), - }) - - -@user_is_authorized(Finding, Permissions.Finding_Edit, "fid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def new_cred_finding(request, fid): - finding = get_object_or_404(Finding, pk=fid) - - if request.method == "POST": - tform = CredMappingForm(request.POST) - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=finding.test.engagement).order_by("cred_id") - - if tform.is_valid() and tform.cleaned_data["cred_user"]: - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - pk=tform.cleaned_data["cred_user"].id, - engagement=finding.test.engagement.id).first() - # search for cred_user and test id - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred_user.cred_id, finding=finding.id) - - message = "Credential already associated." - status_tag = "alert-danger" - - if not cred_user: - message = "Credential must first be associated with this product." - - if not cred_lookup and cred_user: - new_f = tform.save(commit=False) - new_f.finding = finding - new_f.cred_id = cred_user.cred_id - new_f.save() - message = "Credential Successfully Updated." - status_tag = "alert-success" - - messages.add_message( - request, messages.SUCCESS, message, extra_tags=status_tag) - return HttpResponseRedirect(reverse("view_finding", args=(fid, ))) - else: - tform = CredMappingForm() - tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=finding.test.engagement).order_by("cred_id") - - add_breadcrumb( - title="Add Credential Configuration", top_level=False, request=request) - - return render( - request, "dojo/new_cred_mapping.html", { - "tform": tform, - "eid": fid, - "formlink": reverse("new_cred_finding", args=(fid, )), - }) - - -def delete_cred_controller(request, destination_url, elem_id, ttid): - cred = Cred_Mapping.objects.filter(pk=ttid).first() - if request.method == "POST": - tform = CredMappingForm(request.POST, instance=cred) - message = "" - status_tag = "" - delete_cred = False - - # Determine if the credential can be deleted - if destination_url == "cred": - if cred is None: - delete_cred = True - else: - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred.cred_id).exclude(product__isnull=True) - message = "Credential is associated with product(s). Remove the credential from the product(s) before this credential can be deleted." - if cred_lookup.exists() is False: - delete_cred = True - elif destination_url == "all_cred_product": - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred.cred_id).exclude(engagement__isnull=True) - message = "Credential is associated with engagement(s). Remove the credential from the engagement(s) before this credential can be deleted." - if cred_lookup.exists() is False: - delete_cred = True - elif destination_url == "view_engagement": - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred.cred_id).exclude(test__isnull=True) - message = "Credential is associated with test(s). Remove the test(s) before this credential can be deleted." - if cred_lookup.exists() is False: - cred_lookup = Cred_Mapping.objects.filter( - cred_id=cred.cred_id).exclude(finding__isnull=True) - message = "Credential is associated with finding(s). Remove the finding(s) before this credential can be deleted." - delete_cred = True - elif destination_url in {"view_test", "view_finding"}: - delete_cred = True - - # Allow deletion if no credentials are associated - if delete_cred is True: - message = "Credential Successfully Deleted." - status_tag = "alert-success" - # check if main cred delete - if destination_url == "cred": - cred = Cred_User.objects.get(pk=ttid) - cred.delete() - else: - cred.delete() - else: - status_tag = "alert-danger" - - messages.add_message( - request, messages.SUCCESS, message, extra_tags=status_tag) - - if destination_url == "cred": - return HttpResponseRedirect(reverse(destination_url)) - return HttpResponseRedirect(reverse(destination_url, args=(elem_id, ))) - tform = CredMappingForm(instance=cred) - - add_breadcrumb(title="Delete Credential", top_level=False, request=request) - product_tab = None - if elem_id: - product = None - if destination_url == "all_cred_product": - product = get_object_or_404(Product, id=elem_id) - elif destination_url == "view_engagement": - engagement = get_object_or_404(Engagement, id=elem_id) - product = engagement.product - elif destination_url == "view_test": - test = get_object_or_404(Test, id=elem_id) - product = test.engagement.product - elif destination_url == "view_finding": - finding = get_object_or_404(Finding, id=elem_id) - product = finding.test.engagement.product - product_tab = Product_Tab(product, title="Delete Credential Mapping", tab="settings") - return render(request, "dojo/delete_cred_all.html", { - "tform": tform, - "product_tab": product_tab, - }) - - -@user_is_configuration_authorized(Permissions.Credential_Delete) -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def delete_cred(request, ttid): - return delete_cred_controller(request, "cred", 0, ttid=ttid) - - -@user_is_authorized(Product, Permissions.Product_Edit, "pid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Delete, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def delete_cred_product(request, pid, ttid): - return delete_cred_controller(request, "all_cred_product", pid, ttid) - - -@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Delete, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def delete_cred_engagement(request, eid, ttid): - return delete_cred_controller(request, "view_engagement", eid, ttid) - - -@user_is_authorized(Test, Permissions.Test_Edit, "tid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Delete, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def delete_cred_test(request, tid, ttid): - return delete_cred_controller(request, "view_test", tid, ttid) - - -@user_is_authorized(Finding, Permissions.Finding_Edit, "fid") -@user_is_authorized(Cred_Mapping, Permissions.Credential_Delete, "ttid") -@deprecated_view("Credential Manager", removal_version="2.59.0", removal_date="June 1, 2026") -def delete_cred_finding(request, fid, ttid): - return delete_cred_controller(request, "view_finding", fid, ttid) diff --git a/dojo/db_migrations/0266_remove_credential_manager.py b/dojo/db_migrations/0266_remove_credential_manager.py new file mode 100644 index 00000000000..ba04cf317db --- /dev/null +++ b/dojo/db_migrations/0266_remove_credential_manager.py @@ -0,0 +1,52 @@ +"""Remove the Credential Manager feature. + +Drops the `Cred_User`, `Cred_Mapping`, and `Cred_UserEvent` models, removes +the pghistory triggers that wrote into the latter, and removes the +`enable_credentials` switch from System_Settings. The Credential Manager +feature was deprecated in 2.57.0 and is end-of-life in 2.59. +""" + +import pgtrigger.migrations +from django.db import migrations + + +class Migration(migrations.Migration): + + dependencies = [ + ("dojo", "0265_remove_stub_finding"), + ] + + operations = [ + # Remove pghistory triggers that mirror Cred_User changes into + # Cred_UserEvent. Triggers must be dropped before the source / event + # tables can be removed. + pgtrigger.migrations.RemoveTrigger( + model_name="cred_user", + name="insert_insert", + ), + pgtrigger.migrations.RemoveTrigger( + model_name="cred_user", + name="update_update", + ), + pgtrigger.migrations.RemoveTrigger( + model_name="cred_user", + name="delete_delete", + ), + # Drop the audit/event table (FKs from Cred_UserEvent → Cred_User get + # cleaned up automatically as part of DeleteModel). + migrations.DeleteModel( + name="Cred_UserEvent", + ), + # Cred_Mapping holds an FK to Cred_User and must be dropped first. + migrations.DeleteModel( + name="Cred_Mapping", + ), + migrations.DeleteModel( + name="Cred_User", + ), + # The UI toggle no longer has anything to gate. + migrations.RemoveField( + model_name="system_settings", + name="enable_credentials", + ), + ] diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index 34c516bcc7b..b70f9b3ae88 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -55,7 +55,6 @@ from dojo.forms import ( AddFindingsRiskAcceptanceForm, CheckForm, - CredMappingForm, DeleteEngagementForm, DoneForm, EditRiskAcceptanceForm, @@ -78,7 +77,6 @@ from dojo.location.utils import save_locations_to_add from dojo.models import ( Check_List, - Cred_Mapping, Development_Environment, Dojo_User, Endpoint, @@ -486,11 +484,6 @@ def get(self, request, eid, *args, **kwargs): files = eng.files.all() form = TypedNoteForm(available_note_types=available_note_types) if note_type_activation else NoteForm() - creds = Cred_Mapping.objects.filter( - product=eng.product).select_related("cred_id").order_by("cred_id") - cred_eng = Cred_Mapping.objects.filter( - engagement=eng.id).select_related("cred_id").order_by("cred_id") - add_breadcrumb(parent=eng, top_level=False, request=request) title = "" @@ -513,8 +506,6 @@ def get(self, request, eid, *args, **kwargs): "risks_accepted": risks_accepted, "jissue": jissue, "jira_project": jira_project, - "creds": creds, - "cred_eng": cred_eng, "network": network, "preset_test_type": preset_test_type, }) @@ -573,10 +564,6 @@ def post(self, request, eid, *args, **kwargs): messages.SUCCESS, "Note added successfully.", extra_tags="alert-success") - creds = Cred_Mapping.objects.filter( - product=eng.product).select_related("cred_id").order_by("cred_id") - cred_eng = Cred_Mapping.objects.filter( - engagement=eng.id).select_related("cred_id").order_by("cred_id") add_breadcrumb(parent=eng, top_level=False, request=request) @@ -600,8 +587,6 @@ def post(self, request, eid, *args, **kwargs): "risks_accepted": risks_accepted, "jissue": jissue, "jira_project": jira_project, - "creds": creds, - "cred_eng": cred_eng, "network": network, "preset_test_type": preset_test_type, }) @@ -637,15 +622,9 @@ def prefetch_for_view_tests(tests): @user_is_authorized(Engagement, Permissions.Test_Add, "eid") def add_tests(request, eid): eng = Engagement.objects.get(id=eid) - cred_form = CredMappingForm() - cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=eng).order_by("cred_id") if request.method == "POST": form = TestForm(request.POST, engagement=eng) - cred_form = CredMappingForm(request.POST) - cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( - engagement=eng).order_by("cred_id") if form.is_valid(): new_test = form.save(commit=False) # set default scan_type as it's used in reimport @@ -663,19 +642,6 @@ def add_tests(request, eid): new_test.save() - # Save the credential to the test - if cred_form.is_valid(): - if cred_form.cleaned_data["cred_user"]: - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - pk=cred_form.cleaned_data["cred_user"].id, - engagement=eid).first() - - new_f = cred_form.save(commit=False) - new_f.test = new_test - new_f.cred_id = cred_user.cred_id - new_f.save() - messages.add_message( request, messages.SUCCESS, @@ -713,7 +679,6 @@ def add_tests(request, eid): return render(request, "dojo/add_tests.html", { "product_tab": product_tab, "form": form, - "cred_form": cred_form, "eid": eid, "eng": eng, }) @@ -769,30 +734,6 @@ def get_form( return ImportScanForm(request.POST, request.FILES, **kwargs) return ImportScanForm(**kwargs) - def get_credential_form( - self, - request: HttpRequest, - engagement: Engagement, - ) -> CredMappingForm: - """ - Return a new instance of a form managing credentials. If an engagement - it present at this time any existing credential objects will be attempted - to be fetched to populate the form - """ - if request.method == "POST": - return CredMappingForm(request.POST) - # If the engagement is not present, return an empty form - if engagement is None: - return CredMappingForm() - # Otherwise get all creds in the associated engagement - return CredMappingForm( - initial={ - "cred_user_queryset": Cred_Mapping.objects.filter( - engagement=engagement, - ).order_by("cred_id"), - }, - ) - def get_jira_form( self, request: HttpRequest, @@ -871,8 +812,6 @@ def handle_request( endpoints=endpoints, api_scan_configuration=Product_API_Scan_Configuration.objects.filter(product__id=product_tab.product.id), ) - # Get the credential mapping form - cred_form = self.get_credential_form(request, engagement) # Get the jira form jira_form, push_all_jira_issues = self.get_jira_form(request, engagement_or_product) # Return the request and the context @@ -887,7 +826,6 @@ def handle_request( "engagement_or_product": engagement_or_product, "custom_breadcrumb": custom_breadcrumb, "title": "Import Scan Results", - "cred_form": cred_form, "jform": jira_form, "scan_types": get_scan_types_sorted(), "push_all_jira_issues": push_all_jira_issues, @@ -902,7 +840,7 @@ def validate_forms( level are bubbled up to the user first before we process too much """ form_validation_list = [] - for form_name in ["form", "jform", "cred_form"]: + for form_name in ["form", "jform"]: if (form := context.get(form_name)) is not None: if errors := form.errors: form_validation_list.append(errors) @@ -1069,28 +1007,6 @@ def process_jira_form( context["push_to_jira"] = push_all_jira_issues or (form and form.cleaned_data.get("push_to_jira")) return None - def process_credentials_form( - self, - request: HttpRequest, - form: CredMappingForm, - context: dict, - ) -> str | None: - """Process the credentials form by creating""" - if cred_user := form.cleaned_data["cred_user"]: - # Select the credential mapping object from the selected list and only allow if the credential is associated with the product - cred_user = Cred_Mapping.objects.filter( - pk=cred_user.id, - engagement=context.get("engagement"), - ).first() - # Create the new credential mapping object - new_cred_mapping = form.save(commit=False) - new_cred_mapping.test = context.get("test") - new_cred_mapping.cred_id = cred_user.cred_id - new_cred_mapping.save() - # update the context - context["cred_user"] = cred_user - return None - def success_redirect( self, request: HttpRequest, @@ -1174,10 +1090,6 @@ def post( # Add test_id to pghistory context now that test is created if test := context.get("test"): pghistory.context(test_id=test.id) - # Process the credential form - if form_error := self.process_credentials_form(request, context.get("cred_form"), context): - add_error_message_to_response(form_error) - return self.failure_redirect(request, context) # Otherwise return the user back to the engagement (if present) or the product return self.success_redirect(request, context) diff --git a/dojo/filters.py b/dojo/filters.py index 64216673b7a..a586c35540d 100644 --- a/dojo/filters.py +++ b/dojo/filters.py @@ -62,7 +62,6 @@ SEVERITY_CHOICES, App_Analysis, ChoiceQuestion, - Cred_Mapping, Development_Environment, Dojo_Group, Dojo_User, @@ -3374,12 +3373,6 @@ class Meta: fields = ["product", "name", "user", "version"] -class ApiCredentialsFilter(DojoFilter): - class Meta: - model = Cred_Mapping - fields = "__all__" - - class EndpointReportFilter(DojoFilter): protocol = CharFilter(lookup_expr="icontains") userinfo = CharFilter(lookup_expr="icontains") diff --git a/dojo/finding/views.py b/dojo/finding/views.py index e4d5a3c1872..a557c4a97aa 100644 --- a/dojo/finding/views.py +++ b/dojo/finding/views.py @@ -78,7 +78,6 @@ from dojo.models import ( IMPORT_UNTOUCHED_FINDING, BurpRawRequestResponse, - Cred_Mapping, Dojo_User, Endpoint, Endpoint_Status, @@ -466,29 +465,6 @@ def get_previous_and_next_findings(self, finding: Finding): "findings_list_lastElement": findings[last_pos], } - def get_credential_objects(self, finding: Finding): - cred = ( - Cred_Mapping.objects.filter(test=finding.test.id) - .select_related("cred_id") - .order_by("cred_id") - ) - cred_engagement = ( - Cred_Mapping.objects.filter(engagement=finding.test.engagement.id) - .select_related("cred_id") - .order_by("cred_id") - ) - cred_finding = ( - Cred_Mapping.objects.filter(finding=finding.id) - .select_related("cred_id") - .order_by("cred_id") - ) - - return { - "cred_finding": cred_finding, - "cred": cred, - "cred_engagement": cred_engagement, - } - def get_request_response(self, finding: Finding): request_response = None burp_request = None @@ -698,7 +674,6 @@ def get(self, request: HttpRequest, finding_id: int): context = self.get_initial_context(request, finding, user) # Add in the other extras context |= self.get_previous_and_next_findings(finding) - context |= self.get_credential_objects(finding) # Add in more of the other extras context |= self.get_request_response(finding) context |= self.get_similar_findings(request, finding) diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json index bcba938610b..880d98778aa 100644 --- a/dojo/fixtures/defect_dojo_sample_data.json +++ b/dojo/fixtures/defect_dojo_sample_data.json @@ -797,7 +797,6 @@ "enable_benchmark": true, "enable_calendar": true, "enable_checklists": true, - "enable_credentials": true, "enable_deduplication": false, "enable_endpoint_metadata_import": true, "enable_finding_groups": true, @@ -43164,60 +43163,6 @@ "model": "watson.searchentry", "pk": 3 }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "3", - "object_id_int": 3, - "title": "Web Scan (Feb 23, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 4 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "13", - "object_id_int": 13, - "title": "Web Scan (Mar 26, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 5 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "14", - "object_id_int": 14, - "title": "Web Scan (Feb 23, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 6 - }, { "fields": { "content": "", @@ -43470,60 +43415,6 @@ "model": "watson.searchentry", "pk": 25 }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "3", - "object_id_int": 3, - "title": "Web Scan (Feb 23, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 26 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "13", - "object_id_int": 13, - "title": "Web Scan (Mar 26, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 27 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "14", - "object_id_int": 14, - "title": "Web Scan (Feb 23, 2022)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 28 - }, { "fields": { "content": "April Monthly Engagement Requested by the team for regular manual checkup by the security team. None None None Completed threat_model none none Interactive None None None None", diff --git a/dojo/fixtures/defect_dojo_sample_data_locations.json b/dojo/fixtures/defect_dojo_sample_data_locations.json index 2547c43e1cb..00a71e5b94c 100644 --- a/dojo/fixtures/defect_dojo_sample_data_locations.json +++ b/dojo/fixtures/defect_dojo_sample_data_locations.json @@ -803,7 +803,6 @@ "enable_benchmark": true, "enable_calendar": true, "enable_checklists": true, - "enable_credentials": true, "enable_cvss3_display": true, "enable_cvss4_display": true, "enable_deduplication": false, @@ -78977,60 +78976,6 @@ "model": "watson.searchentry", "pk": 3 }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "3", - "object_id_int": 3, - "title": "Web Scan (Mar 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 4 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "13", - "object_id_int": 13, - "title": "Web Scan (Apr 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 5 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "14", - "object_id_int": 14, - "title": "Web Scan (Mar 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 6 - }, { "fields": { "content": "", @@ -79283,60 +79228,6 @@ "model": "watson.searchentry", "pk": 25 }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "3", - "object_id_int": 3, - "title": "Web Scan (Mar 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 26 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "13", - "object_id_int": 13, - "title": "Web Scan (Apr 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 27 - }, - { - "fields": { - "content": "", - "content_type": [ - "dojo", - "cred_user" - ], - "description": "", - "engine_slug": "default", - "meta_encoded": "{}", - "object_id": "14", - "object_id_int": 14, - "title": "Web Scan (Mar 21, 2021)", - "url": "" - }, - "model": "watson.searchentry", - "pk": 28 - }, { "fields": { "content": "April Monthly Engagement Requested by the team for regular manual checkup by the security team. None None None Completed threat_model none none Interactive None None None None", diff --git a/dojo/fixtures/dojo_testdata.json b/dojo/fixtures/dojo_testdata.json index ab36b3ca18f..29b02b41de5 100644 --- a/dojo/fixtures/dojo_testdata.json +++ b/dojo/fixtures/dojo_testdata.json @@ -2982,38 +2982,6 @@ "codename": "view_logentry" } }, - { - "model": "dojo.cred_user", - "pk": 1, - "fields": { - "name": "Cred Product", - "username": "admin", - "password": "AES.1:2f3cb6d1d412a0552a46b67d972d14f5:6617146b4d29492551dfc62e4a697aca", - "role": "admin", - "authentication": "Form", - "http_authentication": "Basic", - "description": "test", - "url": "https://google.com", - "environment": 1, - "login_regex": null, - "logout_regex": null, - "is_valid": true, - "notes": [] - } - }, - { - "model": "dojo.cred_mapping", - "pk": 1, - "fields": { - "cred_id": 1, - "product": 1, - "finding": null, - "engagement": null, - "test": null, - "is_authn_provider": false, - "url": "https://google.com" - } - }, { "model": "dojo.announcement", "pk": 1, diff --git a/dojo/fixtures/dojo_testdata_locations.json b/dojo/fixtures/dojo_testdata_locations.json index bdcc4928566..3d4eb06ff9b 100644 --- a/dojo/fixtures/dojo_testdata_locations.json +++ b/dojo/fixtures/dojo_testdata_locations.json @@ -3007,38 +3007,6 @@ "codename": "view_logentry" } }, - { - "model": "dojo.cred_user", - "pk": 1, - "fields": { - "name": "Cred Product", - "username": "admin", - "password": "AES.1:2f3cb6d1d412a0552a46b67d972d14f5:6617146b4d29492551dfc62e4a697aca", - "role": "admin", - "authentication": "Form", - "http_authentication": "Basic", - "description": "test", - "url": "https://google.com", - "environment": 1, - "login_regex": null, - "logout_regex": null, - "is_valid": true, - "notes": [] - } - }, - { - "model": "dojo.cred_mapping", - "pk": 1, - "fields": { - "cred_id": 1, - "product": 1, - "finding": null, - "engagement": null, - "test": null, - "is_authn_provider": false, - "url": "https://google.com" - } - }, { "model": "dojo.announcement", "pk": 1, diff --git a/dojo/forms.py b/dojo/forms.py index 8e841c784a9..9cffb68c6a3 100644 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -71,8 +71,6 @@ Choice, ChoiceAnswer, ChoiceQuestion, - Cred_Mapping, - Cred_User, Development_Environment, Dojo_Group, Dojo_Group_Member, @@ -2987,32 +2985,6 @@ def clean(self): return self.cleaned_data -class CredMappingForm(forms.ModelForm): - cred_user = forms.ModelChoiceField( - queryset=Cred_Mapping.objects.all().select_related("cred_id"), - required=False, - label="Select a Credential", - ) - - class Meta: - model = Cred_Mapping - fields = ["cred_user"] - exclude = ["product", "finding", "engagement", "test", "url", "is_authn_provider"] - - def __init__(self, *args, **kwargs): - cred_user_queryset = kwargs.pop("cred_user_queryset", None) - super().__init__(*args, **kwargs) - if cred_user_queryset is not None: - self.fields["cred_user"].queryset = cred_user_queryset - - -class CredMappingFormProd(forms.ModelForm): - class Meta: - model = Cred_Mapping - fields = ["cred_id", "url", "is_authn_provider"] - exclude = ["product", "finding", "engagement", "test"] - - class EngagementPresetsForm(forms.ModelForm): notes = forms.CharField(widget=forms.Textarea(attrs={}), @@ -3103,17 +3075,6 @@ def valid_value(self, value): return True -class CredUserForm(forms.ModelForm): - # selenium_script = forms.FileField(widget=forms.widgets.FileInput( - # attrs={"accept": ".py"}), - # label="Select a Selenium Script", required=False) - - class Meta: - model = Cred_User - exclude = [""] - # fields = ['selenium_script'] - - class LoginBanner(forms.Form): banner_enable = forms.BooleanField( label="Enable login banner", diff --git a/dojo/management/commands/pghistory_backfill.py b/dojo/management/commands/pghistory_backfill.py index 9c25017c598..037804462af 100644 --- a/dojo/management/commands/pghistory_backfill.py +++ b/dojo/management/commands/pghistory_backfill.py @@ -46,7 +46,6 @@ def get_excluded_fields(self, model_name): excluded_fields_map = { "Dojo_User": ["password"], "Product": ["updated"], # This is the key change - "Cred_User": ["password"], "Notification_Webhooks": ["header_name", "header_value"], } return excluded_fields_map.get(model_name, []) @@ -154,7 +153,7 @@ def handle(self, *args, **options): tracked_models = [ "Dojo_User", "Endpoint", "Engagement", "Finding", "Finding_Group", "Product_Type", "Product", "Test", "Risk_Acceptance", - "Finding_Template", "Cred_User", "Notification_Webhooks", + "Finding_Template", "Notification_Webhooks", "FindingReviewers", # M2M through table for Finding.reviewers # Tag through tables (tagulous auto-generated) "FindingTags", diff --git a/dojo/management/commands/pghistory_backfill_simple.py b/dojo/management/commands/pghistory_backfill_simple.py index dd4d08f1008..9c9f373321e 100644 --- a/dojo/management/commands/pghistory_backfill_simple.py +++ b/dojo/management/commands/pghistory_backfill_simple.py @@ -45,7 +45,6 @@ def handle(self, *args, **options): "Finding_Group", "Risk_Acceptance", "Finding_Template", - "Cred_User", "Notification_Webhooks", "FindingReviewers", # M2M through table for Finding.reviewers # Tag through tables (tagulous auto-generated) @@ -97,7 +96,6 @@ def get_excluded_fields(self, model_name): excluded_fields_map = { "Dojo_User": ["password"], "Product": ["updated"], - "Cred_User": ["password"], "Notification_Webhooks": ["header_name", "header_value"], } return excluded_fields_map.get(model_name, []) diff --git a/dojo/management/commands/pghistory_clear.py b/dojo/management/commands/pghistory_clear.py index 97b938293d7..54d1bc8a3d6 100644 --- a/dojo/management/commands/pghistory_clear.py +++ b/dojo/management/commands/pghistory_clear.py @@ -45,7 +45,6 @@ def handle(self, *args, **options): # All pghistory Event tables based on tracked models event_tables = [ - "Cred_UserEvent", "Dojo_UserEvent", "EndpointEvent", "EngagementEvent", diff --git a/dojo/models.py b/dojo/models.py index d44893a4312..63ca1cf31ba 100644 --- a/dojo/models.py +++ b/dojo/models.py @@ -551,11 +551,6 @@ class System_Settings(models.Model): risk_acceptance_form_default_days = models.IntegerField(null=True, blank=True, default=180, help_text=_("Default expiry period for risk acceptance form.")) risk_acceptance_notify_before_expiration = models.IntegerField(null=True, blank=True, default=10, verbose_name=_("Risk acceptance expiration heads up days"), help_text=_("Notify X days before risk acceptance expires. Leave empty to disable.")) - enable_credentials = models.BooleanField( - default=True, - blank=False, - verbose_name=_("Enable credentials"), - help_text=_("With this setting turned off, credentials will be disabled in the user interface.")) enable_questionnaires = models.BooleanField( default=True, blank=False, @@ -4128,55 +4123,6 @@ class Tool_Product_History(models.Model): blank=True) -class Cred_User(models.Model): - name = models.CharField(max_length=200, null=False) - username = models.CharField(max_length=200, null=False) - password = models.CharField(max_length=600, null=False) - role = models.CharField(max_length=200, null=False) - authentication = models.CharField(max_length=15, - choices=( - ("Form", "Form Authentication"), - ("SSO", "SSO Redirect")), - default="Form") - http_authentication = models.CharField(max_length=15, - choices=( - ("Basic", "Basic"), - ("NTLM", "NTLM")), - null=True, blank=True) - description = models.CharField(max_length=2000, null=True, blank=True) - url = models.URLField(max_length=2000, null=False) - environment = models.ForeignKey(Development_Environment, null=False, on_delete=models.RESTRICT) - login_regex = models.CharField(max_length=200, null=True, blank=True) - logout_regex = models.CharField(max_length=200, null=True, blank=True) - notes = models.ManyToManyField(Notes, blank=True, editable=False) - is_valid = models.BooleanField(default=True, verbose_name=_("Login is valid")) - - class Meta: - ordering = ["name"] - - def __str__(self): - return self.name + " (" + self.role + ")" - - -class Cred_Mapping(models.Model): - cred_id = models.ForeignKey(Cred_User, null=False, - related_name="cred_user", - verbose_name=_("Credential"), on_delete=models.CASCADE) - product = models.ForeignKey(Product, null=True, blank=True, - related_name="product", on_delete=models.CASCADE) - finding = models.ForeignKey(Finding, null=True, blank=True, - related_name="finding", on_delete=models.CASCADE) - engagement = models.ForeignKey(Engagement, null=True, blank=True, - related_name="engagement", on_delete=models.CASCADE) - test = models.ForeignKey(Test, null=True, blank=True, related_name="test", on_delete=models.CASCADE) - is_authn_provider = models.BooleanField(default=False, - verbose_name=_("Authentication Provider")) - url = models.URLField(max_length=2000, null=True, blank=True) - - def __str__(self): - return self.cred_id.name + " (" + self.cred_id.role + ")" - - class Language_Type(models.Model): language = models.CharField(max_length=100, null=False, unique=True) color = models.CharField(max_length=7, null=True, blank=True, verbose_name=_("HTML color")) @@ -4612,8 +4558,6 @@ def __str__(self): admin.site.register(Tool_Configuration, Tool_Configuration_Admin) admin.site.register(Tool_Product_Settings) admin.site.register(Tool_Type) -admin.site.register(Cred_User) -admin.site.register(Cred_Mapping) admin.site.register(System_Settings) admin.site.register(SLA_Configuration) admin.site.register(CWE) diff --git a/dojo/notes/views.py b/dojo/notes/views.py index dc8cc6ef6a6..7d27649afd6 100644 --- a/dojo/notes/views.py +++ b/dojo/notes/views.py @@ -13,21 +13,20 @@ from dojo.authorization.authorization import user_has_permission_or_403 from dojo.authorization.roles_permissions import Permissions -from dojo.cred.queries import get_authorized_cred_mappings from dojo.engagement.queries import get_authorized_engagements from dojo.finding.queries import get_authorized_findings # Local application/library imports from dojo.forms import DeleteNoteForm, NoteForm, TypedNoteForm -from dojo.models import Cred_User, Engagement, Finding, Note_Type, NoteHistory, Notes, Test +from dojo.models import Engagement, Finding, Note_Type, NoteHistory, Notes, Test from dojo.test.queries import get_authorized_tests logger = logging.getLogger(__name__) -SUPPORTED_PAGES = Literal["engagement", "test", "finding", "cred"] +SUPPORTED_PAGES = Literal["engagement", "test", "finding"] -def _get_page_details(request: HttpRequest, note_id: int, page: SUPPORTED_PAGES | None, objid: int) -> tuple[Notes, Engagement | Test | Finding | Cred_User, int, str]: +def _get_page_details(request: HttpRequest, note_id: int, page: SUPPORTED_PAGES | None, objid: int) -> tuple[Notes, Engagement | Test | Finding, int, str]: note = get_object_or_404(Notes, id=note_id) # Quick check to make sure we have a valid page if page is None or page not in get_args(SUPPORTED_PAGES): @@ -42,9 +41,6 @@ def _get_page_details(request: HttpRequest, note_id: int, page: SUPPORTED_PAGES elif page == "finding": obj = get_authorized_findings(Permissions.Finding_View).filter(id=objid).first() reverse_url = "view_finding" - elif page == "cred": - obj = get_authorized_cred_mappings(Permissions.Cred_View).filter(id=objid).first() - reverse_url = "view_cred_details" else: # If we get here, something is wrong, so let's just raise PermissionDenied raise PermissionDenied diff --git a/dojo/templates/base.html b/dojo/templates/base.html index b8f5489f1d7..244e4e0396e 100644 --- a/dojo/templates/base.html +++ b/dojo/templates/base.html @@ -548,13 +548,6 @@ {% endif %} - {% if system_settings.enable_credentials and "dojo.view_cred_user"|has_configuration_permission:request %} -
  • - - {% trans "Credential Manager" %} - -
  • - {% endif %} {% if system_settings.enable_github and "dojo.view_github_conf"|has_configuration_permission:request%}
  • @@ -978,21 +971,6 @@

  • {% endif %} - {% if system_settings.enable_credentials %} - -
  • - - - {% trans "Add Credentials" %} - -
  • -
  • - - - {% trans "View Credentials" %} - -
  • - {% endif %}
  • diff --git a/dojo/templates/dojo/delete_cred_all.html b/dojo/templates/dojo/delete_cred_all.html deleted file mode 100644 index cbe35b64633..00000000000 --- a/dojo/templates/dojo/delete_cred_all.html +++ /dev/null @@ -1,21 +0,0 @@ -{% extends "base.html" %} -{% block content %} - {{ block.super }} -

    Delete Credential Mapping

    - -
    -
    -

    Danger Zone

    -
    -
    - {% csrf_token %} - {{ form }} -
    -
    - -
    -
    -
    -
    -
    -{% endblock %} diff --git a/dojo/templates/dojo/edit_cred.html b/dojo/templates/dojo/edit_cred.html deleted file mode 100644 index 43ba1ff458e..00000000000 --- a/dojo/templates/dojo/edit_cred.html +++ /dev/null @@ -1,18 +0,0 @@ -{% extends "base.html" %} -{% load static %} - -{% block content %} - {{ block.super }} -

    Edit Credential Configuration

    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=tform %} -
    -
    - -
    -
    -
    -{% endblock %} -{% block postscript %} - {{ block.super }} -{% endblock %} diff --git a/dojo/templates/dojo/edit_cred_all.html b/dojo/templates/dojo/edit_cred_all.html deleted file mode 100644 index 86177053603..00000000000 --- a/dojo/templates/dojo/edit_cred_all.html +++ /dev/null @@ -1,18 +0,0 @@ -{% extends "base.html" %} -{% load static %} - -{% block content %} - {{ block.super }} -

    Edit {{cred_type}} Credential

    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=tform %} -
    -
    - -
    -
    -
    -{% endblock %} -{% block postscript %} - {{ block.super }} -{% endblock %} diff --git a/dojo/templates/dojo/new_cred.html b/dojo/templates/dojo/new_cred.html deleted file mode 100644 index 8fcaeee5816..00000000000 --- a/dojo/templates/dojo/new_cred.html +++ /dev/null @@ -1,13 +0,0 @@ -{% extends "base.html"%} -{% block content %} - {{ block.super }} -

    Add a Credential

    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=tform %} -
    -
    - -
    -
    -
    -{% endblock %} diff --git a/dojo/templates/dojo/new_cred_mapping.html b/dojo/templates/dojo/new_cred_mapping.html deleted file mode 100644 index ecde7a8b500..00000000000 --- a/dojo/templates/dojo/new_cred_mapping.html +++ /dev/null @@ -1,13 +0,0 @@ -{% extends "base.html"%} -{% block content %} - {{ block.super }} -

    Add a Credential

    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=tform %} -
    -
    - -
    -
    -
    -{% endblock %} diff --git a/dojo/templates/dojo/new_cred_product.html b/dojo/templates/dojo/new_cred_product.html deleted file mode 100644 index 651418a37d7..00000000000 --- a/dojo/templates/dojo/new_cred_product.html +++ /dev/null @@ -1,13 +0,0 @@ -{% extends "base.html"%} -{% block content %} - {{ block.super }} -

    Add a Credential

    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=tform %} -
    -
    - -
    -
    -
    -{% endblock %} diff --git a/dojo/templates/dojo/view_cred.html b/dojo/templates/dojo/view_cred.html deleted file mode 100644 index 2282d283e48..00000000000 --- a/dojo/templates/dojo/view_cred.html +++ /dev/null @@ -1,96 +0,0 @@ -{% extends "base.html" %} -{% load navigation_tags %} -{% load get_config_setting %} -{% load authorization_tags %} -{% block content %} - {{ block.super }} -
    -{% endblock %} -{% block postscript %} - {{ block.super }} - {% include "dojo/filter_js_snippet.html" %} -{% endblock %} diff --git a/dojo/templates/dojo/view_cred_all_details.html b/dojo/templates/dojo/view_cred_all_details.html deleted file mode 100644 index d75a25b845d..00000000000 --- a/dojo/templates/dojo/view_cred_all_details.html +++ /dev/null @@ -1,308 +0,0 @@ -{% extends "base.html" %} -{% load display_tags %} -{% load get_config_setting %} -{% load static %} -{% block add_styles %} - {{ block.super }} - ul#select_by_severity a:hover, ul#bulk_edit a:hover { - cursor: pointer; - } -{% endblock %} -{% block content %} - {{ block.super }} -
    - -
    - - - - - - - - - - - - - - - - - - - - -
    NameAlternate URLUsernamePasswordRoleEnvironmentValid Login
    {{ cred.cred_id.name }} - {% if cred_product.url %} - Alternate URL - {% else %} - None Configured - {% endif %} - {{ cred.cred_id.username }}{{ cred.cred_id.password|get_pwd }}{{ cred.cred_id.role }}{{ cred.cred_id.environment }}{{ cred.cred_id.is_valid }}
    -
    -
    - -
    -
    -
    -
    -

    Login Details

    -
    -
    - - - - - - - - - - - - - - - -
    Authentication ProviderAuthentication TypeHTTP AuthenticationLogin RegExLogout RegEx
    {{ cred_product.is_authn_provider }}{{ cred.cred_id.authentication }}{{ cred.cred_id.http_authentication }}{{ cred.cred_id.login_regex }}{{ cred.cred_id.logout_regex }}
    -
    -
    -
    -
    - -
    -
    -
    -
    -

    Description

    -
    -
    - {{ cred.cred_id.description }} -
    -
    -
    -
    - -
    -
    -

    Notes

    -
    - {% if notes %} - - - - - - - - - - {% for note in notes %} - - - - - - {% endfor %} - - -
    UserDateNote
    - {{ note.author.username }} - - {{ note.date }} - - {{ note }} -
    - {% else %} - -

    No notes found.

    - {% endif %} -
    - -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=form %} -
    -
    - - -
    -
    -
    -
    -
    -
    -{% endblock %} - -{% block postscript %} - {{ block.super }} - - -{% endblock %} diff --git a/dojo/templates/dojo/view_cred_details.html b/dojo/templates/dojo/view_cred_details.html deleted file mode 100644 index 43d68ef1a70..00000000000 --- a/dojo/templates/dojo/view_cred_details.html +++ /dev/null @@ -1,328 +0,0 @@ -{% extends "base.html" %} -{% load display_tags %} -{% load get_config_setting %} -{% load static %} -{% block add_styles %} - {{ block.super }} - ul#select_by_severity a:hover, ul#bulk_edit a:hover { - cursor: pointer; - } -{% endblock %} -{% block content %} - {{ block.super }} -
    -
    -
    -

    Credential

    - - -
    -
    -
    - - - - - - - - - - - - - - - - - - - -
    NameAlternate URLUsernamePasswordRoleEnvironmentValid Login
    {{ cred.name }} - {% if cred.url %} - Alternate URL - {% endif %} - {{ cred.username }}{{ cred.password|get_pwd }}{{ cred.role }}{{ cred.environment }}{{ cred.is_valid }}
    -
    -
    - -
    -
    -
    -
    -

    Login Details

    -
    -
    - - - - - - - - - - - - - -
    Authentication TypeHTTP AuthenticationLogin RegExLogout RegEx
    {{ cred.authentication }}{{ cred.http_authentication }}{{ cred.login_regex }}{{ cred.logout_regex }}
    -
    -
    -
    -
    - -
    -
    -

    Associated Products

    -
    -
    - {% if cred_products %} - - - - - - - {% for cred in cred_products %} - - - - - - {% endfor %} - -
    Product NameAlernate URLAuthentication Provider
    - {{ cred.product }} - - {% if cred.url %} - Alternate URL - {% else %} - None Configured - {% endif %} - {{ cred.is_authn_provider }}
    - {% else %} -
    -

    No products associated with this credential.

    -
    - {% endif %} -
    -
    - -
    -
    -

    Notes

    -
    -
    - {% if notes %} - - - - - - - - - - {% for note in notes %} - - - - - - {% endfor %} - -
    UserDateNote
    - {{ note.author.username }} - - {{ note.date }} - - {{ note }} - {% if person == note.author.username %} -
    -
    - {% csrf_token %} - - -
    -
    - {% endif %} -
    - {% else %} -

    No notes found.

    - {% endif %} -
    -
    {% csrf_token %} - {% include "dojo/form_fields.html" with form=form %} -
    -
    - -
    -
    -
    -
    -
    -{% endblock %} - -{% block postscript %} - {{ block.super }} - - -{% endblock %} diff --git a/dojo/templates/dojo/view_cred_prod.html b/dojo/templates/dojo/view_cred_prod.html deleted file mode 100644 index b76d97c5cf8..00000000000 --- a/dojo/templates/dojo/view_cred_prod.html +++ /dev/null @@ -1,61 +0,0 @@ -{% extends "base.html" %} -{% load navigation_tags %} -{% load get_config_setting %} -{% block content %} - {{ block.super }} -
    -
    -
    -
    -

    Credentials - -

    -
    - {% if creds %} - - - - - - - - - - - - - - {% for cred in creds %} - - - - - - - - - - {% endfor %} - -
    NameUsernameRoleEnvironmentAuthentication ProviderLogin ValidActions
    - {{ cred.cred_id.name }} - {{ cred.cred_id.username }}{{ cred.cred_id.role }}{{ cred.cred_id.environment }}{{ cred.is_authn_provider }}{{ cred.cred_id.is_valid }} -
    - View - Edit - Delete -
    -
    - {% else %} -
    -

    No credentials configured.

    -
    - {% endif %} -
    -
    -
    -{% endblock %} diff --git a/dojo/templates/dojo/view_eng.html b/dojo/templates/dojo/view_eng.html index 71f660809ac..f53d3161824 100644 --- a/dojo/templates/dojo/view_eng.html +++ b/dojo/templates/dojo/view_eng.html @@ -927,110 +927,6 @@

  • {% endif %} - {% if system_settings.enable_credentials %} -
    -
    -
    -

    - Credentials - {% if creds and eng|has_object_permission:"Engagement_Edit" %} - - {% endif %} -

    -
    -
    - - - - - - - - - - {% if creds %} - - - - {% endif %} - {% for cred in cred_eng %} - - - - - - {% endfor %} - - - - {% for cred in creds %} - - - - - - {% endfor %} - -
    NameUsername
    - - {% if cred_eng %} - Credentials Configured for this Engagement - {% else %} - No Credentials Configured for this Engagement - {% endif %} - -
    - {{ cred.cred_id.name }} - -
      - -
    -
    {{ cred.cred_id.username }}
    - - {% if creds %} - Credentials Configured for this {{ labels.ASSET_LABEL }} - {% else %} - No Credentials Configured for this {{ labels.ASSET_LABEL }} - {% endif %} - -
    - {{ cred.cred_id.name }} - -
      - -
    -
    {{ cred.cred_id.username }}
    -
    -
    -
    - {% endif %}
    diff --git a/dojo/templates/dojo/view_finding.html b/dojo/templates/dojo/view_finding.html index 774c5438dd6..205a0c7c58f 100755 --- a/dojo/templates/dojo/view_finding.html +++ b/dojo/templates/dojo/view_finding.html @@ -1076,118 +1076,6 @@

    References -
    -
    - - {% if cred_finding or creds %} - - - - - - - - - - - - - - {% if cred_finding %} - - - - - {% for cred in cred_finding %} - - - - - - - - - - {% endfor %} - {% endif %} - {% if not cred_finding %} - - - - {% for cred in creds %} - - - - - - - - - - {% endfor %} - {% endif %} - - - -
    NameUsernameRoleEnvironmentAuthentication ProviderLogin ValidActions
    - Credential Configured for this Finding - {% if not cred_finding %} -
    -
    None configured
    - {% endif %} -
    - {{ cred.cred_id.name }} - {{ cred.cred_id.username }}{{ cred.cred_id.role }}{{ cred.cred_id.environment }}{{ cred.is_authn_provider }}{{ cred.cred_id.is_valid }} -
    - {% if user.is_superuser %} - View - {% endif %} - {% if finding|has_object_permission:"Finding_Edit" %} - Delete - {% endif %} -
    -
    - Credentials Inherited from Test: {{ finding.test }} -
    - {{ cred.cred_id.name }} - {{ cred.cred_id.username }}{{ cred.cred_id.role }}{{ cred.cred_id.environment }}{{ cred.is_authn_provider }}{{ cred.cred_id.is_valid }} -
    - View -
    -
    - {% else %} -
    -

    No credentials configured. - {% if not cred_engagement %} - Configure engagement credentials first, then add a credential to the test or - finding. - {% endif %} -

    -
    - {% endif %} -
    -
    -

    - - {% endif %} {% include "dojo/snippets/sonarqube_history.html" with finding=finding only %} diff --git a/dojo/templates/dojo/view_test.html b/dojo/templates/dojo/view_test.html index a22e23188ef..982dfcf9caf 100644 --- a/dojo/templates/dojo/view_test.html +++ b/dojo/templates/dojo/view_test.html @@ -1325,142 +1325,6 @@

    {% endif %} - - {% if system_settings.enable_credentials %} -
    -
    -
    -
    -

    - {% trans "Credentials" %} - {% if not cred_test and creds and test|has_object_permission:"Test_Edit" %} - - {% endif %} -

    -
    - {% if creds %} - - - - - - - - - - - - - - - - - {% for cred in cred_test %} - - - - - - - - - - {% endfor %} - - - - {% for cred in creds %} - - - - - - - - - - {% endfor %} - -
    - {% trans "Name" %} - - {% trans "Username" %} - - {% trans "Role" %} - - {% trans "Environment" %} - - {% trans "Authentication Provider" %} - - {% trans "Login Valid" %} - - {% trans "Actions" %} -
    - {% trans "Credentials Configured for this" %} {% trans "Test" %} - {% if not cred_test %} -
    -
    {% trans "None configured" %}
    - {% endif %} -
    - {{ cred.cred_id.name }} - - {{ cred.cred_id.username }} - - {{ cred.cred_id.role }} - - {{ cred.cred_id.environment }} - - {{ cred.is_authn_provider }} - - {{ cred.cred_id.is_valid }} - -
    - {% if user.is_superuser %} - {% trans "View" %} - {% endif %} - {% if test|has_object_permission:"Test_Edit" %} - {% trans "Delete" %} - {% endif %} -
    -
    - {% trans "Credentials Configured for this" %} {% trans "Engagement" %} -
    - {{ cred.cred_id.name }} - - {{ cred.cred_id.username }} - - {{ cred.cred_id.role }} - - {{ cred.cred_id.environment }} - - {{ cred.is_authn_provider }} - - {{ cred.cred_id.is_valid }} - - -
    - {% else %} -
    -

    - {% trans "No credentials configured." %} - {% if not creds %} - {% trans "Configure engagement credentials first, then add credentials to the test." %} - {% endif %} -

    -
    - {% endif %} -
    -
    -
    - {% endif %} -
    diff --git a/dojo/test/views.py b/dojo/test/views.py index c154e0fb598..e884938a3c5 100644 --- a/dojo/test/views.py +++ b/dojo/test/views.py @@ -49,7 +49,6 @@ from dojo.location.models import Location from dojo.models import ( BurpRawRequestResponse, - Cred_Mapping, Endpoint, Finding, Finding_Group, @@ -172,8 +171,6 @@ def get_initial_context(self, request: HttpRequest, test: Test): "person": request.user.username, "request": request, "show_re_upload": any(test.test_type.name in code for code in get_choices_sorted()), - "creds": Cred_Mapping.objects.filter(engagement=test.engagement).select_related("cred_id").order_by("cred_id"), - "cred_test": Cred_Mapping.objects.filter(test=test).select_related("cred_id").order_by("cred_id"), "jira_project": jira_services.get_project(test), "bulk_edit_form": FindingBulkUpdateForm(request.GET), "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), diff --git a/dojo/urls.py b/dojo/urls.py index 4e8dea6f965..b2b479ea9bd 100644 --- a/dojo/urls.py +++ b/dojo/urls.py @@ -17,8 +17,6 @@ BurpRawRequestResponseViewSet, CeleryViewSet, ConfigurationPermissionViewSet, - CredentialsMappingViewSet, - CredentialsViewSet, DevelopmentEnvironmentViewSet, DojoGroupMemberViewSet, DojoGroupViewSet, @@ -72,7 +70,6 @@ from dojo.banner.urls import urlpatterns as banner_urls from dojo.benchmark.urls import urlpatterns as benchmark_urls from dojo.components.urls import urlpatterns as component_urls -from dojo.cred.urls import urlpatterns as cred_urls from dojo.development_environment.urls import urlpatterns as dev_env_urls from dojo.endpoint.urls import urlpatterns as endpoint_urls from dojo.engagement.urls import urlpatterns as eng_urls @@ -121,8 +118,6 @@ v2_api = DefaultRouter() v2_api.register(r"announcements", AnnouncementViewSet, basename="announcement") v2_api.register(r"configuration_permissions", ConfigurationPermissionViewSet, basename="permission") -v2_api.register(r"credential_mappings", CredentialsMappingViewSet, basename="cred_mapping") -v2_api.register(r"credentials", CredentialsViewSet, basename="cred_user") v2_api.register(r"development_environments", DevelopmentEnvironmentViewSet, basename="development_environment") v2_api.register(r"dojo_groups", DojoGroupViewSet, basename="dojo_group") v2_api.register(r"dojo_group_members", DojoGroupMemberViewSet, basename="dojo_group_member") @@ -206,7 +201,6 @@ ur += tool_type_urls ur += tool_config_urls ur += tool_product_urls -ur += cred_urls ur += sla_urls ur += system_settings_urls ur += notifications_urls diff --git a/dojo/user/utils.py b/dojo/user/utils.py index 1544305ded6..34d5422259c 100644 --- a/dojo/user/utils.py +++ b/dojo/user/utils.py @@ -16,8 +16,6 @@ def __init__(self, *args, **kwargs): def display_name(self): if self.name == "bannerconf": return "Login Banner" - if self.name == "cred user": - return "Credentials" if self.name == "github conf": return "GitHub Configurations" if self.name == "engagement survey": @@ -89,7 +87,6 @@ def get_configuration_permissions_fields(): rules_permissions = [] return [ - Permission_Helper(name="cred user", app="dojo", view=True, add=True, change=True, delete=True), Permission_Helper(name="development environment", app="dojo", add=True, change=True, delete=True), Permission_Helper(name="finding template", app="dojo", view=True, add=True, change=True, delete=True), *github_permissions, diff --git a/tests/credential_test.py b/tests/credential_test.py deleted file mode 100644 index 20d5c7c5fdd..00000000000 --- a/tests/credential_test.py +++ /dev/null @@ -1,89 +0,0 @@ -import sys -import unittest - -from base_test_class import BaseTestCase, on_exception_html_source_logger, set_suite_settings -from product_test import ProductTest -from selenium.webdriver.common.by import By -from selenium.webdriver.support.ui import Select - - -class CredentialTest(BaseTestCase): - - @on_exception_html_source_logger - def test_list_credentials(self): - driver = self.driver - driver.get(self.base_url + "cred") - self.assertTrue(self.is_text_present_on_page(text="Credential")) - - @on_exception_html_source_logger - def test_add_credential(self): - driver = self.driver - driver.get(self.base_url + "cred") - driver.find_element(By.ID, "dropdownMenu1").click() - driver.find_element(By.LINK_TEXT, "Add Credential").click() - driver.find_element(By.ID, "id_name").clear() - driver.find_element(By.ID, "id_name").send_keys("Test Credential") - driver.find_element(By.ID, "id_username").clear() - driver.find_element(By.ID, "id_username").send_keys("test_user") - driver.find_element(By.ID, "id_password").clear() - driver.find_element(By.ID, "id_password").send_keys("test_password") - driver.find_element(By.ID, "id_role").clear() - driver.find_element(By.ID, "id_role").send_keys("Admin") - Select(driver.find_element(By.ID, "id_authentication")).select_by_visible_text("Form Authentication") - driver.find_element(By.ID, "id_url").clear() - driver.find_element(By.ID, "id_url").send_keys("https://example.com/login") - Select(driver.find_element(By.ID, "id_environment")).select_by_index(1) - driver.find_element(By.CSS_SELECTOR, "input.btn.btn-primary").click() - - self.assertTrue(self.is_success_message_present(text="Credential Successfully Created.")) - - @on_exception_html_source_logger - def test_view_credential(self): - driver = self.driver - driver.get(self.base_url + "cred") - # The cred list table has View/Edit/Delete links per row - driver.find_element(By.LINK_TEXT, "View").click() - self.assertTrue(self.is_text_present_on_page(text="Test Credential")) - - @on_exception_html_source_logger - def test_edit_credential(self): - driver = self.driver - driver.get(self.base_url + "cred") - # Click the Edit link in the credential list table - driver.find_element(By.LINK_TEXT, "Edit").click() - driver.find_element(By.ID, "id_name").clear() - driver.find_element(By.ID, "id_name").send_keys("Edited Test Credential") - driver.find_element(By.CSS_SELECTOR, "input.btn.btn-primary").click() - - self.assertTrue(self.is_success_message_present(text="Credential Successfully Updated.")) - - @on_exception_html_source_logger - def test_delete_credential(self): - driver = self.driver - driver.get(self.base_url + "cred") - # Click the Delete link in the credential list table - driver.find_element(By.LINK_TEXT, "Delete").click() - driver.find_element(By.CSS_SELECTOR, "button.btn.btn-danger").click() - - self.assertTrue(self.is_success_message_present(text="Credential Successfully Deleted.")) - - -def suite(): - suite = unittest.TestSuite() - suite.addTest(BaseTestCase("test_login")) - set_suite_settings(suite, jira=False, github=False, block_execution=False) - suite.addTest(ProductTest("test_create_product")) - suite.addTest(CredentialTest("test_list_credentials")) - suite.addTest(CredentialTest("test_add_credential")) - suite.addTest(CredentialTest("test_view_credential")) - suite.addTest(CredentialTest("test_edit_credential")) - suite.addTest(CredentialTest("test_delete_credential")) - suite.addTest(ProductTest("test_delete_product")) - return suite - - -if __name__ == "__main__": - runner = unittest.TextTestRunner(descriptions=True, failfast=True, verbosity=2) - ret = not runner.run(suite()).wasSuccessful() - BaseTestCase.tearDownDriver() - sys.exit(ret) diff --git a/tests/product_credential_test.py b/tests/product_credential_test.py deleted file mode 100644 index 84088319ca4..00000000000 --- a/tests/product_credential_test.py +++ /dev/null @@ -1,146 +0,0 @@ -import sys -import time -import unittest - -from base_test_class import BaseTestCase, on_exception_html_source_logger, set_suite_settings -from product_test import ProductTest -from selenium.webdriver.common.by import By -from selenium.webdriver.support.ui import Select - - -class ProductCredentialTest(BaseTestCase): - - def _get_product_id(self, driver): - """Navigate to QA Test product and return the product ID.""" - self.goto_product_overview(driver) - driver.find_element(By.LINK_TEXT, "QA Test").click() - current_url = driver.current_url - parts = current_url.rstrip("/").split("/") - return parts[-1] - - @on_exception_html_source_logger - def test_ensure_global_credential_exists(self): - """Ensure a global credential exists for product-level mapping.""" - driver = self.driver - driver.get(self.base_url + "cred") - time.sleep(1) - # Check if any credentials already exist - cred_links = driver.find_elements(By.CSS_SELECTOR, "table tbody tr td a") - if len(cred_links) == 0: - driver.get(self.base_url + "cred/add") - time.sleep(1) - driver.find_element(By.ID, "id_name").clear() - driver.find_element(By.ID, "id_name").send_keys("Test Product Credential") - driver.find_element(By.ID, "id_username").clear() - driver.find_element(By.ID, "id_username").send_keys("testuser") - driver.find_element(By.ID, "id_password").clear() - driver.find_element(By.ID, "id_password").send_keys("testpass123") - driver.find_element(By.CSS_SELECTOR, "input.btn.btn-primary").click() - time.sleep(1) - self.assertTrue( - self.is_success_message_present(text="Credential Successfully Created") - or self.is_text_present_on_page(text="Credential"), - ) - # Verify we're on the credential page - driver.get(self.base_url + "cred") - self.assertTrue(self.is_text_present_on_page(text="Credential")) - - @on_exception_html_source_logger - def test_list_product_credentials(self): - driver = self.driver - pid = self._get_product_id(driver) - driver.get(self.base_url + f"product/{pid}/cred/all") - time.sleep(1) - self.assertTrue( - self.is_text_present_on_page(text="Credential") - or self.is_text_present_on_page(text="No credentials"), - ) - - @on_exception_html_source_logger - def test_add_product_credential(self): - driver = self.driver - pid = self._get_product_id(driver) - driver.get(self.base_url + f"product/{pid}/cred/add") - time.sleep(1) - # Select a credential from the dropdown using Select helper - cred_select = driver.find_elements(By.ID, "id_cred_id") - if len(cred_select) > 0: - select = Select(cred_select[0]) - if len(select.options) > 1: - select.select_by_index(1) - driver.find_element(By.CSS_SELECTOR, "input.btn.btn-primary").click() - time.sleep(1) - - # The view sends "Credential Successfully Updated." on success with alert-success - # or "Credential already associated." with alert-danger - # After redirect, the page title has "Credentials" - self.assertTrue( - self.is_success_message_present(text="Credential Successfully Updated") - or self.is_text_present_on_page(text="Credential already associated") - or self.is_text_present_on_page(text="Credential"), - ) - - @on_exception_html_source_logger - def test_view_product_credential(self): - driver = self.driver - pid = self._get_product_id(driver) - driver.get(self.base_url + f"product/{pid}/cred/all") - time.sleep(1) - # Click on the first credential view link if any exist - view_links = driver.find_elements(By.CSS_SELECTOR, "a[href*='/cred/'][href*='/view']") - if len(view_links) > 0: - view_links[0].click() - time.sleep(1) - self.assertTrue( - self.is_text_present_on_page(text="Credential") - or self.is_text_present_on_page(text="View"), - ) - else: - self.assertFalse(self.is_error_message_present()) - - @on_exception_html_source_logger - def test_delete_product_credential(self): - driver = self.driver - pid = self._get_product_id(driver) - driver.get(self.base_url + f"product/{pid}/cred/all") - time.sleep(1) - delete_links = driver.find_elements(By.CSS_SELECTOR, "a[href*='/cred/'][href*='/delete']") - if len(delete_links) > 0: - delete_links[0].click() - time.sleep(1) - # Confirm deletion - confirm_btns = driver.find_elements(By.CSS_SELECTOR, "button.btn.btn-danger") - if len(confirm_btns) > 0: - confirm_btns[0].click() - else: - input_btns = driver.find_elements(By.CSS_SELECTOR, "input.btn.btn-danger") - if len(input_btns) > 0: - input_btns[0].click() - time.sleep(1) - self.assertTrue( - self.is_success_message_present(text="Credential Successfully Deleted") - or self.is_text_present_on_page(text="Credential"), - ) - else: - self.assertFalse(self.is_error_message_present()) - - -def suite(): - suite = unittest.TestSuite() - suite.addTest(BaseTestCase("test_login")) - set_suite_settings(suite, jira=False, github=False, block_execution=False) - suite.addTest(ProductCredentialTest("test_ensure_global_credential_exists")) - suite.addTest(ProductTest("test_create_product")) - suite.addTest(ProductCredentialTest("test_list_product_credentials")) - suite.addTest(ProductCredentialTest("test_add_product_credential")) - suite.addTest(ProductCredentialTest("test_view_product_credential")) - suite.addTest(ProductCredentialTest("test_delete_product_credential")) - suite.addTest(ProductTest("test_delete_product")) - return suite - - -if __name__ == "__main__": - runner = unittest.TextTestRunner(descriptions=True, failfast=True, verbosity=2) - ret = not runner.run(suite()).wasSuccessful() - BaseTestCase.tearDownDriver() - sys.exit(ret) diff --git a/unittests/test_apiv2_methods_and_endpoints.py b/unittests/test_apiv2_methods_and_endpoints.py index 4913a8e44aa..64ef2752d0d 100644 --- a/unittests/test_apiv2_methods_and_endpoints.py +++ b/unittests/test_apiv2_methods_and_endpoints.py @@ -60,7 +60,7 @@ def test_is_defined(self): # pghistory Event models (should not be exposed via API) "dojo_userevents", "endpointevents", "engagementevents", "findingevents", "finding_groupevents", "product_typeevents", "productevents", "testevents", - "risk_acceptanceevents", "finding_templateevents", "cred_userevents", + "risk_acceptanceevents", "finding_templateevents", "notification_webhooksevents", "location", } patch_exempt_list = { diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 4a8e5ec8c6e..bb295b14348 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -40,8 +40,6 @@ AppAnalysisViewSet, BurpRawRequestResponseViewSet, ConfigurationPermissionViewSet, - CredentialsMappingViewSet, - CredentialsViewSet, DevelopmentEnvironmentViewSet, DojoGroupMemberViewSet, DojoGroupViewSet, @@ -92,8 +90,6 @@ Announcement, App_Analysis, BurpRawRequestResponse, - Cred_Mapping, - Cred_User, Development_Environment, Dojo_Group, Dojo_Group_Member, @@ -4244,53 +4240,6 @@ def __init__(self, *args, **kwargs): BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) -@versioned_fixtures -class CredentialMappingTest(BaseClass.BaseClassTest): - fixtures = ["dojo_testdata.json"] - - def __init__(self, *args, **kwargs): - self.endpoint_model = Cred_Mapping - self.endpoint_path = "credential_mappings" - self.viewname = "cred_mapping" - self.viewset = CredentialsMappingViewSet - self.payload = { - "cred_id": 1, - "product": 1, - "url": "https://google.com", - } - self.update_fields = {"url": "https://bing.com"} - self.test_type = TestType.OBJECT_PERMISSIONS - self.permission_check_class = Product - self.permission_create = Permissions.Credential_Add - self.permission_update = Permissions.Credential_Edit - self.permission_delete = Permissions.Credential_Delete - self.deleted_objects = 1 - BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) - - -@versioned_fixtures -class CredentialTest(BaseClass.BaseClassTest): - fixtures = ["dojo_testdata.json"] - - def __init__(self, *args, **kwargs): - self.endpoint_model = Cred_User - self.endpoint_path = "credentials" - self.viewname = "cred_user" - self.viewset = CredentialsViewSet - self.payload = { - "name": "name", - "username": "usernmae", - "password": "password", - "role": "role", - "url": "https://some-url.com", - "environment": 1, - } - self.update_fields = {"name": "newname"} - self.test_type = TestType.STANDARD - self.deleted_objects = 2 - BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) - - @versioned_fixtures class AnnouncementTest(BaseClass.BaseClassTest): fixtures = ["dojo_testdata.json"] From 558a3d2e8aeb321654649d5807fe4b0118bbc8fc Mon Sep 17 00:00:00 2001 From: valentijnscholten Date: Fri, 8 May 2026 23:52:21 +0200 Subject: [PATCH 173/173] feat(importers): apply import-time tags per batch before post-processing (#14839) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, import-time tags (apply_tags_to_findings / apply_tags_to_endpoints) were applied after all findings were processed and post-processing tasks (deduplication, rules) had already been dispatched, so those tasks could not see the tags. Apply import-time tags per batch in process_findings(), immediately after parser tags and location persistence, before dojo_dispatch_task() — the same pattern already used by bulk_apply_parser_tags. Closed findings are intentionally excluded: they are absent from the current report and should not receive the import tags. Also renames the reimporter's ambiguous batch_findings (match-batch slice of unsaved parser objects) to unsaved_findings_batch, freeing batch_findings for the new dedupe-batch accumulator and preventing an iterator-mutation bug. Consolidates apply_import_tags() into apply_import_tags_for_batch(), removing a redundant DB re-query and unused Iterable import. Update performance test query counts accordingly (each import loses 1 query from the removed post-loop apply_import_tags call). --- dojo/importers/base_importer.py | 58 ++++++------------------- dojo/importers/default_importer.py | 10 ++--- dojo/importers/default_reimporter.py | 32 +++++++------- unittests/test_importers_performance.py | 24 +++++----- 4 files changed, 45 insertions(+), 79 deletions(-) diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py index e42eae0f4a2..052b006356c 100644 --- a/dojo/importers/base_importer.py +++ b/dojo/importers/base_importer.py @@ -1,7 +1,6 @@ import base64 import logging import time -from collections.abc import Iterable from django.conf import settings from django.core.exceptions import ValidationError @@ -337,59 +336,28 @@ def update_test_tags(self): if self.tags is not None and len(self.tags) > 0: self.test.tags.set(self.tags) - def apply_import_tags( - self, - new_findings: Iterable[Finding] | None = None, - closed_findings: Iterable[Finding] | None = None, - reactivated_findings: Iterable[Finding] | None = None, - untouched_findings: Iterable[Finding] | None = None, - ) -> None: - """Apply tags to findings and endpoints from an import operation.""" - # Normalize None values to empty lists and convert sets/other iterables to lists - if untouched_findings is None: - untouched_findings = [] - elif not isinstance(untouched_findings, list): - untouched_findings = list(untouched_findings) - - if reactivated_findings is None: - reactivated_findings = [] - elif not isinstance(reactivated_findings, list): - reactivated_findings = list(reactivated_findings) - - if closed_findings is None: - closed_findings = [] - elif not isinstance(closed_findings, list): - closed_findings = list(closed_findings) - - if new_findings is None: - new_findings = [] - elif not isinstance(new_findings, list): - new_findings = list(new_findings) - - # Collect all affected findings - findings_to_tag = new_findings + closed_findings + reactivated_findings + untouched_findings + def apply_import_tags_for_batch(self, findings: list[Finding]) -> None: + """ + Apply import-time tags to a batch of already-saved findings and their endpoints. - if not findings_to_tag: + Called per batch inside process_findings(), before post_process_findings_batch is + dispatched, so that rules/deduplication tasks see the import tags on the findings. + """ + if not findings or not self.tags: return - - # Add any tags to the findings imported if necessary - if self.apply_tags_to_findings and self.tags: - findings_qs = Finding.objects.filter(id__in=[f.id for f in findings_to_tag]) + if self.apply_tags_to_findings: try: bulk_add_tags_to_instances( tag_or_tags=self.tags, - instances=findings_qs, + instances=findings, tag_field_name="tags", ) except IntegrityError: - # Fallback to safe per-instance tagging if concurrent deletes occur - for finding in findings_to_tag: + for finding in findings: for tag in self.tags: self.add_tags_safe(finding, tag) - - # Add any tags to any locations/endpoints of the findings imported if necessary - if self.apply_tags_to_endpoints and self.tags: - locations_qs = self.location_handler.get_locations_for_tagging(findings_to_tag) + if self.apply_tags_to_endpoints: + locations_qs = self.location_handler.get_locations_for_tagging(findings) try: bulk_add_tags_to_instances( tag_or_tags=self.tags, @@ -397,7 +365,7 @@ def apply_import_tags( tag_field_name="tags", ) except IntegrityError: - for finding in findings_to_tag: + for finding in findings: for location in self.location_handler.get_location_tag_fallback(finding): for tag in self.tags: self.add_tags_safe(location, tag) diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py index 25d41c2b5cb..428b8ad01a7 100644 --- a/dojo/importers/default_importer.py +++ b/dojo/importers/default_importer.py @@ -132,11 +132,6 @@ def process_scan( new_findings=new_findings, closed_findings=closed_findings, ) - # Apply tags to findings and endpoints/locations - self.apply_import_tags( - new_findings=new_findings, - closed_findings=closed_findings, - ) # Send out some notifications to the user logger.debug("IMPORT_SCAN: Generating notifications") dojo_dispatch_task( @@ -169,6 +164,7 @@ def process_findings( ) -> list[Finding]: # Batched post-processing (no chord): dispatch a task per 1000 findings or on final finding batch_finding_ids: list[int] = [] + batch_findings: list[Finding] = [] batch_max_size = getattr(settings, "IMPORT_REIMPORT_DEDUPE_BATCH_SIZE", 1000) """ @@ -259,6 +255,7 @@ def process_findings( push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped) logger.debug("process_findings: computed push_to_jira=%s", push_to_jira) batch_finding_ids.append(finding.id) + batch_findings.append(finding) # If batch is full or we're at the end, persist locations/endpoints and dispatch if len(batch_finding_ids) >= batch_max_size or is_final_finding: @@ -267,6 +264,9 @@ def process_findings( # so rules/deduplication tasks see the tags already on the findings. bulk_apply_parser_tags(findings_with_parser_tags) findings_with_parser_tags.clear() + # Apply import-time tags before post-processing so rules/deduplication see them. + self.apply_import_tags_for_batch(batch_findings) + batch_findings.clear() finding_ids_batch = list(batch_finding_ids) batch_finding_ids.clear() logger.debug("process_findings: dispatching batch with push_to_jira=%s (batch_size=%d, is_final=%s)", diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py index 06f06ca368f..3df3c0bd4cc 100644 --- a/dojo/importers/default_reimporter.py +++ b/dojo/importers/default_reimporter.py @@ -137,13 +137,6 @@ def process_scan( reactivated_findings=reactivated_findings, untouched_findings=untouched_findings, ) - # Apply tags to findings and endpoints - self.apply_import_tags( - new_findings=new_findings, - closed_findings=closed_findings, - reactivated_findings=reactivated_findings, - untouched_findings=untouched_findings, - ) # Send out som notifications to the user logger.debug("REIMPORT_SCAN: Generating notifications") updated_count = ( @@ -173,7 +166,7 @@ def process_scan( def get_reimport_match_candidates_for_batch( self, - batch_findings: list[Finding], + unsaved_findings_batch: list[Finding], ) -> tuple[dict, dict, dict]: """ Fetch candidate matches for a batch of *unsaved* findings during reimport. @@ -195,23 +188,23 @@ def get_reimport_match_candidates_for_batch( if self.deduplication_algorithm == "hash_code": candidates_by_hash = find_candidates_for_deduplication_hash( self.test, - batch_findings, + unsaved_findings_batch, mode="reimport", ) elif self.deduplication_algorithm == "unique_id_from_tool": candidates_by_uid = find_candidates_for_deduplication_unique_id( self.test, - batch_findings, + unsaved_findings_batch, mode="reimport", ) elif self.deduplication_algorithm == "unique_id_from_tool_or_hash_code": candidates_by_uid, candidates_by_hash = find_candidates_for_deduplication_uid_or_hash( self.test, - batch_findings, + unsaved_findings_batch, mode="reimport", ) elif self.deduplication_algorithm == "legacy": - candidates_by_key = find_candidates_for_reimport_legacy(self.test, batch_findings) + candidates_by_key = find_candidates_for_reimport_legacy(self.test, unsaved_findings_batch) return candidates_by_hash, candidates_by_uid, candidates_by_key @@ -308,6 +301,7 @@ def process_findings( cleaned_findings.append(sanitized) batch_finding_ids: list[int] = [] + batch_findings: list[Finding] = [] findings_with_parser_tags: list[tuple] = [] # Batch size for deduplication/post-processing (only new findings) dedupe_batch_max_size = getattr(settings, "IMPORT_REIMPORT_DEDUPE_BATCH_SIZE", 1000) @@ -318,13 +312,13 @@ def process_findings( # This avoids the 1+N query problem by fetching all candidates for a batch at once for batch_start in range(0, len(cleaned_findings), match_batch_max_size): batch_end = min(batch_start + match_batch_max_size, len(cleaned_findings)) - batch_findings = cleaned_findings[batch_start:batch_end] + unsaved_findings_batch = cleaned_findings[batch_start:batch_end] is_final_batch = batch_end == len(cleaned_findings) logger.debug(f"Processing reimport batch {batch_start}-{batch_end} of {len(cleaned_findings)} findings") # Prepare findings in batch: set test, service, calculate hash codes - for unsaved_finding in batch_findings: + for unsaved_finding in unsaved_findings_batch: # Some parsers provide "mitigated" field but do not set timezone (because they are probably not available in the report) # Finding.mitigated is DateTimeField and it requires timezone if unsaved_finding.mitigated and not unsaved_finding.mitigated.tzinfo: @@ -342,12 +336,12 @@ def process_findings( # Fetch all candidates for this batch at once (batch candidate finding) candidates_by_hash, candidates_by_uid, candidates_by_key = self.get_reimport_match_candidates_for_batch( - batch_findings, + unsaved_findings_batch, ) # Process each finding in the batch using pre-fetched candidates - for idx, unsaved_finding in enumerate(batch_findings): - is_final = is_final_batch and idx == len(batch_findings) - 1 + for idx, unsaved_finding in enumerate(unsaved_findings_batch): + is_final = is_final_batch and idx == len(unsaved_findings_batch) - 1 # Match any findings to this new one coming in using pre-fetched candidates matched_findings = self.match_finding_to_candidate_reimport( @@ -403,6 +397,7 @@ def process_findings( # all data is already saved on the finding, we only need to trigger post processing in batches push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped) batch_finding_ids.append(finding.id) + batch_findings.append(finding) # Post-processing batches (deduplication, rules, etc.) are separate from matching batches. # These batches only contain "new" findings that were saved (not matched to existing findings). @@ -425,6 +420,9 @@ def process_findings( # so rules/deduplication tasks see the tags already on the findings. bulk_apply_parser_tags(findings_with_parser_tags) findings_with_parser_tags.clear() + # Apply import-time tags before post-processing so rules/deduplication see them. + self.apply_import_tags_for_batch(batch_findings) + batch_findings.clear() finding_ids_batch = list(batch_finding_ids) batch_finding_ids.clear() dojo_dispatch_task( diff --git a/unittests/test_importers_performance.py b/unittests/test_importers_performance.py index c72a9b3c890..297f8733143 100644 --- a/unittests/test_importers_performance.py +++ b/unittests/test_importers_performance.py @@ -343,9 +343,9 @@ def test_import_reimport_reimport_performance_pghistory_async(self): configure_pghistory_triggers() self._import_reimport_performance( - expected_num_queries1=172, + expected_num_queries1=171, expected_num_async_tasks1=2, - expected_num_queries2=125, + expected_num_queries2=124, expected_num_async_tasks2=1, expected_num_queries3=29, expected_num_async_tasks3=1, @@ -367,9 +367,9 @@ def test_import_reimport_reimport_performance_pghistory_no_async(self): testuser.usercontactinfo.save() self._import_reimport_performance( - expected_num_queries1=188, + expected_num_queries1=187, expected_num_async_tasks1=2, - expected_num_queries2=133, + expected_num_queries2=132, expected_num_async_tasks2=1, expected_num_queries3=37, expected_num_async_tasks3=1, @@ -392,9 +392,9 @@ def test_import_reimport_reimport_performance_pghistory_no_async_with_product_gr self.system_settings(enable_product_grade=True) self._import_reimport_performance( - expected_num_queries1=198, + expected_num_queries1=197, expected_num_async_tasks1=4, - expected_num_queries2=143, + expected_num_queries2=142, expected_num_async_tasks2=3, expected_num_queries3=44, expected_num_async_tasks3=3, @@ -633,9 +633,9 @@ def test_import_reimport_reimport_performance_pghistory_async(self): configure_pghistory_triggers() self._import_reimport_performance( - expected_num_queries1=179, + expected_num_queries1=178, expected_num_async_tasks1=2, - expected_num_queries2=134, + expected_num_queries2=133, expected_num_async_tasks2=1, expected_num_queries3=37, expected_num_async_tasks3=1, @@ -657,9 +657,9 @@ def test_import_reimport_reimport_performance_pghistory_no_async(self): testuser.usercontactinfo.save() self._import_reimport_performance( - expected_num_queries1=197, + expected_num_queries1=196, expected_num_async_tasks1=2, - expected_num_queries2=144, + expected_num_queries2=143, expected_num_async_tasks2=1, expected_num_queries3=47, expected_num_async_tasks3=1, @@ -682,9 +682,9 @@ def test_import_reimport_reimport_performance_pghistory_no_async_with_product_gr self.system_settings(enable_product_grade=True) self._import_reimport_performance( - expected_num_queries1=210, + expected_num_queries1=209, expected_num_async_tasks1=4, - expected_num_queries2=157, + expected_num_queries2=156, expected_num_async_tasks2=3, expected_num_queries3=54, expected_num_async_tasks3=3,