├── zasca
│   ├── __init__.py
│   ├── maven_scanner
│   │   ├── __init__.py
│   │   └── maven_tree_generator.py
│   ├── node_scanner
│   │   ├── __init__.py
│   │   └── node_tree_generator.py
│   ├── template
│   │   ├── cyclonedx_template.json
│   │   └── report_template.html
│   ├── data
│   │   └── queries.yaml
│   ├── utils.py
│   ├── main.py
│   └── scanner.py
├── entrypoint.sh
├── img
│   ├── console.png
│   └── html_report.png
├── requirements_dev.txt
├── requirements.txt
├── MANIFEST.in
├── Dockerfile
├── Dockerfile-release
├── setup.cfg
├── setup.py
├── action.yml
├── LICENSE
├── .github
│   └── workflows
│       ├── pull_request.yaml
│       └── release.yaml
├── readme.md
└── sca_report sample.html
/zasca/__init__.py:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/zasca/maven_scanner/__init__.py:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/zasca/node_scanner/__init__.py:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -e
# Hand the container arguments to the CLI unchanged: quoting "$@" keeps arguments
# that contain spaces intact, and exec makes zasca's exit status (the quality
# gate result) the container's exit status.
exec zasca "$@"
--------------------------------------------------------------------------------
/img/console.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/javixeneize/zasca/HEAD/img/console.png
--------------------------------------------------------------------------------
/img/html_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/javixeneize/zasca/HEAD/img/html_report.png
--------------------------------------------------------------------------------
/requirements_dev.txt:
--------------------------------------------------------------------------------
flake8
bandit
safety
bump2version
twine
wheel
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
Jinja2==3.0.1
requests==2.25.1
click==8.0.1
tqdm==4.62.3
PyYAML==6.0
--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
include zasca/data/queries.yaml
include zasca/template/report_template.html
include zasca/template/cyclonedx_template.json
--------------------------------------------------------------------------------
/zasca/template/cyclonedx_template.json:
--------------------------------------------------------------------------------
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": []
}
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM javidr/yasca_base:latest
COPY . zasca/
RUN cd zasca && python setup.py sdist bdist_wheel && pip install dist/*.whl
COPY entrypoint.sh .
ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
--------------------------------------------------------------------------------
/Dockerfile-release:
--------------------------------------------------------------------------------
FROM javidr/yasca_base:latest
ARG zasca_version
COPY dist/zasca-$zasca_version-py3-none-any.whl .
RUN pip install zasca-$zasca_version-py3-none-any.whl && rm zasca-$zasca_version-py3-none-any.whl
COPY entrypoint.sh .
ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
[bumpversion]
current_version = 2.1.0

[flake8]
max-line-length = 120

[bumpversion:file:setup.py]
search = __version__ = "{current_version}"
replace = __version__ = "{new_version}"

[bumpversion:file:setup.cfg]
search = current_version = {current_version}
replace = current_version = {new_version}
--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
from setuptools import setup, find_packages

# One pinned requirement per line; blank lines are skipped so setuptools gets a
# clean list rather than the raw file contents.
with open('requirements.txt') as f:
    requirements = [line.strip() for line in f if line.strip()]

__version__ = "2.1.0"

setup(
    name="zasca",
    version=__version__,
    description="Yet Another SCA tool, but with Z",
    author="Javier Dominguez",
    packages=find_packages(),
    include_package_data=True,
    entry_points={
        'console_scripts': [
            'zasca=zasca.main:run_cli',
        ],
    },
    install_requires=requirements,
)
--------------------------------------------------------------------------------
/zasca/node_scanner/node_tree_generator.py:
--------------------------------------------------------------------------------
import json


def get_dependencies(data, dependency_list, parent=''):
    """Walk the nested "dependencies" map of a lockfileVersion 1 package-lock.json
    and append one {'package', 'version'[, 'parent']} record per dependency.
    The accumulator is passed in instead of living at module level, so repeated
    calls in one process do not leak records into each other."""
    for dependency, depdata in (data.get('dependencies') or {}).items():
        item = {'package': dependency, 'version': depdata.get('version')}
        if parent:
            item['parent'] = '{}@{}'.format(parent, data.get('version'))
        if 'dependencies' in depdata:
            get_dependencies(depdata, dependency_list, dependency)
        dependency_list.append(item)


def get_packages(data, dependency_list):
    """lockfileVersion 2 and 3 flatten the tree under "packages", keyed by path.
    The empty key is the project itself; the package name is whatever follows
    the last "node_modules/" in the path."""
    for path, pkgdata in (data.get('packages') or {}).items():
        if not path:
            continue
        name = path.rsplit('node_modules/', 1)[-1]
        dependency_list.append({'package': name, 'version': pkgdata.get('version')})


def generate_tree(filepath):
    dependency_list = []
    with open(filepath) as f:
        data = json.load(f)
    if data.get('dependencies'):
        get_dependencies(data, dependency_list)
    else:
        get_packages(data, dependency_list)
    appname = {'package': data.get('name'), 'version': data.get('version')}
    return dependency_list, appname
--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: 'Zasca-action'
description: 'Github action to run Zasca'
author: 'javixeneize'
branding:
  icon: 'shield'
  color: 'red'
inputs:
  file:
    required: true
  sbom:
    required: false
    default: True
  include_dev:
    required: false
    default: False
  quality_gate:
    required: false
    default: "LOW"
  suppression_file:
    required: false
    default: "emptysuppression.json"

runs:
  using: 'docker'
  image: 'Dockerfile'
  args:
    - '${{ inputs.file }}'
    - '--sbom'
    - '${{ inputs.sbom }}'
    - '--include_dev'
    - '${{ inputs.include_dev }}'
    - '--quality_gate'
    - '${{ inputs.quality_gate }}'
    - '--suppression_file'
    - '${{ inputs.suppression_file }}'
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Javixeneize

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/.github/workflows/pull_request.yaml:
--------------------------------------------------------------------------------
name: Zasca PR

on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v1
        with:
          python-version: '3.9'

      - name: Install PIP Dependencies
        run: pip install -r requirements_dev.txt

      - name: Flake8 styles
        run: python -m flake8 ./zasca

      - name: Bandit security scan
        run: python -m bandit -r ./zasca

      - name: Safety dependency scan
        run: python -m safety check

      - name: Checkout origin branch if PR 'to-branch' is main
        if: github.base_ref == 'main'
        uses: actions/checkout@v3
        with:
          ref: ${{ github.head_ref }}

      - name: BumpVersion if PR 'to-branch' is main
        if: github.base_ref == 'main'
        run: |
          bump2version minor

      - name: Commit back to the repo
        if: github.base_ref == 'main'
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Bumpversion changes
--------------------------------------------------------------------------------
/zasca/data/queries.yaml:
--------------------------------------------------------------------------------
MAVEN: |
  query ($package: String, $after: String)
  {
    securityVulnerabilities(
      first: 100
      ecosystem: MAVEN
      package: $package
      after: $after
    ) {
      nodes {
        severity
        vulnerableVersionRange
        advisory {
          cvss {
            score
          }
          identifiers {
            type
            value
          }
          description
          summary
        }
        updatedAt
        firstPatchedVersion {
          identifier
        }
      }
      totalCount
      pageInfo {
        hasNextPage
        endCursor
      }
    }
  }
NPM: |
  query ($package: String, $after: String)
  {
    securityVulnerabilities(
      first: 100
      ecosystem: NPM
      package: $package
      after: $after
    ) {
      nodes {
        severity
        vulnerableVersionRange
        advisory {
          cvss {
            score
          }
          identifiers {
            type
            value
          }
          description
          summary
        }
        updatedAt
        firstPatchedVersion {
          identifier
        }
      }
      totalCount
      pageInfo {
        hasNextPage
        endCursor
      }
    }
  }
--------------------------------------------------------------------------------
/zasca/maven_scanner/maven_tree_generator.py:
--------------------------------------------------------------------------------
import os
import subprocess  # nosec
import sys
import tempfile


def generate_tree(filepath, include_dev):
    """Ask Maven to write the dependency tree of the given pom.xml to a temporary
    file and return that file's path. Compile scope leaves out test-only
    dependencies; --include_dev widens the filter to test scope."""
    scope = '-Dscope=test' if include_dev else '-Dscope=compile'
    # A fresh temporary file instead of a fixed path inside the installed package,
    # which may not be writable and would be shared by concurrent runs.
    fd, dep_file = tempfile.mkstemp(prefix='zasca_dep_tree_', suffix='.txt')
    os.close(fd)
    try:
        exitcode = subprocess.call(['mvn', 'dependency:tree', '-Doutput={}'.format(dep_file), '-f',  # nosec
                                    filepath, scope],
                                   stdout=subprocess.DEVNULL,
                                   stderr=subprocess.STDOUT)
    except FileNotFoundError:
        print("Looks like maven is not correctly installed or the pom.xml file can't be resolved. Please check")
        sys.exit(1)
    if exitcode != 0:
        print("There has been an error building the tree")
        sys.exit(exitcode)
    return dep_file


def get_dependencies(dep_file):
    """Parse Maven's tree output. Each line is a coordinate of the form
    group:artifact:packaging[:classifier]:version[:scope] preceded by tree-drawing
    characters; the first line is the project itself."""
    dependencies = []
    with open(dep_file) as f:
        lines = f.read().replace('+-', '').replace('|', '').replace(r'\-', '') \
            .replace(' ', '').rstrip().split('\n')
    for line in lines:
        fields = line.split(':')
        if len(fields) == 6:        # classifier present: drop packaging and classifier
            del fields[2:4]
        elif len(fields) in (4, 5):  # drop packaging
            fields.pop(2)
        else:
            continue
        dependencies.append({'package': fields[0] + ':' + fields[1],
                             'group': fields[0],
                             'name': fields[1],
                             'version': fields[2]})
    os.remove(dep_file)
    if not dependencies:
        print("The dependency tree is empty")
        sys.exit(1)
    appname = dependencies.pop(0)
    return dependencies, appname
--------------------------------------------------------------------------------
/zasca/template/report_template.html:
--------------------------------------------------------------------------------
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Zasca report</title>
</head>
<body>
  <h1>{{ appname.package }}:{{ appname.version }} Report</h1>
  <p>Time: {{ now }}</p>
  <table>
    <thead>
      <tr>
        <th>Library</th>
        <th>Advisory ID</th>
        <th>Severity</th>
        <th>CVSS Score</th>
        <th>Summary</th>
        <th>Vulnerable range</th>
        <th>Fix version</th>
      </tr>
    </thead>
    <tbody>
    {% for item in report %}
      {% if item.advisory.severity == "CRITICAL" %}
      <tr class="critical">
      {% elif item.advisory.severity == "HIGH" %}
      <tr class="high">
      {% elif item.advisory.severity == "MODERATE" %}
      <tr class="moderate">
      {% elif item.advisory.severity == "LOW" %}
      <tr class="low">
      {% else %}
      <tr>
      {% endif %}
        <td>{{item.package}}</td>
        <td>{{item.advisory.advisory.ghsa.value}}<br>{{item.advisory.advisory.cve.value}}</td>
        <td>{{item.advisory.severity}}</td>
        <td>{{item.advisory.advisory.cvss.score}}</td>
        <td>{{item.advisory.advisory.summary}}</td>
        <td>{{item.advisory.vulnerableVersionRange}}</td>
        <td>{{item.advisory.firstPatchedVersion.identifier}}</td>
      </tr>
    {% endfor %}
    </tbody>
  </table>
</body>
</html>
--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
name: Zasca Release
on:
  push:
    branches: [ main ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v1
        with:
          python-version: '3.9'

      - name: Install PIP Dependencies
        run: pip install -r requirements_dev.txt

      - name: Flake8 styles
        run: python -m flake8 ./zasca

      - name: Bandit security scan
        run: python -m bandit -r ./zasca

      - name: Safety dependency scan
        run: python -m safety check

      - name: Build release
        run: python3 setup.py sdist bdist_wheel

      - name: Get bumpversion
        # Read the quoted value out of setup.py rather than deleting a character
        # set with tr, so the result is exactly the version string.
        run: echo "VERSION=$(sed -n 's/^__version__ = "\(.*\)"$/\1/p' setup.py)" >> "$GITHUB_ENV"

      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.0.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: v${{ env.VERSION }}
          release_name: Release v${{ env.VERSION }}
          draft: false
          prerelease: false

      - name: Upload Wheel
        id: upload_wheel
        uses: actions/upload-release-asset@v1.0.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./dist/zasca-${{ env.VERSION }}-py3-none-any.whl
          asset_name: Zasca Wheel
          asset_content_type: application/x-python-wheel

      - name: Publish
        env:
          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
        run: |
          twine upload dist/*

      - name: Build and push docker image
        run: |
          docker build -f Dockerfile-release -t javidr/zasca:latest -t javidr/zasca:${{ env.VERSION }} --build-arg zasca_version=${{ env.VERSION }} . --progress=plain
          echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin
          docker push javidr/zasca -a
--------------------------------------------------------------------------------
/zasca/utils.py:
--------------------------------------------------------------------------------
import json
from operator import itemgetter
import os
from jinja2 import Template
from datetime import datetime

PATH_PROJECT = os.path.realpath(os.path.dirname(__file__))
SEVERITY = {'CRITICAL': 4, 'HIGH': 3, 'MODERATE': 2, 'LOW': 1, 'OFF': 5}


def check_quality_gate(severity_data, threshold):
    """True when no detected severity reaches the threshold. OFF ranks above
    CRITICAL, so nothing can trip it."""
    threshold_value = SEVERITY.get(threshold)
    if threshold_value is None:
        print("Quality gate not valid. It has to be OFF, CRITICAL, HIGH, MODERATE or LOW")
        return False
    return all(SEVERITY.get(k, 0) < threshold_value for k in severity_data)


def suppress_fp(report, suppression_file):
    """Drop the findings listed in the suppression file. Each entry pairs a package
    (group:artifact:version, exactly as reported) with a CVE or GHSA identifier,
    so a suppression stops applying as soon as the dependency changes version."""
    suppressed_issues = []
    try:
        with open(suppression_file) as file:
            fp_list = json.load(file)
    except FileNotFoundError:
        print("File not found. Skipping suppression process..")
        return report, suppressed_issues
    except json.decoder.JSONDecodeError:
        print("JSON malformed. Skipping suppression process..")
        return report, suppressed_issues
    suppressed = {(fp.get('package'), fp.get('vulnerability')) for fp in fp_list}
    kept = []
    # Build a new list instead of removing from the list being iterated, which
    # would silently skip the element that follows each removal.
    for vuln in report:
        identifiers = map(itemgetter('value'), vuln.get('advisory').get('advisory').get('identifiers'))
        if any((vuln['package'], identifier) in suppressed for identifier in identifiers):
            suppressed_issues.append(vuln.copy())
        else:
            kept.append(vuln)
    return kept, suppressed_issues


def generate_cyclonedx_sbom(dependencies):
    with open(PATH_PROJECT + '/template/cyclonedx_template.json') as file:
        cyclone_data = json.load(file)

    for item in dependencies:
        # Maven records carry group/name/version; npm records only package/version.
        component = {'type': 'library',
                     'name': item.get('name', item.get('package')),
                     'version': item.get('version')}
        if item.get('group'):
            component['group'] = item['group']
        cyclone_data['components'].append(component)

    with open('cyclonedx_report.json', 'w') as file:
        json.dump(cyclone_data, file, indent=2)


def generate_html_report(data, appname):
    with open(PATH_PROJECT + '/template/report_template.html') as file:
        # autoescape: advisory summaries and package names come from outside the
        # tool and must not be able to inject markup into the report.
        template =Template(file.read(), autoescape=True)
    template.globals['now'] = datetime.now().strftime("%d-%m-%Y %H:%M:%S")
    with open('sca_report.html', 'w') as file:
        file.write(template.render(report=data, appname=appname))
--------------------------------------------------------------------------------
/zasca/main.py:
--------------------------------------------------------------------------------
from zasca import utils, scanner
from zasca.maven_scanner import maven_tree_generator
from zasca.node_scanner import node_tree_generator
from tqdm import tqdm
import collections
import os
import sys
import click

EMPTY_SUPPRESSION = 'emptysuppression.json'


def scan_maven(filepath, include_dev):
    dep_file = maven_tree_generator.generate_tree(filepath, include_dev)
    dependencies, appname = maven_tree_generator.get_dependencies(dep_file)
    mavenscan = scanner.Scanner(appname)
    trigger_scan(dependencies, mavenscan, 'MAVEN')
    return mavenscan.advisory_list, mavenscan.appname, dependencies


def scan_node(filepath):
    dependencies, appname = node_tree_generator.generate_tree(filepath)
    nodescan = scanner.Scanner(appname)
    trigger_scan(dependencies, nodescan, 'NPM')
    return nodescan.advisory_list, nodescan.appname, dependencies


def trigger_scan(dependencies, scanner, ecosystem):
    print("Scanning dependencies...")
    for dependency in tqdm(dependencies):
        advisories = scanner.get_advisories(dependency.get('package'), ecosystem)
        if advisories:
            scanner.validate_vulnerable_version(advisories, dependency.get('package'), dependency.get('version'))


def write_output(num_issues, unique_libraries, num_fp, qg):
    print('{} vulnerabilities detected in {} vulnerable libraries'.format(num_issues, unique_libraries))
    if num_fp:
        print('{} vulnerabilities suppressed'.format(num_fp))
    print('Quality gate passed: {}'.format(qg))


@click.command()
@click.argument('file', required=True)
@click.option('--sbom', type=bool, help='Generates CycloneDX SBOM', default=True)
@click.option('--include_dev', type=bool, help='Include dev dependencies', default=False)
@click.option('--quality_gate', help='Maximum severity allowed (OFF, LOW, MODERATE, HIGH, CRITICAL)', default='LOW')
@click.option('--suppression_file', help='False positives to remove', default=EMPTY_SUPPRESSION)
def run_cli(file, sbom, include_dev, quality_gate, suppression_file):
    suppressed_items = []
    # Match on the file name so that paths such as backend/pom.xml work too.
    name = os.path.basename(file)
    if name == 'pom.xml':
        data, appname, dependencies = scan_maven(file, include_dev)
    elif name == 'package-lock.json':
        data, appname, dependencies = scan_node(file)
    else:
        print("Unsupported input file: expected pom.xml or package-lock.json")
        sys.exit(2)
    if sbom:
        utils.generate_cyclonedx_sbom(dependencies)
    if suppression_file != EMPTY_SUPPRESSION:
        data, suppressed_items = utils.suppress_fp(data, suppression_file)
    utils.generate_html_report(data, appname)
    unique_vuln_libraries = collections.Counter(item['package'] for item in data)
    severity_data = collections.Counter(item.get('advisory').get('severity') for item in data)
    qg_passed = utils.check_quality_gate(severity_data, quality_gate.upper())
    write_output(len(data), len(unique_vuln_libraries), len(suppressed_items), qg_passed)
    # The exit status is what the GitHub action and CI pipelines key on:
    # zero only when the quality gate passes.
    sys.exit(0 if qg_passed else 1)
--------------------------------------------------------------------------------
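The scan above ends in three decisions that are easy to get subtly wrong: whether a dependency version falls inside an advisory's `vulnerableVersionRange`, whether every page of the GraphQL connection was read, and whether the findings trip the quality gate. The following is an added example, not code from the zasca project: it re-implements those three steps stand-alone, with versions ordered numerically (so `8.5.7` is below `8.5.61` and `9.0.0` below `10.0.0`) and with the range grammar GitHub uses (`>= a, < b`, `< b`, `<= b`, `= a`). The advisory pages are constructed to mirror the response shape of queries.yaml; the three Tomcat advisories repeat what the sample report in this repository shows, while the MODERATE entry is a placeholder with a made-up range and no real identifier, present only to exercise the gate.

```python
"""Added example, not part of zasca: range matching, pagination and quality gate
over constructed advisory data shaped like the securityVulnerabilities query."""
import operator
import re

SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


def version_key(version):
    """Sort key that orders versions numerically: '8.5.7' < '8.5.61' < '10.0.0',
    which plain string comparison gets wrong. RELEASE/FINAL/GA qualifiers are
    dropped (1.2.1.RELEASE == 1.2.1); other qualifiers such as SNAPSHOT or RC1
    sort before the bare release; trailing zeros are ignored (8.0 == 8.0.0)."""
    numeric, qualifiers = [], []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit() and not qualifiers:
            numeric.append(int(part))
        elif part.upper() not in ("RELEASE", "FINAL", "GA"):
            qualifiers.append(part.lower())
    while len(numeric) > 1 and numeric[-1] == 0:
        numeric.pop()
    # Every key ends with a release marker so that 1.0.0-SNAPSHOT < 1.0.0 < 1.0.0.1.
    return tuple([(1, n, "") for n in numeric] + [(0, 0, q) for q in qualifiers] + [(1, 0, "")])


def version_in_range(version, version_range):
    """True when version satisfies every comma-separated constraint, e.g.
    '>= 8.0.0, < 8.5.61', '< 1.2.3', '<= 2.0.0' or '= 1.0.0'."""
    actual = version_key(version)
    for constraint in version_range.split(","):
        match = _CONSTRAINT.match(constraint.strip())
        if not match:
            raise ValueError("unrecognised constraint: {!r}".format(constraint))
        op, bound = match.groups()
        if not _OPS[op](actual, version_key(bound)):
            return False
    return True


def fetch_all_advisories(query_page, package):
    """Follow pageInfo.endCursor until hasNextPage is false. query_page(package, after)
    stands in for the GraphQL POST and must return one page in the API's shape."""
    nodes, cursor = [], None
    while True:
        page = query_page(package, cursor)["data"]["securityVulnerabilities"]
        nodes.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = page["pageInfo"]["endCursor"]


def quality_gate_passed(findings, threshold):
    """False if any finding is at or above the threshold; OFF disables the gate."""
    if threshold == "OFF":
        return True
    return all(SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold] for f in findings)


def scan(package, version, threshold="LOW", query_page=None):
    """Advisories whose range contains the installed version, plus the gate verdict."""
    advisories = fetch_all_advisories(query_page or fake_query_page, package)
    findings = [a for a in advisories if version_in_range(version, a["vulnerableVersionRange"])]
    return findings, quality_gate_passed(findings, threshold)


def _advisory(severity, version_range, ghsa, cve, fixed):
    return {"severity": severity, "vulnerableVersionRange": version_range,
            "advisory": {"identifiers": [{"type": "GHSA", "value": ghsa}, {"type": "CVE", "value": cve}]},
            "firstPatchedVersion": {"identifier": fixed}}


# Constructed two-page response for org.apache.tomcat.embed:tomcat-embed-core. The
# first three advisories are the ones in the sample report; the MODERATE one is a
# placeholder (made-up range, no real identifier) used only to exercise the gate.
ADVISORY_PAGES = [
    {"data": {"securityVulnerabilities": {"nodes": [
        _advisory("CRITICAL", ">= 8.0.0, < 8.5.61", "GHSA-jgwr-3qm3-26f3", "CVE-2021-25329", "8.5.61"),
        _advisory("HIGH", ">= 8.0.0, < 8.5.38", "GHSA-qcxh-w3j9-58qr", "CVE-2019-0199", "8.5.38"),
    ], "pageInfo": {"hasNextPage": True, "endCursor": "cursor-page-2"}}}},
    {"data": {"securityVulnerabilities": {"nodes": [
        _advisory("CRITICAL", ">= 8.0.0, < 8.5.51", "GHSA-c9hw-wf7x-jp9j", "CVE-2020-1938", "8.5.51"),
        _advisory("MODERATE", ">= 9.0.0, < 9.0.40", "PLACEHOLDER-GHSA", "PLACEHOLDER-CVE", "9.0.40"),
    ], "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
]


def fake_query_page(package, after):
    """Stand-in for the HTTP call: page 1 for after=None, page 2 for its cursor."""
    return ADVISORY_PAGES[0] if after is None else ADVISORY_PAGES[1]


if __name__ == "__main__":
    findings, passed = scan("org.apache.tomcat.embed:tomcat-embed-core", "8.0.15")
    for f in findings:
        print(f["severity"], f["advisory"]["identifiers"][1]["value"], f["vulnerableVersionRange"])
    print("quality gate passed:", passed)
```

Two points worth keeping when wiring this to the real API: an unrecognised constraint raises rather than silently matching, so a new range syntax shows up as an error instead of a missed finding, and the gate compares ranks, so `--quality_gate HIGH` still fails on CRITICAL.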
/zasca/scanner.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import json 3 | import yaml 4 | import os 5 | 6 | headers = {"Authorization": "bearer {}".format(os.getenv("GITHUB_TOKEN"))} 7 | 8 | PATH_PROJECT = os.path.realpath(os.path.dirname(__file__)) 9 | 10 | 11 | class Scanner(): 12 | def __init__(self, appname): 13 | self.appname = appname 14 | self.advisory_list = [] 15 | 16 | def get_advisories(self, package, ecosystem): 17 | vulndata = [] 18 | hasnext = True 19 | nextcursor = None 20 | query = yaml.safe_load(open(PATH_PROJECT + '/data/queries.yaml')).get(ecosystem) 21 | while hasnext: 22 | variables = {'package': package, 'after': nextcursor} 23 | request = requests.post('https://api.github.com/graphql', 24 | json={'query': query, 'variables': variables}, headers=headers) 25 | if request.status_code == 200: 26 | data = json.loads(request.content) 27 | vulndata = vulndata + data.get('data').get('securityVulnerabilities').get('nodes') 28 | hasnext = data.get('data').get('securityVulnerabilities').get('pageInfo').get('hasNextPage') 29 | nextcursor = data.get('data').get('securityVulnerabilities').get('pageInfo').get('endCursor') 30 | else: 31 | raise Exception("Error running the query. 
Error {}".format(request.status_code)) 32 | 33 | return vulndata 34 | 35 | def validate_vulnerable_version(self, advisories, package, version): 36 | for advisory in advisories: 37 | major_eq = False 38 | minor_eq = False 39 | try: 40 | bottom, top = advisory.get('vulnerableVersionRange').split(',') 41 | if '>=' in bottom: 42 | major_eq = True 43 | if '<=' in top: 44 | minor_eq = True 45 | bottomnumber = bottom.replace('>', '').replace('=', '').strip() 46 | topnumber = top.replace('<', '').replace('=', '').strip() 47 | if bottomnumber < version < topnumber or (version == bottomnumber and minor_eq) or ( 48 | version == topnumber and major_eq): 49 | advisory = self.parse_identifiers(advisory) 50 | self.advisory_list.append({'package': package + ':' + version, 'advisory': advisory.copy()}) 51 | except ValueError: # no top version 52 | top = advisory.get('vulnerableVersionRange') 53 | if '<=' in top: 54 | minor_eq = True 55 | topnumber = top.replace('<', '').replace('=', '').strip() 56 | if version < topnumber or (version == topnumber and minor_eq): 57 | advisory = self.parse_identifiers(advisory) 58 | self.advisory_list.append({'package': package + ':' + version, 'advisory': advisory.copy()}) 59 | 60 | def parse_identifiers(self, advisory): 61 | dicts = advisory.get('advisory').get('identifiers') 62 | advisory.get('advisory')['cve'] = next((id for id in dicts if id.get('type') == "CVE"), 63 | {'type': 'CVE', 'value': ''}) 64 | advisory.get('advisory')['ghsa'] = next((id for id in dicts if id.get('type') == "GHSA"), 65 | {'type': 'GHSA', 'value': ''}) 66 | return advisory 67 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Zasca 2 | 3 | ~~Yasca (Yet Another SCA) tool - or just Yasca~~, Zasca (Initially created as Yasca, but since there is another tool with the same name, it was renamed as Zasca ) is an opensource SCA tool written in 
Python. It is relies on Github advisories to detect vulnerabilities in the libraries. 4 | 5 | In this first release, it only works with Java projects built with Maven, but there are plans to expand it to Gradle, 6 | 7 | ## How does it work 8 | 9 | Zasca is written in python, and therefore the CLI can be installed with pip 10 | 11 | `pip install zasca` 12 | 13 | It can also be used as a github action, or as a [docker image](https://hub.docker.com/repository/docker/javidr/zasca) 14 | 15 | Zasca requires an input file (pom.xml) to perform the scan. It builds the dependency tree from that file, and then, queries Github Advisories to search for vulnerabilities in the libraries.Because of this, a github token needs to be set as environmental variable under GITHUB_TOKEN. 16 | 17 | 18 | 19 | export GITHUB_TOKEN=YOUR_TOKEN 20 | 21 | Once the scan is finished, it generates an html report called sca_report.html, with the issues found, and prints in the console a summary of the scan 22 | 23 | 24 | 25 | ![](img/console.png) 26 | 27 | 28 | 29 | ![](img/html_report.png) 30 | 31 | 32 | 33 | Zasca has some optional functionalities that can be enabled through a flag: 34 | 35 | **--sbom**: **True**/False. This flag is set to true by default. If it is enabled, it generates a cyclonedx SBOM file called cyclonedx_report.json 36 | 37 | **--include_dev**: True/**False**. By default it is set to false, which means the tool will not scan dev dependencies 38 | 39 | **--quality_gate**: OFF/**LOW**/MEDIUM/HIGH/CRITICAL. Set to LOW by default, this is the maximum level of severity allowed. The tool returns an error if there are vulnerabilities with a severity equal or bigger to the quality gate. 40 | 41 | **--suppression_file**: Zasca will ignore the vulnerabilities included in the file sent as parameter with this flag. 
The suppression file is a json that needs to include the vulnerability to ignore (CVE or GHSA) and the package where the vulnerability will be ignored, as for example: 42 | 43 | ``` 44 | [ 45 | { 46 | "vulnerability": "CVE-2022-22965", 47 | "package": "org.springframework.boot:spring-boot-starter-web:1.2.1.RELEASE" 48 | }, 49 | { 50 | "vulnerability": "CVE-2019-0199", 51 | "package": "org.apache.tomcat.embed:tomcat-embed-core:8.0.15" 52 | } 53 | ] 54 | ``` 55 | 56 | 57 | 58 | ## Github action 59 | 60 | Zasca works perfectly in github workflows, and in fact it was designed to be a github action! Here is the interface for the action, with all the available parameters: 61 | 62 | 63 | 64 | file: 65 | required: true 66 | sbom: 67 | required: false 68 | default: True 69 | include_dev: 70 | required: false 71 | default: False 72 | quality_gate: 73 | required: false 74 | default: "LOW" 75 | suppression_file: 76 | required: false 77 | 78 | 79 | 80 | The action requires the github token as an env variable. 
This token already exists in github repositories, so you just need to set it inside the action as follows: 81 | 82 | env: 83 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 84 | 85 | 86 | ## Github action - Example 87 | 88 | Here is an example of how to use the action in a workflow: 89 | 90 | name: Zasca test 91 | 92 | on: push 93 | jobs: 94 | build: 95 | runs-on: ubuntu-latest 96 | steps: 97 | - name: Checkout Code 98 | uses: actions/checkout@v3 99 | 100 | - name: zascatest 101 | uses: javixeneize/zasca@main 102 | with: 103 | file: pom.xml 104 | env: 105 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 106 | 107 | - uses: actions/upload-artifact@v3 108 | if: always() 109 | with: 110 | name: html_report 111 | path: sca_report.html 112 | - uses: actions/upload-artifact@v3 113 | if: always() 114 | with: 115 | name: cycloneDx_report 116 | path: cyclonedx_report.json 117 | Note that If the quality gate is not matched, it will break the workflow, so you will need to use if: always() syntax to save the reports. 118 | 119 | 120 | 121 | ## Roadmap 122 | 123 | - [ ] Generate sarif report 124 | - [ ] Improve CycloneDX report to include vulnerabilities 125 | - [ ] Support NodeJS 126 | - [ ] Support Gradle -------------------------------------------------------------------------------- /sca_report sample.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 17 | 18 | 19 | 20 | 21 | 22 | SCA report 23 | 24 |

com.example:demo:0.0.1-SNAPSHOT Report

25 |

Time: 01-03-2022 16:57:46

26 |
| Library | Advisory ID | Severity | CVSS Score | Summary | Vulnerable range | Fix version |
|---|---|---|---|---|---|---|
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-jgwr-3qm3-26f3 / CVE-2021-25329 | CRITICAL | 7.0 | Potential remote code execution in Apache Tomcat | >= 8.0.0, < 8.5.61 | 8.5.61 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-qcxh-w3j9-58qr / CVE-2019-0199 | HIGH | 7.5 | Denial of Service in Tomcat | >= 8.0.0, < 8.5.38 | 8.5.38 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-c9hw-wf7x-jp9j / CVE-2020-1938 | CRITICAL | 9.8 | Improper Privilege Management in Tomcat | >= 8.0.0, < 8.5.51 | 8.5.51 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-344f-f5vg-2jfj / CVE-2020-9484 | HIGH | 7.0 | Potential remote code execution in Apache Tomcat | >= 8.0.0, < 8.5.55 | 8.5.55 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-qxf4-chvg-4r8r / CVE-2020-1935 | MODERATE | 4.8 | Potential HTTP request smuggling in Apache Tomcat | >= 8.0.0, < 8.5.51 | 8.5.51 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-hh3j-x4mc-g48r / CVE-2019-12418 | HIGH | 7.0 | In Apache Tomcat, a local attacker may be able to perform a man-in-the-middle attack to capture user names and passwords | >= 8.0.0, < 8.5.48 | 8.5.49 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-9xcj-c8cr-8c3c / CVE-2019-17563 | HIGH | 7.5 | In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack | >= 8.0.0, < 8.5.50 | 8.5.50 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-jjpq-gp5q-8q6w / CVE-2019-0221 | MODERATE | 6.1 | Cross-site scripting in Apache Tomcat | >= 8.0.0, < 8.5.40 | 8.5.40 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-8vmx-qmch-mpqg / CVE-2019-0232 | HIGH | 8.1 | High severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core | >= 8.0.0, < 8.5.40 | 8.5.40 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-46j3-r4pj-4835 / CVE-2018-8034 | HIGH | 7.5 | Low severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core | >= 8.0.0, < 8.0.53 | 8.0.53 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-r4x2-3cq5-hqvp / CVE-2018-8014 | CRITICAL | 9.8 | High severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core | >= 8.0.0, < 8.0.53 | 8.0.53 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-m59c-jpc8-m2x4 / CVE-2018-1336 | HIGH | 7.5 | Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core | >= 8.0.0, < 8.0.51 | 8.0.51 |
| org.apache.tomcat.embed:tomcat-embed-core:8.0.15 | GHSA-6rxj-58jh-436r / CVE-2018-1304 | MODERATE | 5.9 | Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core | >= 8.0.0, < 8.0.51 | 8.0.51 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-v585-23hc-c647 / CVE-2020-36186 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-cjjf-94ff-43w7 / CVE-2018-12022 | HIGH | 7.5 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | <= 2.7.9.3 | 2.7.9.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-645p-88qh-w398 / CVE-2018-14718 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | >= 2.0.0, <= 2.7.9.4 | 2.7.9.5 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-4gq5-ch57-c2mg / CVE-2018-14719 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | >= 2.0.0, <= 2.7.9.4 | 2.7.9.5 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-cggj-fvv3-cqwv / CVE-2018-7489 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | <= 2.8.11.0 | 2.8.11.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-qxxx-2pp7-5hmx / CVE-2017-7525 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | <= 2.6.7.0 | 2.6.7.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-h3cw-g4mq-c5x2 / CVE-2020-24616 | HIGH | 8.1 | Code Injection in jackson-databind | >= 2.0.0, <= 2.9.10.5 | 2.9.10.6 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-6fpp-rgj9-8rwc / CVE-2019-14379 | CRITICAL | 9.8 | Deserialization of untrusted data in FasterXML jackson-databind | <= 2.9.9.1 | 2.9.9.2 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-mx7p-6679-8g3q / CVE-2019-16942 | CRITICAL | 9.8 | Polymorphic Typing in FasterXML jackson-databind | >= 2.0.0, <= 2.9.10 | 2.9.10.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-fmmc-742q-jg75 / CVE-2019-16943 | CRITICAL | 9.8 | Polymorphic typing issue | <= 2.9.10.0 | 2.9.10.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-gjmw-vf9h-g25v / CVE-2019-17531 | CRITICAL | 9.8 | Polymorphic typing issue | <= 2.9.10.0 | 2.9.10.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-qr7j-h6gg-jmgc / CVE-2018-11307 | CRITICAL | 9.8 | Deserialization of Untrusted Data in jackson-databind | >= 2.0.0, <= 2.7.9.3 | 2.7.9.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-mph4-vhrx-mv67 / CVE-2019-12384 | MODERATE | 5.9 | Deserialization of Untrusted Data in FasterXML jackson-databind | <= 2.9.9 | 2.9.9.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-cmfg-87vq-g5g4 / CVE-2019-12814 | MODERATE | 5.9 | Deserialization of untrusted data in FasterXML jackson-databind | >= 2.0.0, <= 2.9.9 | 2.9.9.1 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-gwp4-hfv6-p7hw / CVE-2019-14439 | HIGH | 7.5 | Deserialization of untrusted data in FasterXML jackson-databind | <= 2.9.9.1 | 2.9.9.2 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-wh8g-3j2c-rqj5 / CVE-2020-35490 | HIGH | 8.1 | Serialization gadgets exploit in jackson-databind | >= 2.0.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-r3gr-cxrf-hg25 / CVE-2020-35491 | HIGH | 8.1 | Serialization gadgets exploit in jackson-databind | >= 2.0.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-qjw2-hr98-qgfh / CVE-2020-24750 | CRITICAL | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.5 | 2.9.10.6 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-89qr-369f-5m5x / CVE-2020-36182 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-9gph-22xh-8x98 / CVE-2020-36179 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-8w26-6f25-cm9x / CVE-2020-36185 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-cvm9-fjm9-3572 / CVE-2020-36181 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-8c4j-34r4-xr8g / CVE-2020-36180 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-m6x4-97wx-4q27 / CVE-2020-36184 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-9m6f-7xcq-8vf8 / CVE-2020-36183 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-f9xh-2qgp-cq57 / CVE-2020-36188 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-r695-7vr9-jgc2 / CVE-2020-36187 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-vfqx-33qm-g869 / CVE-2020-36189 | HIGH | 8.1 | Unsafe Deserialization in jackson-databind | >= 2.0, <= 2.9.10.7 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-288c-cq4h-88gq / CVE-2020-25649 | HIGH | 7.5 | XML External Entity (XXE) Injection in Jackson Databind | <= 2.6.7.3 | 2.6.7.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-5949-rw7g-wx7w / CVE-2021-20190 | HIGH | 0.0 | Deserialization of untrusted data in jackson-databind | <= 2.9.10.6 | 2.9.10.7 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-w3f4-3q6j-rh82 / CVE-2018-5968 | HIGH | 8.1 | Deserialization of Untrusted Data in jackson-databind | < 2.8.11 | 2.8.11 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-f3j5-rmmp-3fc5 / CVE-2019-17267 | CRITICAL | 9.8 | Improper Input Validation in jackson-databind | < 2.9.10 | 2.9.10 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-cf6r-3wgc-h863 / CVE-2019-14892 | HIGH | 7.5 | Polymorphic deserialization of malicious object in jackson-databind | <= 2.6.7.2 | 2.6.7.3 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-p43x-xfjf-5jhr / CVE-2020-9548 | CRITICAL | 9.8 | jackson-databind mishandles the interaction between serialization gadgets and typing | >= 2.0.0, <= 2.9.10.3 | 2.9.10.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-q93h-jc49-78gg / CVE-2020-9547 | CRITICAL | 9.8 | jackson-databind mishandles the interaction between serialization gadgets and typing | >= 2.0.0, <= 2.9.10.3 | 2.9.10.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-fqwf-pjwf-7vqv / CVE-2020-10673 | MODERATE | 0.0 | jackson-databind mishandles the interaction between serialization gadgets and typing | >= 2.0.0, <= 2.9.10.3 | 2.9.10.4 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-4w82-r329-3q67 / CVE-2020-8840 | CRITICAL | 9.8 | Deserialization of Untrusted Data in jackson-databind | >= 2.4.0, <= 2.4.6.1 | |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-gww7-p5w4-wrfv / CVE-2019-20330 | CRITICAL | 9.8 | Deserialization of Untrusted Data in jackson-databind | >= 2.4.0, <= 2.4.6.1 | |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-h822-r4r5-v8jg / CVE-2019-14540 | CRITICAL | 9.8 | Polymorphic Typing issue in FasterXML jackson-databind | < 2.9.10 | 2.9.10 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-85cw-hj65-qqv9 / CVE-2019-16335 | CRITICAL | 9.8 | Polymorphic Typing issue in FasterXML jackson-databind | < 2.9.10 | 2.9.10 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-5ww9-j83m-q7qx / CVE-2019-12086 | HIGH | 7.5 | Information exposure in FasterXML jackson-databind | >= 2.0.0, < 2.9.9 | 2.9.9 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-rfx6-vp9g-rh7v / CVE-2017-17485 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | < 2.8.11 | 2.8.11 |
| com.fasterxml.jackson.core:jackson-databind:2.4.4 | GHSA-h592-38cm-4ggp / CVE-2017-15095 | CRITICAL | 9.8 | High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind | < 2.8.11 | 2.8.11 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-ffvq-7w96-97p7 / CVE-2018-15756 | HIGH | 7.5 | Denial of Service in Spring Framework | < 4.3.20 | 4.3.20 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-8crv-49fr-2h6j / CVE-2016-5007 | HIGH | 7.5 | Moderate severity vulnerability that affects org.springframework.security:spring-security-core and org.springframework:spring-core | < 4.3.1 | 4.3.1 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-pgf9-h69p-pcgf / CVE-2015-5211 | HIGH | 8.6 | High severity vulnerability that affects org.springframework:spring-core | >= 4.0.0, < 4.1.8 | 4.1.8 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-6v7w-535j-rq5m / CVE-2015-3192 | MODERATE | 5.5 | Moderate severity vulnerability that affects org.springframework:spring-core | >= 4.0.0, < 4.1.7 | 4.1.7 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-45vg-2v73-vm62 / CVE-2015-0201 | MODERATE | 0.0 | Moderate severity vulnerability that affects org.springframework:spring-core | >= 4.1.0, < 4.1.5 | 4.1.5 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-3rmv-2pg5-xvqj / CVE-2018-1275 | CRITICAL | 9.8 | High severity vulnerability that affects org.springframework:spring-core | < 4.3.16 | 4.3.16 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-4487-x383-qpph / CVE-2018-1272 | HIGH | 7.5 | Moderate severity vulnerability that affects org.springframework:spring-core | < 4.3.15 | 4.3.15 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-g8hw-794c-4j9g / CVE-2018-1271 | MODERATE | 5.9 | Moderate severity vulnerability that affects org.springframework:spring-core | < 4.3.15 | 4.3.15 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-p5hg-3xm3-gcjg / CVE-2018-1270 | CRITICAL | 9.8 | High severity vulnerability that affects org.springframework:spring-core | < 4.3.16 | 4.3.16 |
| org.springframework:spring-core:4.1.4.RELEASE | GHSA-rcpf-vj53-7h2m / CVE-2018-1257 | MODERATE | 6.5 | Moderate severity vulnerability that affects org.springframework:spring-core | < 4.3.17 | 4.3.17 |
| ch.qos.logback:logback-classic:1.1.2 | GHSA-vmfg-rjjm-rjrj / CVE-2017-5929 | CRITICAL | 9.8 | Deserialization of Untrusted Data | < 1.2.0 | 1.2.0 |
| ch.qos.logback:logback-core:1.1.2 | GHSA-668q-qrv7-99fm / CVE-2021-42550 | MODERATE | 6.6 | Deserialization of Untrusted Data in logback | <= 1.2.7 | |
| ch.qos.logback:logback-core:1.1.2 | GHSA-vmfg-rjjm-rjrj / CVE-2017-5929 | CRITICAL | 9.8 | Deserialization of Untrusted Data | < 1.2.0 | 1.2.0 |
| org.yaml:snakeyaml:1.14 | GHSA-rvwf-54qp-4r6v / CVE-2017-18640 | HIGH | 7.5 | XML Entity Expansion | < 1.26 | 1.26 |