├── .github
├── ISSUE_TEMPLATE
│ ├── bug-report.md
│ ├── contribution-request.md
│ ├── feature-request.md
│ └── question.md
└── workflows
│ └── ci.yml
├── .gitignore
├── .gitlab-ci.yml
├── .whitesource
├── CLA.md
├── Dockerfile
├── LICENSE
├── README.md
├── ToDo.md
├── requirements.txt
├── samples
├── gl-dependency-scanning-report-alert-based.json
├── gl-dependency-scanning-report.json
└── gl-license-scanning-report.json
└── ws_gitlab_integration
├── __init__.py
├── _version.py
├── tests
├── __init__.py
└── test_ws2gl_format_convertor.py
└── ws2gl_format_convertor.py
/.github/ISSUE_TEMPLATE/bug-report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug Report
3 | about: Create a report to help us improve
4 | title: "[BUG] [ws-tool-name] Issue Short Description"
5 | labels: bug
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Bug Description**
11 | A clear and concise description of what the bug is.
12 |
13 | **Steps to Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '....'
17 | 3. Scroll down to '....'
18 | 4. See error
19 |
20 | **Expected Behavior**
21 | A clear and concise description of what you expected to happen.
22 |
23 | **Screenshots**
24 | If applicable, add screenshots to help explain your problem.
25 |
26 | **Environment Details**
27 | - OS: [e.g. Ubuntu 18.04]
28 | - Browser: [e.g. chrome, safari]
29 | - Version: [e.g. 22]
30 |
31 | **Additional Context**
32 | Add any other context about the problem here.
33 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/contribution-request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Contribution Request
3 | about: Discuss potential changes you wish to contribute
4 | title: "[CR] [ws-tool-name] Contribution Request Topic"
5 | labels: enhancement
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Tool:** ws-tool-name
11 |
12 | **Planned Changes:**
13 | Describe the changes you wish to contribute, to initiate a discussion with the WhiteSource-PS team.
14 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature-request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Request
3 | about: Suggest an idea for this project
4 | title: "[FR] [ws-tool-name] Feature Short Description"
5 | labels: feature request
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Question
3 | about: General question/how-to
4 | title: "[Question] [ws-tool-name] Question Topic"
5 | labels: question
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Question**
11 | Ask your question here. Please be as specific as possible.
12 |
13 | **Environment Details**
14 | - OS: [e.g. Ubuntu 18.04]
15 | - Browser: [e.g. chrome, safari]
16 | - Version: [e.g. 22]
17 |
--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
# GitHub Actions pipeline for the WhiteSource GitLab integration.
# Every push (except the excluded bot branches) lints the code and runs the
# integration tests against WhiteSource; a push of a `v*` tag additionally
# builds/pushes the Docker image and syncs README.md to Confluence.
# Security-relevant review remarks are marked NOTE(review).
name: CI
on:
  push:
    branches:
      - '**'
      - '!ws-iac-scan-results/**'
      - '!whitesource-remediate/master-all**'
      - '!whitesource/migrate-configuration**'
    tags:
      - '*'
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      # TOOL_DIR is derived from the repository name (dashes -> underscores) and
      # VERSION is a CI placeholder unless the pushed ref is a `v*` tag.
      # NOTE(review): `${{ github.repository }}` and `${{ github.ref }}` are
      # substituted into the script text before the shell parses it. Prefer the
      # runner-provided `$GITHUB_REPOSITORY` / `$GITHUB_REF` (the `if` below
      # already reads `$GITHUB_REF`) so ref text is never spliced into script
      # source.
      # NOTE(review): the sed character class `[\/a-zA-z-]` uses the range
      # `A-z`, which also covers `[ \ ] ^ _` and backtick; `A-Z` is presumably
      # what was intended.
      - name: Set Environment Variables
        run: |
          echo "TOOL_NAME=ws2gl_format_convertor.py" >> $GITHUB_ENV
          echo "VERSION=0.0.0.ci0" >> $GITHUB_ENV
          echo "TOOL_DIR=$(echo '${{ github.repository }}' |awk -F '/' '{gsub(/-/, "_", $0) ;print $NF}')" >> $GITHUB_ENV
          if [[ $GITHUB_REF == refs/tags/v* ]]; then
            echo "VERSION=$(echo ${{github.ref}} | sed -r 's/^[\/a-zA-z-]+//')" >> $GITHUB_ENV
          fi
      # NOTE(review): actions are referenced by mutable major-version tags
      # (`@v2`, `@v1`) or a branch (`@master`, below); pinning each to a full
      # commit SHA makes the pipeline's supply chain reproducible.
      - uses: actions/checkout@v2
      # Commented-out duplicate of the trufflehog step that runs after the
      # version bump below.
      # - uses: UnicornGlobal/trufflehog-actions-scan@master
      #   with:
      #     branch: ${{ github.head_ref }}
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.9
      # Rewrites `__version__` in <TOOL_DIR>/_version.py to the VERSION
      # computed in the first step.
      - name: Set package version
        run: |
          sed -E -i "s/^__version__ = \"[a-z0-9\.]+\"/__version__ = \"$VERSION\"/g" ${{ env.TOOL_DIR }}/_version.py
      # Secret scan of the checkout.
      # NOTE(review): third-party action pinned to the mutable `master` branch;
      # pin to a commit SHA. `github.head_ref` is only populated for
      # pull_request events and this workflow triggers on `push` only, so the
      # `branch` input is empty here — confirm how the action behaves then.
      - uses: UnicornGlobal/trufflehog-actions-scan@master
        with:
          branch: ${{ github.head_ref }}
      # NOTE(review): flake8/spdx-tools/jsonschema are installed unpinned and
      # requirements.txt uses `~=` ranges, so the resolved dependency set can
      # differ between runs; a constraints/lock file with hashes would make the
      # build reproducible.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install flake8 spdx-tools jsonschema
          pip install -r requirements.txt
      - name: Lint with flake8
        run: |
          # stop the build if there are Python syntax errors or undefined names
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --ignore=E501,F841
          # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
      # Integration tests need live WhiteSource credentials, so they are
      # skipped on tag builds. Secrets are handed to the process via `env:`.
      - name: Perform integration test and compare to existing JSON
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        env:
          WS_USER_KEY: ${{ secrets.WS_USER_KEY }}
          WS_SCOPE_PROJ: ${{ secrets.WS_SCOPE_PROJ_WEBGOAT_INTEGRATION_TESTS }}
        run: python -m unittest
      # NOTE(review): the three "Full test" steps pass the user key and scope
      # token as command-line arguments, so the secrets are part of the process
      # argv on the runner (GitHub masks them in the job log, not in the
      # process table or crash output). The unittest step above already uses
      # the `env:` pattern; `-u "$WS_USER_KEY" -k "$WS_SCOPE_PROJ"` would do the
      # same here.
      - name: Full test (License)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: python ${TOOL_DIR}/ws2gl_format_convertor.py -u ${{ secrets.WS_USER_KEY }} -k ${{ secrets.WS_SCOPE_PROJ_WEBGOAT_INTEGRATION_TESTS }} -t license
      - name: Full test (Security Violance)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: python ${TOOL_DIR}/ws2gl_format_convertor.py -u ${{ secrets.WS_USER_KEY }} -k ${{ secrets.WS_SCOPE_PROJ_WEBGOAT_INTEGRATION_TESTS }} -t dependency -o /tmp
      - name: Full test (Security Violance alert based)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: python ${TOOL_DIR}/${TOOL_NAME} -u ${{ secrets.WS_USER_KEY }} -k ${{ secrets.WS_SCOPE_PROJ_WEBGOAT_INTEGRATION_TESTS }} -t dependency_alert_based -o /tmp
      # Computes the Docker tag list (`latest` plus the version from the tag).
      # NOTE(review): `::set-output` is deprecated; write `tags=${TAGS}` to
      # `$GITHUB_OUTPUT` instead.
      - name: Prepare tag
        if: contains(github.ref, 'refs/tags/v')
        id: prep
        run: |
          DOCKER_IMAGE=whitesourcetools/ws-gl-int
          VERSION=latest
          TAGS="${DOCKER_IMAGE}:${VERSION}"
          if [[ $GITHUB_REF == refs/tags/v* ]]; then
            VERSION=${GITHUB_REF#refs/tags/v}
            TAGS="$TAGS,${DOCKER_IMAGE}:${VERSION}"
          fi
          echo ::set-output name=tags::${TAGS}
      - name: Set up Docker Buildx
        if: contains(github.ref, 'refs/tags/v')
        uses: docker/setup-buildx-action@v1
      - name: Login to DockerHub
        if: contains(github.ref, 'refs/tags/v')
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push to DockerHub
        if: startsWith(github.ref, 'refs/tags/v')
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: ${{ steps.prep.outputs.tags }}
      # Tag-only README sync to Confluence page 2141159930.
      - name: confluence-markdown-sync
        if: contains(github.ref, 'refs/tags/v')
        uses: cupcakearmy/confluence-markdown-sync@v1
        with:
          from: README.md
          to: 2141159930
          cloud: whitesource
          user: ${{ secrets.CONFLUENCE_USER }}
          token: ${{ secrets.CONFLUENCE_TOKEN }}
      # NOTE(review): unlike the step above, this sync has no `if:` guard, so
      # README.md is pushed to Confluence page 2319843680 on every branch push
      # using CONFLUENCE_TOKEN. Presumably meant to be tag-only — confirm.
      - name: confluence-markdown-sync
        uses: cupcakearmy/confluence-markdown-sync@v1
        with:
          from: README.md
          to: 2319843680
          cloud: whitesource
          user: ${{ secrets.CONFLUENCE_USER }}
          token: ${{ secrets.CONFLUENCE_TOKEN }}

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Excluded IDE Directories
2 | .idea/
3 | .vs/
4 | .vscode/
5 | .ws/
6 |
7 | # Excluded Local/User Directories
8 | _archive/
9 | _misc/
10 | local/
11 | log/
12 | target/
13 |
14 | # Excluded Files - Extensions
15 | *.iml
16 | *.png
17 | *.tar.gz
18 | *.url
19 |
20 | # Excluded Files - Naming Convention
21 | local-env.*
22 | /venv/
23 | /build/
24 | /dist/
25 |
26 | ws_gitlab_integration/__pycache__/
27 | ws_gitlab_integration/tests/__pycache__/
--------------------------------------------------------------------------------
/.gitlab-ci.yml:
--------------------------------------------------------------------------------
# GitLab CI jobs that run the WhiteSource -> GitLab report converter from the
# published ws-gl-int image (the same snippet is reproduced in README.md).
# Review remarks are marked NOTE(review).
include:
  - template: License-Scanning.gitlab-ci.yml

# NOTE(review): both jobs reference the image by the mutable `latest` tag;
# pinning by digest (`name@sha256:<digest>`) makes the scanner that produced a
# given report reproducible and prevents silent image swaps.
# NOTE(review): WS_PROJ_TOKEN and WS_USER_KEY are passed as command-line
# arguments, so they are visible in the container's process list and in any
# crash output; GitLab masks variables in the job log only when they are marked
# "Masked".
# NOTE(review): the script path uses `gitlab_integration/`, while the
# Dockerfile installs the tool under `/opt/ws_gl_int/ws_gitlab_integration/`
# — one of the two looks wrong; confirm against the published image.
license_scanning:
  image:
    name: "docker.io/whitesourcetools/ws-gl-int:latest"
  script:
    - python3 /opt/ws_gl_int/gitlab_integration/ws2gl_format_convertor.py -k $WS_PROJ_TOKEN -u $WS_USER_KEY -t license -o $CI_PROJECT_DIR/

dependency_scanning:
  image:
    name: docker.io/whitesourcetools/ws-gl-int:latest
    # The image ENTRYPOINT is the converter script itself; clearing it lets the
    # runner start a shell for `script:`. The license_scanning job above does
    # not clear it — presumably the included template handles that; confirm.
    entrypoint: [""]
  script:
    - python3 /opt/ws_gl_int/gitlab_integration/ws2gl_format_convertor.py -k $WS_PROJ_TOKEN -u $WS_USER_KEY -t dependency -o $CI_PROJECT_DIR/
  artifacts:
    reports:
      # Presumably written by the converter into $CI_PROJECT_DIR (the `-o`
      # argument above) — verify the output file name against the tool.
      dependency_scanning: gl-dependency-scanning-report.json

--------------------------------------------------------------------------------
/.whitesource:
--------------------------------------------------------------------------------
1 | {
2 | "settingsInheritedFrom": "whitesource-ps/whitesource-config@main"
3 | }
--------------------------------------------------------------------------------
/CLA.md:
--------------------------------------------------------------------------------
1 | # WhiteSource Software Contributor License Agreement
2 | Thank you for your interest in contributing to the open source software projects (the "Projects") made available by WhiteSource Software or its affiliates (the “Company”).
3 | By Submitting Your Contribution (as these terms are defined below), You agree to the terms and conditions of this Contributor License Agreement (the "Agreement"). In case You are an entity, the individual submitting the Contribution for the entity confirms that they have the proper authority to legally bind the entity to this Agreement. They also confirm they agree, on behalf of that entity, to be contractually bound by this Agreement.
4 | If You have any questions regarding this Agreement, please contact support@whitesourcesoftware.com.
5 | ### 1. Definitions
6 | “Contribution” means any source code, bug fixes, configuration changes, tools, documentation, data, materials, feedback, information or other works of authorship that You Submit or have Submitted, in any form and in any manner, to the Company in connection with any Project(s), excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
7 | "You" means any individual or legal entity that Submits Contributions to the Project.
8 | "Source Code" means human-readable software code (including any comments therein), which is the preferred form for modifying software.
9 | "Submit" means to upload a Contribution to the Project's Source Code management system, to distribute a Contribution under the Open Source License or to otherwise make a Contribution available to the Company – e.g., by email, electronic communication or by any other way.
10 | "Open Source License" means the [please complete] license or any other open source license that the Company may designate to the Project from time to time.
11 | “Patents” means all patent claims that You own or control that would be infringed by any manner of using the Contribution in accordance with this Agreement.
12 | ### 2. Representations
13 | - 2.1. You represent and warrant that:
14 | - 2.1.1. Your Contribution is an original work that You created.
15 | - 2.1.2. Your Contribution is free from any third party rights or claims (including copyright, patents, trademarks, trade secrets and other intellectual property rights) – unless You included the details of any such rights clearly and conspicuously in Your Contribution by including the phrase “Submission containing materials of a third party:” followed by the names of the third party and any licenses or other restrictions of which You are aware.
16 | - 2.1.3. You are legally entitled to Submit the Contribution to the Company and grant the Company the rights and licenses mentioned in section 3 below.
17 | - 2.1.4. If Your Contribution was created in the course of Your employment or under any other agreement according to which not You but rather a third party is the copyright owner in Your Contribution, including (but not limited to) as a work made for hire, then Your employer – or, as the case may be, the copyright owner - has given You all licenses and permissions required to enable You to lawfully Submit the Contributions to the Company under this Agreement.
18 | ### 3. License Grant
19 | - 3.1. Copyright License
20 | Subject to the terms and conditions of this Agreement, You hereby grant the Company a worldwide, royalty-free, non-exclusive, transferrable, sublicensable, assignable, perpetual and irrevocable license to reproduce, prepare derivative works of, display and perform publicly, sublicense, make available to the public and distribute Your Contribution and any work derived from it.
21 | - 3.2. Patent License
22 | You grant the Company a free-of-charge and royalty free, non-exclusive, worldwide, perpetual, irrevocable, transferrable, assignable license under the Patents, with the right to sublicense through multiple tiers, to use, make, have made, sell, have sold, develop, manufacture and produce, have developed, manufactured and produced, in connection with the Project.
23 | - 3.3. Moral Rights
24 | Moral Rights remain unaffected to the extent they are recognized and not waivable by applicable law. To the extent permitted under applicable law, You hereby waive, and agree not to assert, all of Your “moral rights” in or relating to Your Contributions for the Company’s benefit. If not waivable, You hereby agree not to bring a claim against the Company in connection thereto. Notwithstanding, You may add your name to the attribution mechanism customarily used in the materials You Contribute to, such as the header of the Source Code files of Your Contribution, and the Company will make a good-faith effort, but will not be obligated, to include Your name in the copyright notices in the headers of every file that contains Your Contribution.
25 | - 3.4. Licensing the Project and Your Contribution
26 | The Company will license the Project under the Open Source License. However, as long as the Company makes the Project available under an Open Source License, the Company may also license the Project, including Your Contribution, under commercial licenses.
27 | ### 4. Disclaimer
28 | You are not expected to provide support for Your Contributions. You may provide support for free, for a fee, or not at all. The Contribution is provided "as is". More particularly, all express or implied warranties including, without limitation, any implied warranty of satisfactory quality, fitness for a particular purpose and non-infringement are expressly disclaimed by You to the Company and by the Company to You. To the extent that any such warranties cannot be disclaimed, such warranty is limited in duration and extent to the minimum period and extent permitted by law.
29 | ### 5. No Obligation to Use
30 | The Company is under no obligation to use Your Contribution and it retains the sole discretion to decide whether or not to use Your Contribution or incorporate it in the Project.
31 | ### 6. Miscellaneous
32 | - 6.1. Governing Law and Jurisdiction. This Agreement and all disputes, claims, actions, suits or other proceedings arising out of this Agreement or relating in any way to it shall be governed by the laws of Israel excluding its conflict of law provisions. You and the Company each consent to the sole and exclusive personal jurisdiction and venue for any legal proceedings in connection with this Agreement, in the competent courts in the District of Tel-Aviv-Jaffa, Israel, and waive any objections related thereto.
33 | - 6.2. Entire Agreement. This Agreement sets out the entire agreement between You and the Company regarding Your Contribution and overrides all other agreements or understandings.
34 | - 6.3. Severability. If any provision of this Agreement is found void or unenforceable, such provision will be replaced to the extent possible with a provision that comes closest to the meaning of the original provision and that is enforceable.
35 | - 6.4. Status. This Agreement does not establish a partnership, joint venture, agency or employment relationship between You and the Company.
36 | - 6.5. Notification. You agree to notify the Company of any facts or circumstances of which you become aware that would make Your representations in this Agreement inaccurate in any respect.
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Builds the whitesourcetools/ws-gl-int image that the GitLab CI jobs run.
# Review remarks are marked NOTE(review).
# NOTE(review): python 3.8 and Debian buster are both past upstream
# end-of-life, so this base no longer receives security fixes — confirm and
# move to a supported tag, pinned by digest.
FROM python:3.8-slim-buster

# NOTE(review): the repository tree has no .dockerignore, so this copies the
# whole checkout (tests, samples, CI configuration, any local .git) into the
# image rather than just the package and requirements.txt.
COPY . /opt/ws_gl_int

RUN python3 -m pip install --upgrade pip
WORKDIR /opt/ws_gl_int
# NOTE(review): requirements.txt uses `~=` ranges without hashes, so the
# installed dependency set is not reproducible between builds.
RUN pip3 install -r requirements.txt

# NOTE(review): there is no USER instruction, so the converter runs as root in
# the container. The module directory here is `ws_gitlab_integration/`, while
# .gitlab-ci.yml and README.md invoke `gitlab_integration/` — one of them looks
# wrong.
ENTRYPOINT ["python3", "/opt/ws_gl_int/ws_gitlab_integration/ws2gl_format_convertor.py"]
CMD ["-h"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | > [!Warning]
2 | **This repository has been deprecated. We will not be making any changes or enhancements to this repository. If you are actively using this utility, please contact your Customer Success Manager to get in touch with a Mend Professional Services Engineer to discuss possible alternative solutions.**
3 |
4 | 
5 | [](https://opensource.org/licenses/Apache-2.0)
6 | 
7 |
8 | # WhiteSource GitLab Integration
9 | A lightweight WhiteSource integration that populates security and license data from WhiteSource into GitLab.
10 |
11 | ## Prerequisites
12 | - GitLab Ultimate
13 | - Auto DevOps enabled
14 |
15 | ## Usage
16 | 1. For each project, define the **WS_PROJ_TOKEN** and **WS_USER_KEY** variables in the project's _Settings -> CI/CD -> Variables_, where:
17 | * WS_PROJ_TOKEN - WhiteSource Project Token.
18 | * WS_USER_KEY - WhiteSource User Key.
19 | * (Optional) WS_URL - WhiteSource URL (Default: saas). For a non-default URL, add `-a <url>` to the command below (e.g. saas-eu, app, app-eu, url.full.path).
20 | * To create Vulnerabilities based on WhiteSource Alerts, replace `-t dependency` with `-t dependency_alert_based`
21 |
22 | 1. Create a GitLab pipeline job consisting of the following:
23 | ```shell
24 | include:
25 | - template: License-Scanning.gitlab-ci.yml
26 |
27 | license_scanning:
28 | image:
29 | name: "docker.io/whitesourcetools/ws-gl-int:latest"
30 | script:
31 | - python3 /opt/ws_gl_int/gitlab_integration/ws2gl_format_convertor.py -k $WS_PROJ_TOKEN -u $WS_USER_KEY -t license -o $CI_PROJECT_DIR/
32 |
33 | dependency_scanning:
34 | image:
35 | name: docker.io/whitesourcetools/ws-gl-int:latest
36 | entrypoint: [""]
37 | script:
38 | - python3 /opt/ws_gl_int/gitlab_integration/ws2gl_format_convertor.py -k $WS_PROJ_TOKEN -u $WS_USER_KEY -t dependency -o $CI_PROJECT_DIR/
39 | artifacts:
40 | reports:
41 | dependency_scanning: gl-dependency-scanning-report.json
42 | ```
43 |
--------------------------------------------------------------------------------
/ToDo.md:
--------------------------------------------------------------------------------
1 | # To Do List
2 | - Item 1
3 | - Item 2
4 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# Runtime dependencies of the converter (installed by the Dockerfile and CI).
# NOTE(review): `~=` accepts any compatible patch release, so the resolved set
# can change between builds; pin exact versions (and hashes via
# `pip install --require-hashes`) for a reproducible supply chain.
ws-sdk~=0.3.1
spdx-tools~=0.6.1
jsonschema[DEBUG]~=3.2.0

--------------------------------------------------------------------------------
/samples/gl-dependency-scanning-report-alert-based.json:
--------------------------------------------------------------------------------
1 | {"version": "14.0.2", "vulnerabilities": [{"category": "dependency_scanning", "name": "CVE-2020-26259:xstream:1.4.5", "message": "CVE-2020-26259 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. 
Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", "cve": "CVE-2020-26259", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.15", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26259:xstream:1.4.5", "value": "CVE-2020-26259:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26259"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26259"}]}, {"category": "dependency_scanning", "name": "WS-2016-7107:spring-security-web:5.4.5", "message": "WS-2016-7107 in spring-security-web-5.4.5.jar - Detected by WhiteSource", "description": "CSRF tokens in Spring Security through 5.4.6 are vulnerable to a breach attack. 
Spring Security always returns the same CSRF token to the browser.", "cve": "WS-2016-7107", "severity": "Medium", "confidence": "Confirmed", "solution": "Fix unknown", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-security-web-5.4.5.jar", "dependency": {"version": "5.4.5", "package": {"name": "spring-security-web"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2016-7107:spring-security-web:5.4.5", "value": "WS-2016-7107:spring-security-web:5.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2016-7107"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2016-7107"}]}, {"category": "dependency_scanning", "name": "CVE-2012-2098:ant:1.6.5", "message": "CVE-2012-2098 in ant-1.6.5.jar - Detected by WhiteSource", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "cve": "CVE-2012-2098", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.apache.ant:ant:1.8.4,org.apache.commons:commons-compress:1.4.1", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "ant-1.6.5.jar", "dependency": {"version": "1.6.5", "package": {"name": "ant"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2012-2098:ant:1.6.5", "value": "CVE-2012-2098:ant:1.6.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2012-2098"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2012-2098"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21351:xstream:1.4.5", "message": "CVE-2021-21351 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21351", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21351:xstream:1.4.5", "value": "CVE-2021-21351:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21351"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21351"}]}, {"category": "dependency_scanning", "name": "WS-2019-0490:jcommander:1.72", "message": "WS-2019-0490 in jcommander-1.72.jar - Detected by WhiteSource", "description": "Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. 
jcommander resolving dependencies over HTTP instead of HTTPS.", "cve": "WS-2019-0490", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.beust:jcommander:1.75", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "jcommander-1.72.jar", "dependency": {"version": "1.72", "package": {"name": "jcommander"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2019-0490:jcommander:1.72", "value": "WS-2019-0490:jcommander:1.72", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0490"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0490"}]}, {"category": "dependency_scanning", "name": "CVE-2016-3674:xstream:1.4.5", "message": "CVE-2016-3674 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", "cve": "CVE-2016-3674", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.9", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2016-3674:xstream:1.4.5", "value": "CVE-2016-3674:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2016-3674"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2016-3674"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21345:xstream:1.4.5", "message": "CVE-2021-21345 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21345", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21345:xstream:1.4.5", "value": "CVE-2021-21345:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21345"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21345"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21342:xstream:1.4.5", "message": "CVE-2021-21342 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21342", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21342:xstream:1.4.5", "value": "CVE-2021-21342:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21342"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21342"}]}, {"category": "dependency_scanning", "name": "CVE-2018-14040:bootstrap:3.3.7", "message": "CVE-2018-14040 in bootstrap-3.3.7.jar - Detected by WhiteSource", "description": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "cve": "CVE-2018-14040", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "bootstrap-3.3.7.jar", "dependency": {"version": "3.3.7", "package": {"name": "bootstrap"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2018-14040:bootstrap:3.3.7", "value": "CVE-2018-14040:bootstrap:3.3.7", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14040"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14040"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21349:xstream:1.4.5", "message": "CVE-2021-21349 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21349", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21349:xstream:1.4.5", "value": "CVE-2021-21349:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21349"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21349"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21348:xstream:1.4.5", "message": "CVE-2021-21348 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21348", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21348:xstream:1.4.5", "value": "CVE-2021-21348:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21348"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21348"}]}, {"category": "dependency_scanning", "name": "CVE-2017-7957:xstream:1.4.5", "message": "CVE-2017-7957 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"\") call.", "cve": "CVE-2017-7957", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.10", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2017-7957:xstream:1.4.5", "value": "CVE-2017-7957:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2017-7957"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2017-7957"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21347:xstream:1.4.5", "message": "CVE-2021-21347 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21347", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21347:xstream:1.4.5", "value": "CVE-2021-21347:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21347"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21347"}]}, {"category": "dependency_scanning", "name": "CVE-2013-7285:xstream:1.4.5", "message": "CVE-2013-7285 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. 
JSON.", "cve": "CVE-2013-7285", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.7,1.4.11", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2013-7285:xstream:1.4.5", "value": "CVE-2013-7285:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2013-7285"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2013-7285"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21350:xstream:1.4.5", "message": "CVE-2021-21350 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21350", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21350:xstream:1.4.5", "value": "CVE-2021-21350:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21350"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21350"}]}, {"category": "dependency_scanning", "name": "CVE-2020-26258:xstream:1.4.5", "message": "CVE-2020-26258 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. 
Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", "cve": "CVE-2020-26258", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.15", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26258:xstream:1.4.5", "value": "CVE-2020-26258:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26258"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26258"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21343:xstream:1.4.5", "message": "CVE-2021-21343 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21343", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21343:xstream:1.4.5", "value": "CVE-2021-21343:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21343"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21343"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21346:xstream:1.4.5", "message": "CVE-2021-21346 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21346", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21346:xstream:1.4.5", "value": "CVE-2021-21346:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21346"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21346"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21341:xstream:1.4.5", "message": "CVE-2021-21341 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21341", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21341:xstream:1.4.5", "value": "CVE-2021-21341:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21341"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21341"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21344:xstream:1.4.5", "message": "CVE-2021-21344 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21344", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21344:xstream:1.4.5", "value": "CVE-2021-21344:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21344"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21344"}]}, {"category": "dependency_scanning", "name": "CVE-2018-14042:bootstrap:3.3.7", "message": "CVE-2018-14042 in bootstrap-3.3.7.jar - Detected by WhiteSource", "description": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "cve": "CVE-2018-14042", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "bootstrap-3.3.7.jar", "dependency": {"version": "3.3.7", "package": {"name": "bootstrap"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2018-14042:bootstrap:3.3.7", "value": "CVE-2018-14042:bootstrap:3.3.7", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14042"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14042"}]}, {"category": "dependency_scanning", "name": "CVE-2021-22118:spring-web:5.3.4", "message": "CVE-2021-22118 in spring-web-5.3.4.jar - Detected by WhiteSource", "description": "In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary 
storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.", "cve": "CVE-2021-22118", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.springframework:spring-web:5.2.15,5.3.7", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-web-5.3.4.jar", "dependency": {"version": "5.3.4", "package": {"name": "spring-web"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-22118:spring-web:5.3.4", "value": "CVE-2021-22118:spring-web:5.3.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22118"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22118"}]}, {"category": "dependency_scanning", "name": "CVE-2020-26217:xstream:1.4.5", "message": "CVE-2020-26217 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. 
The issue is fixed in version 1.4.14.", "cve": "CVE-2020-26217", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.14", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26217:xstream:1.4.5", "value": "CVE-2020-26217:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26217"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26217"}]}, {"category": "dependency_scanning", "name": "CVE-2021-29505:xstream:1.4.5", "message": "CVE-2021-29505 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.", "cve": "CVE-2021-29505", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.17", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-29505:xstream:1.4.5", "value": "CVE-2021-29505:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29505"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29505"}]}], "remediations": [], "dependency_files": []}
--------------------------------------------------------------------------------
/samples/gl-dependency-scanning-report.json:
--------------------------------------------------------------------------------
1 | {"version": "14.0.2", "vulnerabilities": [{"category": "dependency_scanning", "name": "CVE-2021-39145:xstream:1.4.5", "message": "CVE-2021-39145 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39145", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39145:xstream:1.4.5", "value": "CVE-2021-39145:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39145"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39145"}]}, {"category": "dependency_scanning", "name": "CVE-2020-26259:xstream:1.4.5", "message": "CVE-2020-26259 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. 
The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", "cve": "CVE-2020-26259", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.15", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26259:xstream:1.4.5", "value": "CVE-2020-26259:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26259"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26259"}]}, {"category": "dependency_scanning", "name": "WS-2016-7107:spring-security-web:5.4.5", "message": "WS-2016-7107 in spring-security-web-5.4.5.jar - Detected by WhiteSource", "description": "CSRF tokens in Spring Security are vulnerable to a breach attack. 
Spring Security always returns the same CSRF token to the browser.", "cve": "WS-2016-7107", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.springframework.security:spring-security-web - 5.6.0", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-security-web-5.4.5.jar", "dependency": {"version": "5.4.5", "package": {"name": "spring-security-web"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2016-7107:spring-security-web:5.4.5", "value": "WS-2016-7107:spring-security-web:5.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2016-7107"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2016-7107"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39152:xstream:1.4.5", "message": "CVE-2021-39152 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.", "cve": "CVE-2021-39152", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39152:xstream:1.4.5", "value": "CVE-2021-39152:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39152"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39152"}]}, {"category": "dependency_scanning", "name": "CVE-2021-22096:spring-web:5.3.4", "message": "CVE-2021-22096 in spring-web-5.3.4.jar - Detected by WhiteSource", "description": "In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.", "cve": "CVE-2021-22096", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-web-5.3.4.jar", "dependency": {"version": "5.3.4", "package": {"name": "spring-web"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-22096:spring-web:5.3.4", "value": "CVE-2021-22096:spring-web:5.3.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22096"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22096"}]}, {"category": 
"dependency_scanning", "name": "CVE-2021-39144:xstream:1.4.5", "message": "CVE-2021-39144 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39144", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39144:xstream:1.4.5", "value": "CVE-2021-39144:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39144"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39144"}]}, {"category": "dependency_scanning", "name": "CVE-2012-2098:ant:1.6.5", "message": "CVE-2012-2098 in ant-1.6.5.jar - Detected by WhiteSource", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "cve": "CVE-2012-2098", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.apache.ant:ant:1.8.4,org.apache.commons:commons-compress:1.4.1", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "ant-1.6.5.jar", "dependency": {"version": 
"1.6.5", "package": {"name": "ant"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2012-2098:ant:1.6.5", "value": "CVE-2012-2098:ant:1.6.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2012-2098"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2012-2098"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39139:xstream:1.4.5", "message": "CVE-2021-39139 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39139", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39139:xstream:1.4.5", "value": "CVE-2021-39139:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39139"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39139"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21351:xstream:1.4.5", "message": "CVE-2021-21351 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21351", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21351:xstream:1.4.5", "value": "CVE-2021-21351:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21351"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21351"}]}, {"category": "dependency_scanning", "name": "CVE-2016-3674:xstream:1.4.5", "message": "CVE-2016-3674 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", "cve": "CVE-2016-3674", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.9", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2016-3674:xstream:1.4.5", "value": "CVE-2016-3674:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2016-3674"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2016-3674"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21345:xstream:1.4.5", "message": "CVE-2021-21345 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML 
and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21345", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21345:xstream:1.4.5", "value": "CVE-2021-21345:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21345"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21345"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21342:xstream:1.4.5", "message": "CVE-2021-21342 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21342", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21342:xstream:1.4.5", "value": "CVE-2021-21342:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21342"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21342"}]}, {"category": "dependency_scanning", "name": "CVE-2018-14040:bootstrap:3.3.7", "message": "CVE-2018-14040 in bootstrap-3.3.7.jar - Detected by WhiteSource", "description": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "cve": "CVE-2018-14040", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "bootstrap-3.3.7.jar", "dependency": {"version": "3.3.7", "package": {"name": "bootstrap"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2018-14040:bootstrap:3.3.7", "value": "CVE-2018-14040:bootstrap:3.3.7", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14040"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14040"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21349:xstream:1.4.5", "message": "CVE-2021-21349 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21349", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21349:xstream:1.4.5", "value": "CVE-2021-21349:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21349"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21349"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21348:xstream:1.4.5", "message": "CVE-2021-21348 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21348", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21348:xstream:1.4.5", "value": "CVE-2021-21348:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21348"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21348"}]}, {"category": "dependency_scanning", "name": "CVE-2017-7957:xstream:1.4.5", "message": "CVE-2017-7957 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"\") call.", "cve": "CVE-2017-7957", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.10", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2017-7957:xstream:1.4.5", "value": "CVE-2017-7957:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2017-7957"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2017-7957"}]}, {"category": "dependency_scanning", "name": "CVE-2021-43859:xstream:1.4.5", "message": "CVE-2021-43859 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is an open source java library to serialize objects to XML and back again. 
Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.", "cve": "CVE-2021-43859", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.19", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-43859:xstream:1.4.5", "value": "CVE-2021-43859:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-43859"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-43859"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21347:xstream:1.4.5", "message": "CVE-2021-21347 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21347", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21347:xstream:1.4.5", "value": "CVE-2021-21347:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21347"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21347"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39150:xstream:1.4.5", "message": "CVE-2021-39150 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.", "cve": "CVE-2021-39150", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39150:xstream:1.4.5", "value": "CVE-2021-39150:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39150"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39150"}]}, {"category": "dependency_scanning", "name": "CVE-2013-7285:xstream:1.4.5", "message": "CVE-2013-7285 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. 
JSON.", "cve": "CVE-2013-7285", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version 1.4.7,1.4.11", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2013-7285:xstream:1.4.5", "value": "CVE-2013-7285:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2013-7285"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2013-7285"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21350:xstream:1.4.5", "message": "CVE-2021-21350 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21350", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21350:xstream:1.4.5", "value": "CVE-2021-21350:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21350"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21350"}]}, {"category": "dependency_scanning", "name": "CVE-2020-26258:xstream:1.4.5", "message": "CVE-2020-26258 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. 
Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", "cve": "CVE-2020-26258", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.15", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26258:xstream:1.4.5", "value": "CVE-2020-26258:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26258"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26258"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39147:xstream:1.4.5", "message": "CVE-2021-39147 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39147", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39147:xstream:1.4.5", "value": "CVE-2021-39147:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39147"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39147"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39146:xstream:1.4.5", "message": "CVE-2021-39146 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39146", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39146:xstream:1.4.5", "value": "CVE-2021-39146:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39146"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39146"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39141:xstream:1.4.5", "message": "CVE-2021-39141 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39141", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39141:xstream:1.4.5", "value": "CVE-2021-39141:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39141"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39141"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39154:xstream:1.4.5", "message": "CVE-2021-39154 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39154", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39154:xstream:1.4.5", "value": "CVE-2021-39154:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39154"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39154"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39140:xstream:1.4.5", "message": "CVE-2021-39140 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39140", "severity": "Low", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39140:xstream:1.4.5", "value": "CVE-2021-39140:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39140"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39140"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39151:xstream:1.4.5", "message": "CVE-2021-39151 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39151", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39151:xstream:1.4.5", "value": "CVE-2021-39151:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39151"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39151"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39148:xstream:1.4.5", "message": "CVE-2021-39148 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39148", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39148:xstream:1.4.5", "value": "CVE-2021-39148:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39148"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39148"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21343:xstream:1.4.5", "message": "CVE-2021-21343 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21343", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21343:xstream:1.4.5", "value": "CVE-2021-21343:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21343"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21343"}]}, {"category": "dependency_scanning", "name": "CVE-2021-28170:jakarta.el:3.0.3", "message": "CVE-2021-28170 in jakarta.el-3.0.3.jar - Detected by WhiteSource", "description": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", "cve": "CVE-2021-28170", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.glassfish:jakarta.el:3.0.4; com.sun.el:el-ri:3.0.4", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "jakarta.el-3.0.3.jar", "dependency": {"version": "3.0.3", "package": {"name": "jakarta.el"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-28170:jakarta.el:3.0.3", "value": "CVE-2021-28170:jakarta.el:3.0.3", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-28170"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-28170"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21346:xstream:1.4.5", "message": "CVE-2021-21346 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. 
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21346", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21346:xstream:1.4.5", "value": "CVE-2021-21346:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21346"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21346"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21341:xstream:1.4.5", "message": "CVE-2021-21341 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21341", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21341:xstream:1.4.5", "value": "CVE-2021-21341:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21341"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21341"}]}, {"category": "dependency_scanning", "name": "CVE-2021-21344:xstream:1.4.5", "message": "CVE-2021-21344 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", "cve": "CVE-2021-21344", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.16", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-21344:xstream:1.4.5", "value": "CVE-2021-21344:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21344"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-21344"}]}, {"category": "dependency_scanning", "name": "CVE-2018-14042:bootstrap:3.3.7", "message": "CVE-2018-14042 in bootstrap-3.3.7.jar - Detected by WhiteSource", "description": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "cve": "CVE-2018-14042", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "bootstrap-3.3.7.jar", "dependency": {"version": "3.3.7", "package": {"name": "bootstrap"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2018-14042:bootstrap:3.3.7", "value": "CVE-2018-14042:bootstrap:3.3.7", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14042"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2018-14042"}]}, {"category": "dependency_scanning", "name": "CVE-2021-22118:spring-web:5.3.4", "message": "CVE-2021-22118 in spring-web-5.3.4.jar - Detected by WhiteSource", "description": "In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary 
storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.", "cve": "CVE-2021-22118", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.springframework:spring-web:5.2.15,5.3.7", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-web-5.3.4.jar", "dependency": {"version": "5.3.4", "package": {"name": "spring-web"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-22118:spring-web:5.3.4", "value": "CVE-2021-22118:spring-web:5.3.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22118"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22118"}]}, {"category": "dependency_scanning", "name": "CVE-2021-43466:thymeleaf-spring5:3.0.12.RELEASE", "message": "CVE-2021-43466 in thymeleaf-spring5-3.0.12.RELEASE.jar - Detected by WhiteSource", "description": "In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.", "cve": "CVE-2021-43466", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.thymeleaf:thymeleaf-spring3:3.0.13.RELEASE;org.thymeleaf:thymeleaf-spring4:3.0.13.RELEASE;org.thymeleaf:thymeleaf-spring5:3.0.13.RELEASE", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "thymeleaf-spring5-3.0.12.RELEASE.jar", "dependency": {"version": "3.0.12.RELEASE", "package": {"name": "thymeleaf-spring5"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-43466:thymeleaf-spring5:3.0.12.RELEASE", "value": "CVE-2021-43466:thymeleaf-spring5:3.0.12.RELEASE", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-43466"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-43466"}]}, {"category": 
"dependency_scanning", "name": "WS-2019-0490:jcommander:1.72", "message": "WS-2019-0490 in jcommander-1.72.jar - Detected by WhiteSource", "description": "Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.", "cve": "WS-2019-0490", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.beust:jcommander:1.75", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "jcommander-1.72.jar", "dependency": {"version": "1.72", "package": {"name": "jcommander"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2019-0490:jcommander:1.72", "value": "WS-2019-0490:jcommander:1.72", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0490"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0490"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39153:xstream:1.4.5", "message": "CVE-2021-39153 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39153", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39153:xstream:1.4.5", "value": "CVE-2021-39153:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39153"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39153"}]}, {"category": "dependency_scanning", "name": "CVE-2021-39149:xstream:1.4.5", "message": "CVE-2021-39149 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. 
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", "cve": "CVE-2021-39149", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.18", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-39149:xstream:1.4.5", "value": "CVE-2021-39149:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39149"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-39149"}]}, {"category": "dependency_scanning", "name": "WS-2021-0616:jackson-databind:2.11.4", "message": "WS-2021-0616 in jackson-databind-2.11.4.jar - Detected by WhiteSource", "description": "FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.", "cve": "WS-2021-0616", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "jackson-databind-2.11.4.jar", "dependency": {"version": "2.11.4", "package": {"name": "jackson-databind"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2021-0616:jackson-databind:2.11.4", "value": "WS-2021-0616:jackson-databind:2.11.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2021-0616"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2021-0616"}]}, {"category": "dependency_scanning", "name": "CVE-2021-3690:undertow-websockets-jsr:2.2.4.Final", "message": "CVE-2021-3690 in undertow-websockets-jsr-2.2.4.Final.jar - Detected by WhiteSource", "description": "A flaw was found in Undertow before 
2.0.40 and 2.2.10. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.", "cve": "CVE-2021-3690", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version io.undertow:undertow-websockets-jsr:2.0.40.Final, 2.2.10.Final", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "undertow-websockets-jsr-2.2.4.Final.jar", "dependency": {"version": "2.2.4.Final", "package": {"name": "undertow-websockets-jsr"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-3690:undertow-websockets-jsr:2.2.4.Final", "value": "CVE-2021-3690:undertow-websockets-jsr:2.2.4.Final", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-3690"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-3690"}]}, {"category": "dependency_scanning", "name": "WS-2021-0616:jackson-core:2.11.4", "message": "WS-2021-0616 in jackson-core-2.11.4.jar - Detected by WhiteSource", "description": "FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.", "cve": "WS-2021-0616", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "jackson-core-2.11.4.jar", "dependency": {"version": "2.11.4", "package": {"name": "jackson-core"}}}, "identifiers": [{"type": "whitesource", "name": "WS-2021-0616:jackson-core:2.11.4", "value": "WS-2021-0616:jackson-core:2.11.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2021-0616"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2021-0616"}]}, {"category": "dependency_scanning", "name": 
"CVE-2021-22096:spring-webmvc:5.3.4", "message": "CVE-2021-22096 in spring-webmvc-5.3.4.jar - Detected by WhiteSource", "description": "In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.", "cve": "CVE-2021-22096", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "spring-webmvc-5.3.4.jar", "dependency": {"version": "5.3.4", "package": {"name": "spring-webmvc"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-22096:spring-webmvc:5.3.4", "value": "CVE-2021-22096:spring-webmvc:5.3.4", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22096"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-22096"}]}, {"category": "dependency_scanning", "name": "CVE-2020-26217:xstream:1.4.5", "message": "CVE-2020-26217 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. 
The issue is fixed in version 1.4.14.", "cve": "CVE-2020-26217", "severity": "High", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.14", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2020-26217:xstream:1.4.5", "value": "CVE-2020-26217:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26217"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26217"}]}, {"category": "dependency_scanning", "name": "CVE-2021-29505:xstream:1.4.5", "message": "CVE-2021-29505 in xstream-1.4.5.jar - Detected by WhiteSource", "description": "XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. 
The vulnerability is patched in version 1.4.17.", "cve": "CVE-2021-29505", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version com.thoughtworks.xstream:xstream:1.4.17", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "xstream-1.4.5.jar", "dependency": {"version": "1.4.5", "package": {"name": "xstream"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-29505:xstream:1.4.5", "value": "CVE-2021-29505:xstream:1.4.5", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29505"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29505"}]}, {"category": "dependency_scanning", "name": "CVE-2021-3597:undertow-core:2.2.4.Final", "message": "CVE-2021-3597 in undertow-core-2.2.4.Final.jar - Detected by WhiteSource", "description": " A flaw was found in undertow where HTTP2SourceChannel fails to write final frame under some circumstances may result in DoS. The highest impact of this vulnerability is availability.", "cve": "CVE-2021-3597", "severity": "Medium", "confidence": "Confirmed", "solution": "Upgrade to version io.undertow:undertow-core:2.2.8.Final", "scanner": {"id": "ws-gl-int", "name": "WhiteSource"}, "location": {"file": "undertow-core-2.2.4.Final.jar", "dependency": {"version": "2.2.4.Final", "package": {"name": "undertow-core"}}}, "identifiers": [{"type": "whitesource", "name": "CVE-2021-3597:undertow-core:2.2.4.Final", "value": "CVE-2021-3597:undertow-core:2.2.4.Final", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-3597"}], "links": [{"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-3597"}]}], "remediations": [], "dependency_files": []}
--------------------------------------------------------------------------------
/samples/gl-license-scanning-report.json:
--------------------------------------------------------------------------------
1 | {"version": "2.1", "licenses": [{"id": "Apache-2.0", "name": "Apache License 2.0", "url": "http://www.opensource.org/licenses/Apache-2.0"}, {"id": "BSD-2-Clause", "name": "BSD 2-Clause \"Simplified\" License", "url": "http://www.opensource.org/licenses/BSD-2-Clause"}, {"id": "BSD-3-Clause", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "url": "http://www.opensource.org/licenses/BSD-3-Clause"}, {"id": "CC-PDDC", "name": "Creative Commons Public Domain Dedication and Certification", "url": "http://creativecommons.org/licenses/publicdomain/"}, {"id": "CC0-1.0", "name": "Creative Commons Zero v1.0 Universal", "url": "http://creativecommons.org/publicdomain/zero/1.0/legalcode"}, {"id": "CDDL-1.0", "name": "Common Development and Distribution License 1.0", "url": "http://www.opensource.org/licenses/CDDL-1.0"}, {"id": "CDDL-1.1", "name": "Common Development and Distribution License 1.1", "url": "http://glassfish.java.net/public/CDDL+GPL_1_1.html"}, {"id": "EPL-1.0", "name": "Eclipse Public License 1.0", "url": "http://www.opensource.org/licenses/EPL-1.0"}, {"id": "EPL-2.0", "name": "Eclipse Public License 2.0", "url": "http://www.eclipse.org/legal/epl-v20.html"}, {"id": "GPL-2.0", "name": "GNU General Public License v2.0 only", "url": "http://www.opensource.org/licenses/GPL-2.0"}, {"id": "GPL-2.0-with-classpath-exception", "name": "GNU General Public License v2.0 w/Classpath exception", "url": "http://www.gnu.org/software/classpath/license.html"}, {"id": "LGPL-2.1", "name": "GNU Lesser General Public License v2.1 only", "url": "http://www.gnu.org/licenses/lgpl-2.1.html"}, {"id": "MIT", "name": "MIT License", "url": "http://www.opensource.org/licenses/MIT"}, {"id": "MPL-1.1", "name": "Mozilla Public License 1.1", "url": "http://www.opensource.org/licenses/MPL-1.1"}], "dependencies": [{"name": "XML Pull Parsing API", "version": "1.1.3.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\xmlpull\\xmlpull\\1.1.3.1\\xmlpull-1.1.3.1.jar", 
"licenses": ["CC-PDDC"]}, {"name": "ant-launcher", "version": "1.6.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\ant\\ant-launcher\\1.6.5\\ant-launcher-1.6.5.jar", "licenses": ["Apache-2.0"]}, {"name": "AntLR Parser Generator", "version": "2.7.7", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\antlr\\antlr\\2.7.7\\antlr-2.7.7.jar", "licenses": ["BSD-3-Clause"]}, {"name": "ant", "version": "1.6.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\ant\\ant\\1.6.5\\ant-1.6.5.jar", "licenses": ["Apache-2.0"]}, {"name": "Code Generation Library", "version": "2.2", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\cglib\\cglib-nodep\\2.2\\cglib-nodep-2.2.jar", "licenses": ["Apache-2.0"]}, {"name": "xml-commons-resolver", "version": "1.2", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\xml-resolver\\xml-resolver\\1.2\\xml-resolver-1.2.jar", "licenses": ["Apache-2.0"]}, {"name": "JavaBeans(TM) Activation Framework", "version": "1.1.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\javax\\activation\\activation\\1.1.1\\activation-1.1.1.jar", "licenses": ["CDDL-1.0"]}, {"name": "XStream Core", "version": "1.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\thoughtworks\\xstream\\xstream\\1.4.5\\xstream-1.4.5.jar", "licenses": ["BSD-3-Clause"]}, {"name": "nailgun-server", "version": "0.9.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\martiansoftware\\nailgun-server\\0.9.1\\nailgun-server-0.9.1.jar", "licenses": ["Apache-2.0"]}, {"name": "JZlib", "version": "1.1.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\jcraft\\jzlib\\1.1.3\\jzlib-1.1.3.jar", "licenses": ["BSD-3-Clause"]}, {"name": "Apache Commons Exec", "version": "1.3", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\org\\apache\\commons\\commons-exec\\1.3\\commons-exec-1.3.jar", "licenses": ["Apache-2.0"]}, {"name": "Bootstrap", "version": "3.3.7", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\webjars\\bootstrap\\3.3.7\\bootstrap-3.3.7.jar", "licenses": ["Apache-2.0"]}, {"name": "LatencyUtils", "version": "2.0.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\latencyutils\\LatencyUtils\\2.0.3\\LatencyUtils-2.0.3.jar", "licenses": ["CC0-1.0"]}, {"name": "Dirgra", "version": "0.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\dirgra\\0.3\\dirgra-0.3.jar", "licenses": ["EPL-1.0"]}, {"name": "options", "version": "1.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\headius\\options\\1.4\\options-1.4.jar", "licenses": ["Apache-2.0"]}, {"name": "jcommander", "version": "1.72", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\beust\\jcommander\\1.72\\jcommander-1.72.jar", "licenses": ["Apache-2.0"]}, {"name": "JavaBeans Activation Framework API jar", "version": "1.2.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\javax\\activation\\javax.activation-api\\1.2.0\\javax.activation-api-1.2.0.jar", "licenses": ["GPL-2.0-with-classpath-exception"]}, {"name": "javax.annotation API", "version": "1.3.2", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\javax\\annotation\\javax.annotation-api\\1.3.2\\javax.annotation-api-1.3.2.jar", "licenses": ["CDDL-1.1"]}, {"name": "attoparser", "version": "2.0.5.RELEASE", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\attoparser\\attoparser\\2.0.5.RELEASE\\attoparser-2.0.5.RELEASE.jar", "licenses": ["Apache-2.0"]}, {"name": "unbescape", "version": "1.1.6.RELEASE", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\org\\unbescape\\unbescape\\1.1.6.RELEASE\\unbescape-1.1.6.RELEASE.jar", "licenses": ["Apache-2.0"]}, {"name": "JSON Web Token support for the JVM", "version": "0.9.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\io\\jsonwebtoken\\jjwt\\0.9.1\\jjwt-0.9.1.jar", "licenses": ["Apache-2.0"]}, {"name": "jaxb-api", "version": "2.3.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\javax\\xml\\bind\\jaxb-api\\2.3.1\\jaxb-api-2.3.1.jar", "licenses": ["CDDL-1.1", "GPL-2.0-with-classpath-exception"]}, {"name": "thymeleaf-extras-springsecurity5", "version": "3.0.4.RELEASE", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\thymeleaf\\extras\\thymeleaf-extras-springsecurity5\\3.0.4.RELEASE\\thymeleaf-extras-springsecurity5-3.0.4.RELEASE.jar", "licenses": ["Apache-2.0"]}, {"name": "WildFly Client Configuration", "version": "1.0.1.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\wildfly\\client\\wildfly-client-config\\1.0.1.Final\\wildfly-client-config-1.0.1.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "invokebinder", "version": "1.11", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\headius\\invokebinder\\1.11\\invokebinder-1.11.jar", "licenses": ["Apache-2.0"]}, {"name": "thymeleaf-extras-java8time", "version": "3.0.4.RELEASE", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\thymeleaf\\extras\\thymeleaf-extras-java8time\\3.0.4.RELEASE\\thymeleaf-extras-java8time-3.0.4.RELEASE.jar", "licenses": ["Apache-2.0"]}, {"name": "JBoss Logging 3", "version": "3.4.1.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\logging\\jboss-logging\\3.4.1.Final\\jboss-logging-3.4.1.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "javax.transaction API", "version": "1.3.3", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\jakarta\\transaction\\jakarta.transaction-api\\1.3.3\\jakarta.transaction-api-1.3.3.jar", "licenses": ["EPL-2.0", "GPL-2.0-with-classpath-exception"]}, {"name": "Jakarta Persistence API", "version": "2.2.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\jakarta\\persistence\\jakarta.persistence-api\\2.2.3\\jakarta.persistence-api-2.2.3.jar", "licenses": ["BSD-3-Clause", "EPL-2.0"]}, {"name": "Jakarta Bean Validation API", "version": "2.0.2", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\jakarta\\validation\\jakarta.validation-api\\2.0.2\\jakarta.validation-api-2.0.2.jar", "licenses": ["Apache-2.0"]}, {"name": "Jakarta Expression Language 3.0", "version": "3.0.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\glassfish\\jakarta.el\\3.0.3\\jakarta.el-3.0.3.jar", "licenses": ["EPL-2.0", "GPL-2.0-with-classpath-exception"]}, {"name": "wildfly-common", "version": "1.5.2.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\wildfly\\common\\wildfly-common\\1.5.2.Final\\wildfly-common-1.5.2.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "Jakarta WebSocket - Server API", "version": "2.0.0.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\spec\\javax\\websocket\\jboss-websocket-api_1.1_spec\\2.0.0.Final\\jboss-websocket-api_1.1_spec-2.0.0.Final.jar", "licenses": ["EPL-2.0", "GPL-2.0-with-classpath-exception"]}, {"name": "JBoss Jakarta Annotations API", "version": "2.0.1.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\spec\\javax\\annotation\\jboss-annotations-api_1.3_spec\\2.0.1.Final\\jboss-annotations-api_1.3_spec-2.0.1.Final.jar", "licenses": ["EPL-2.0", "GPL-2.0-with-classpath-exception"]}, {"name": "Joda-Time", "version": "2.10.5", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\joda-time\\joda-time\\2.10.5\\joda-time-2.10.5.jar", "licenses": ["Apache-2.0"]}, {"name": "ClassMate", "version": "1.5.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\classmate\\1.5.1\\classmate-1.5.1.jar", "licenses": ["Apache-2.0"]}, {"name": "HdrHistogram", "version": "2.1.12", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\hdrhistogram\\HdrHistogram\\2.1.12\\HdrHistogram-2.1.12.jar", "licenses": ["BSD-2-Clause", "CC0-1.0"]}, {"name": "Jakarta Activation", "version": "1.2.2", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\sun\\activation\\jakarta.activation\\1.2.2\\jakarta.activation-1.2.2.jar", "licenses": ["BSD-3-Clause"]}, {"name": "Joni", "version": "2.1.31", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\joni\\joni\\2.1.31\\joni-2.1.31.jar", "licenses": ["MIT"]}, {"name": "JCodings", "version": "1.0.46", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\jcodings\\jcodings\\1.0.46\\jcodings-1.0.46.jar", "licenses": ["MIT"]}, {"name": "Javassist", "version": "3.27.0-GA", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\javassist\\javassist\\3.27.0-GA\\javassist-3.27.0-GA.jar", "licenses": ["Apache-2.0", "LGPL-2.1", "MPL-1.1"]}, {"name": "JBoss Threads", "version": "3.1.0.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\threads\\jboss-threads\\3.1.0.Final\\jboss-threads-3.1.0.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "dom4j", "version": "2.1.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\dom4j\\dom4j\\2.1.3\\dom4j-2.1.3.jar", "licenses": []}, {"name": "XNIO NIO Implementation", "version": "3.8.0.Final", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\xnio\\xnio-nio\\3.8.0.Final\\xnio-nio-3.8.0.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "XNIO API", "version": "3.8.0.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\xnio\\xnio-api\\3.8.0.Final\\xnio-api-3.8.0.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "istack common utility code runtime", "version": "3.0.11", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\sun\\istack\\istack-commons-runtime\\3.0.11\\istack-commons-runtime-3.0.11.jar", "licenses": ["BSD-3-Clause"]}, {"name": "JAXB Runtime", "version": "2.3.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\glassfish\\jaxb\\jaxb-runtime\\2.3.3\\jaxb-runtime-2.3.3.jar", "licenses": ["BSD-3-Clause"]}, {"name": "TXW2 Runtime", "version": "2.3.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\glassfish\\jaxb\\txw2\\2.3.3\\txw2-2.3.3.jar", "licenses": ["BSD-3-Clause"]}, {"name": "MXP1: Xml Pull Parser 3rd Edition (XPP3)", "version": "1.1.4c", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\xpp3\\xpp3_min\\1.1.4c\\xpp3_min-1.1.4c.jar", "licenses": ["CC-PDDC"]}, {"name": "Commons Lang", "version": "2.6", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\commons-lang\\commons-lang\\2.6\\commons-lang-2.6.jar", "licenses": ["Apache-2.0"]}, {"name": "HikariCP", "version": "3.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\zaxxer\\HikariCP\\3.4.5\\HikariCP-3.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "jquery", "version": "3.5.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\webjars\\jquery\\3.5.1\\jquery-3.5.1.jar", "licenses": ["MIT"]}, {"name": "Jakarta Servlet", "version": "4.0.4", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\jakarta\\servlet\\jakarta.servlet-api\\4.0.4\\jakarta.servlet-api-4.0.4.jar", "licenses": ["EPL-2.0", "GPL-2.0-with-classpath-exception"]}, {"name": "HyperSQL Database", "version": "2.5.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\hsqldb\\hsqldb\\2.5.1\\hsqldb-2.5.1.jar", "licenses": ["BSD-3-Clause"]}, {"name": "Checker Qual", "version": "3.5.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\checkerframework\\checker-qual\\3.5.0\\checker-qual-3.5.0.jar", "licenses": ["MIT"]}, {"name": "AspectJ weaver", "version": "1.9.6", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\aspectj\\aspectjweaver\\1.9.6\\aspectjweaver-1.9.6.jar", "licenses": ["EPL-1.0"]}, {"name": "PostgreSQL JDBC Driver", "version": "42.2.18", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\postgresql\\postgresql\\42.2.18\\postgresql-42.2.18.jar", "licenses": ["BSD-2-Clause"]}, {"name": "backport9", "version": "1.8", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\headius\\backport9\\1.8\\backport9-1.8.jar", "licenses": ["Apache-2.0"]}, {"name": "Hibernate Commons Annotations", "version": "5.1.2.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\hibernate\\common\\hibernate-commons-annotations\\5.1.2.Final\\hibernate-commons-annotations-5.1.2.Final.jar", "licenses": ["LGPL-2.1"]}, {"name": "flyway-core", "version": "7.1.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\flywaydb\\flyway-core\\7.1.1\\flyway-core-7.1.1.jar", "licenses": ["Apache-2.0"]}, {"name": "jackson-databind", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\core\\jackson-databind\\2.11.4\\jackson-databind-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Jackson datatype: 
JSR310", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\datatype\\jackson-datatype-jsr310\\2.11.4\\jackson-datatype-jsr310-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Jackson-annotations", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\core\\jackson-annotations\\2.11.4\\jackson-annotations-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Jackson-core", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\core\\jackson-core\\2.11.4\\jackson-core-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Hibernate Validator Engine", "version": "6.1.7.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\hibernate\\validator\\hibernate-validator\\6.1.7.Final\\hibernate-validator-6.1.7.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "Jackson datatype: jdk8", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\datatype\\jackson-datatype-jdk8\\2.11.4\\jackson-datatype-jdk8-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Jackson-module-parameter-names", "version": "2.11.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\fasterxml\\jackson\\module\\jackson-module-parameter-names\\2.11.4\\jackson-module-parameter-names-2.11.4.jar", "licenses": ["Apache-2.0"]}, {"name": "thymeleaf-spring5", "version": "3.0.12.RELEASE", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\thymeleaf\\thymeleaf-spring5\\3.0.12.RELEASE\\thymeleaf-spring5-3.0.12.RELEASE.jar", "licenses": ["Apache-2.0"]}, {"name": "thymeleaf", "version": "3.0.12.RELEASE", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\thymeleaf\\thymeleaf\\3.0.12.RELEASE\\thymeleaf-3.0.12.RELEASE.jar", 
"licenses": ["Apache-2.0"]}, {"name": "jnr-enxio", "version": "0.32.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jnr-enxio\\0.32.3\\jnr-enxio-0.32.3.jar", "licenses": ["Apache-2.0"]}, {"name": "jnr-netdb", "version": "1.2.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jnr-netdb\\1.2.0\\jnr-netdb-1.2.0.jar", "licenses": ["Apache-2.0"]}, {"name": "JRuby Lib Setup", "version": "9.2.14.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\jruby-stdlib\\9.2.14.0\\jruby-stdlib-9.2.14.0.jar", "licenses": ["EPL-2.0", "GPL-2.0", "LGPL-2.1"]}, {"name": "JRuby Main Maven Artifact", "version": "9.2.14.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\jruby\\9.2.14.0\\jruby-9.2.14.0.jar", "licenses": ["EPL-2.0", "GPL-2.0", "LGPL-2.1"]}, {"name": "jnr-unixsocket", "version": "0.38.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jnr-unixsocket\\0.38.5\\jnr-unixsocket-0.38.5.jar", "licenses": ["Apache-2.0"]}, {"name": "jffi", "version": "1.3.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jffi\\1.3.1\\jffi-1.3.1-native.jar", "licenses": ["Apache-2.0"]}, {"name": "jnr-constants", "version": "0.10.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jnr-constants\\0.10.1\\jnr-constants-0.10.1.jar", "licenses": ["Apache-2.0"]}, {"name": "jnr-posix", "version": "3.1.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jnr-posix\\3.1.4\\jnr-posix-3.1.4.jar", "licenses": ["EPL-2.0", "GPL-2.0", "LGPL-2.1"]}, {"name": "JRuby Core", "version": "9.2.14.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jruby\\jruby-core\\9.2.14.0\\jruby-core-9.2.14.0.jar", "licenses": ["EPL-2.0", "GPL-2.0", 
"LGPL-2.1"]}, {"name": "jffi", "version": "1.3.1", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\github\\jnr\\jffi\\1.3.1\\jffi-1.3.1.jar", "licenses": ["Apache-2.0"]}, {"name": "Java Annotation Indexer", "version": "2.2.3.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\jboss\\jandex\\2.2.3.Final\\jandex-2.2.3.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "Undertow Core", "version": "2.2.4.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\io\\undertow\\undertow-core\\2.2.4.Final\\undertow-core-2.2.4.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "Undertow Servlet", "version": "2.2.4.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\io\\undertow\\undertow-servlet\\2.2.4.Final\\undertow-servlet-2.2.4.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "jose4j", "version": "0.7.6", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\bitbucket\\b_c\\jose4j\\0.7.6\\jose4j-0.7.6.jar", "licenses": ["Apache-2.0"]}, {"name": "Hibernate ORM - hibernate-core", "version": "5.4.28.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\hibernate\\hibernate-core\\5.4.28.Final\\hibernate-core-5.4.28.Final.jar", "licenses": ["LGPL-2.1"]}, {"name": "Spring Object/Relational Mapping", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-orm\\5.3.4\\spring-orm-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Undertow WebSockets JSR356 implementations", "version": "2.2.4.Final", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\io\\undertow\\undertow-websockets-jsr\\2.2.4.Final\\undertow-websockets-jsr-2.2.4.Final.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring AOP", "version": "5.3.4", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-aop\\5.3.4\\spring-aop-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Web", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-web\\5.3.4\\spring-web-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Beans", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-beans\\5.3.4\\spring-beans-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Expression Language (SpEL)", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-expression\\5.3.4\\spring-expression-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Web MVC", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-webmvc\\5.3.4\\spring-webmvc-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Context", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-context\\5.3.4\\spring-context-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Aspects", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-aspects\\5.3.4\\spring-aspects-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Transaction", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-tx\\5.3.4\\spring-tx-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring JDBC", "version": "5.3.4", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\spring-jdbc\\5.3.4\\spring-jdbc-5.3.4.jar", "licenses": ["Apache-2.0"]}, {"name": "micrometer-core", "version": "1.6.4", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\io\\micrometer\\micrometer-core\\1.6.4\\micrometer-core-1.6.4.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-security-config", "version": "5.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\security\\spring-security-config\\5.4.5\\spring-security-config-5.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-security-core", "version": "5.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\security\\spring-security-core\\5.4.5\\spring-security-core-5.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-security", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-security\\2.4.3\\spring-boot-starter-security-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-thymeleaf", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-thymeleaf\\2.4.3\\spring-boot-starter-thymeleaf-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-jdbc", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-jdbc\\2.4.3\\spring-boot-starter-jdbc-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-actuator-autoconfigure", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-actuator-autoconfigure\\2.4.3\\spring-boot-actuator-autoconfigure-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-actuator", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-actuator\\2.4.3\\spring-boot-starter-actuator-2.4.3.jar", "licenses": 
["Apache-2.0"]}, {"name": "spring-boot-starter-web", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-web\\2.4.3\\spring-boot-starter-web-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-validation", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-validation\\2.4.3\\spring-boot-starter-validation-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-data-jpa", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-data-jpa\\2.4.3\\spring-boot-starter-data-jpa-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-undertow", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-undertow\\2.4.3\\spring-boot-starter-undertow-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-actuator", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-actuator\\2.4.3\\spring-boot-actuator-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-aop", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-aop\\2.4.3\\spring-boot-starter-aop-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-boot-starter-json", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\boot\\spring-boot-starter-json\\2.4.3\\spring-boot-starter-json-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Data JPA", "version": "2.4.5", "package_manager": "Maven", "path": 
"C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\data\\spring-data-jpa\\2.4.5\\spring-data-jpa-2.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "Spring Data Core", "version": "2.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\data\\spring-data-commons\\2.4.5\\spring-data-commons-2.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "spring-security-web", "version": "5.4.5", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\springframework\\security\\spring-security-web\\5.4.5\\spring-security-web-5.4.5.jar", "licenses": ["Apache-2.0"]}, {"name": "asciidoctorj", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\asciidoctor\\asciidoctorj\\2.4.3\\asciidoctorj-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "zxcvbn4j", "version": "1.4.0", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\com\\nulab-inc\\zxcvbn\\1.4.0\\zxcvbn-1.4.0.jar", "licenses": ["MIT"]}, {"name": "asciidoctorj-api", "version": "2.4.3", "package_manager": "Maven", "path": "C:\\Users\\EladSalti\\.m2\\repository\\org\\asciidoctor\\asciidoctorj-api\\2.4.3\\asciidoctorj-api-2.4.3.jar", "licenses": ["Apache-2.0"]}, {"name": "webgoat-container", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "webgoat-server", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "challenge", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "webgoat-lesson-template", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "idor", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "bypass-restrictions", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "insecure-deserialization", 
"version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "missing-function-ac", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "http-basics", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "vulnerable-components", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "ssrf", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "xxe", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "webgoat-introduction", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "cross-site-scripting", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "crypto", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "cia", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "insecure-login", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "auth-bypass", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "password-reset", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "webwolf", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "html-tampering", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "webwolf-introduction", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "sql-injection", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "secure-passwords", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": 
null, "licenses": []}, {"name": "csrf", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "path-traversal", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "client-side-filtering", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "jwt", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "chrome-dev-tools", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}, {"name": "http-proxies", "version": "8.2.0-SNAPSHOT", "package_manager": "Maven", "path": null, "licenses": []}]}
--------------------------------------------------------------------------------
/ws_gitlab_integration/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whitesource-ps/ws-gitlab-integration/1c650cb67516cf67fe879bd7e606dbdff3a38eda/ws_gitlab_integration/__init__.py
--------------------------------------------------------------------------------
/ws_gitlab_integration/_version.py:
--------------------------------------------------------------------------------
# Package metadata for the WS GitLab integration tool.
# NOTE(review): __version__ looks like a placeholder that a release step rewrites — confirm before editing by hand.
__version__ = "0.0.0.dev0"
# Short tool identifier and human-readable description (who consumes them is not visible here).
__tool_name__ = "ws_gitlab_int"
__description__ = "WS gitLab Integration"
4 |
--------------------------------------------------------------------------------
/ws_gitlab_integration/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whitesource-ps/ws-gitlab-integration/1c650cb67516cf67fe879bd7e606dbdff3a38eda/ws_gitlab_integration/tests/__init__.py
--------------------------------------------------------------------------------
/ws_gitlab_integration/tests/test_ws2gl_format_convertor.py:
--------------------------------------------------------------------------------
1 | import os
2 | import unittest
3 | from unittest import TestCase, mock
4 | from unittest.mock import MagicMock
5 | from ws_gitlab_integration import ws2gl_format_convertor
6 |
# Patch DEBUG into the environment for the whole test run so the converter
# module picks debug-level logging when it is imported. The patch is started
# once here and intentionally never stopped.
debug = mock.patch.dict(os.environ, values={"DEBUG": 'True'})
debug.start()
9 |
10 |
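@unittest.skipUnless(os.environ.get('WS_USER_KEY') and os.environ.get('WS_SCOPE_PROJ'),
                     "WS_USER_KEY and WS_SCOPE_PROJ must be set to run the integration tests")
class WsGitLabIntegrationTest(TestCase):
    """Integration tests that run ws2gl_format_convertor.main() against a live WS project.

    Credentials come from the WS_USER_KEY (user key) and WS_SCOPE_PROJ (project
    token) environment variables. When either is missing the whole class is
    skipped instead of failing test discovery with a KeyError at import time.
    parse_args() is replaced by a MagicMock so main() reads its options from
    the mock rather than from sys.argv.
    """
    user_key = os.environ.get('WS_USER_KEY')
    ws_token = os.environ.get('WS_SCOPE_PROJ')
    ws2gl_format_convertor.parse_args = MagicMock()
    ws2gl_format_convertor.parse_args.return_value.ws_user_key = user_key
    ws2gl_format_convertor.parse_args.return_value.ws_token = ws_token
    ws2gl_format_convertor.parse_args.return_value.ws_url = 'saas'
    ws2gl_format_convertor.parse_args.return_value.output_dir = '.'

    def setUp(self) -> None:
        # Never truncate the diff of a failed assertion; the reports are large.
        self.maxDiff = None

    def _convert(self, conv_type):
        """Run main() for *conv_type* and return whatever it returns."""
        ws2gl_format_convertor.parse_args.return_value.conv_type = conv_type
        return ws2gl_format_convertor.main()

    def test_dependency(self):
        ret = self._convert(ws2gl_format_convertor.DEPENDENCY)
        self.assertIsInstance(ret[0], dict)

    def test_dependency_alerts(self):
        ret = self._convert(ws2gl_format_convertor.DEPENDENCY_ALERTS_BASED)
        self.assertIsInstance(ret[0], dict)

    def test_license(self):
        ret = self._convert(ws2gl_format_convertor.LICENSE)
        self.assertIsInstance(ret[0], dict)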
40 |
41 |
# Entry point for running this module directly (e.g. `python test_ws2gl_format_convertor.py`).
if __name__ == '__main__':
    unittest.main()
44 |
--------------------------------------------------------------------------------
/ws_gitlab_integration/ws2gl_format_convertor.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | import json
3 | import logging
4 | import os
5 | import sys
6 | from typing import Tuple
7 |
8 | from ws_sdk import WS, ws_constants, ws_utilities
9 |
# Identifier reported in the GitLab "scanner" block of every finding.
SCANNER_ID = "ws-gl-int"
# GitLab report schema versions emitted by convert_license / convert_dependency.
LICENSE_SCHEMA_V = "2.1"
DEPENDENCY_SCHEMA_V = "14.0.2"
# Accepted values of the -t/--conversionType option.
DEPENDENCY = "dependency"
DEPENDENCY_ALERTS_BASED = "dependency_alert_based"
LICENSE = "license"
VUL_DB_URL = "https://www.whitesourcesoftware.com/vulnerability-database"
# Any non-empty DEBUG value (even "0" or "false") switches debug logging on.
IS_DEBUG = bool(os.environ.get("DEBUG"))
CONCAT_SCOPE_NAME = False
LOG_LEVEL = logging.DEBUG if IS_DEBUG else logging.INFO

# Module-import side effect: configure root logging to stdout.
logging.basicConfig(level=LOG_LEVEL, stream=sys.stdout)
# Parsed command line; set by main() and read by the convert_* functions.
args = None
23 |
24 |
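def parse_args():
    """Parse the command line into an argparse Namespace.

    Destination names (what the rest of the module reads):
      -u/--userKey        -> ws_user_key  WS user key (secret)
      -k/--token          -> ws_token     WS project token (secret)
      -a/--wsUrl          -> ws_url       WS URL, default "saas"
      -t/--conversionType -> conv_type    one of LICENSE, DEPENDENCY, DEPENDENCY_ALERTS_BASED
      -o/--outputDir      -> output_dir   default "."

    The two secrets may also be supplied through the WS_USER_KEY and
    WS_SCOPE_PROJ environment variables (the same names the test suite uses),
    which keeps them out of the process list and shell history; an explicit
    flag still takes precedence, and the flag stays required when the
    variable is unset, so existing invocations are unaffected.

    Returns:
        argparse.Namespace with the attributes listed above.
    """
    import argparse
    env_user_key = os.environ.get('WS_USER_KEY')
    env_token = os.environ.get('WS_SCOPE_PROJ')

    parser = argparse.ArgumentParser(description='WS to GitLab convertor')
    parser.add_argument('-u', '--userKey', help="WS User Key", dest='ws_user_key',
                        default=env_user_key, required=env_user_key is None)
    parser.add_argument('-k', '--token', help="WS Project Token", dest='ws_token',
                        default=env_token, required=env_token is None)
    parser.add_argument('-a', '--wsUrl', help="WS URL", dest='ws_url', default="saas")
    parser.add_argument('-t', '--conversionType', help="Conversion Type",
                        choices=[LICENSE, DEPENDENCY, DEPENDENCY_ALERTS_BASED], dest='conv_type', required=True)
    parser.add_argument('-o', '--outputDir', help="Output Dir", dest='output_dir', default=".")

    return parser.parse_args()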
35 |
36 |
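def validate_json(json_to_validate: dict) -> bool:
    """Validate a generated report against GitLab's published JSON schema.

    The schema matching ``args.conv_type`` is downloaded over HTTPS from
    gitlab.com, so this requires network access.

    Args:
        json_to_validate: report produced by convert_license / convert_dependency.

    Returns:
        True when the report validates, False when jsonschema reports a
        SchemaError or ValidationError (the failure is logged with traceback).

    Raises:
        ValueError: if args.conv_type is not a known conversion type.
        requests.RequestException: if the schema cannot be fetched.
    """
    from jsonschema import validate, exceptions as json_exceptions
    import requests

    # NOTE: both URLs track a branch head, not a tagged schema release, so the
    # outcome of validation can change without any change to this code.
    if args.conv_type == LICENSE:
        url = 'https://gitlab.com/gitlab-org/security-products/analyzers/license-finder/-/raw/main/spec/fixtures/schema/v2.1.json'
    elif args.conv_type.startswith(DEPENDENCY):
        url = 'https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dependency-scanning-report-format.json'
    else:
        # Previously `url` was simply unbound here and the call below raised NameError.
        raise ValueError(f"Unknown conversion type: {args.conv_type}")

    # A bounded timeout stops a stalled gitlab.com from hanging the CI job;
    # raise_for_status turns an HTML error page into a clear exception instead
    # of a confusing JSON decode error.
    resp = requests.get(url=url, timeout=30)
    resp.raise_for_status()
    json_schema = resp.json()

    try:
        validate(instance=json_to_validate, schema=json_schema)
    except (json_exceptions.SchemaError, json_exceptions.ValidationError):
        # The original `except A or B:` evaluated to `except SchemaError:` only,
        # so a ValidationError escaped instead of returning False.
        logging.exception("Validating failed JSON with schema")
        return False
    return True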
56 |
57 |
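def convert_license(conn) -> dict:
    """Build a GitLab license-scanning report (schema LICENSE_SCHEMA_V) for one WS project.

    Args:
        conn: ws_sdk.WS connection; get_licenses and get_library_location are
              called with the project token taken from the module-level ``args``.

    Returns:
        dict with 'version', 'licenses' (unique SPDX entries sorted by id) and
        'dependencies' (one entry per library with its sorted SPDX ids).
    """
    def get_lib_locations(library_location, library):
        """Return the first recorded path of *library*, or None when it has no location.

        Tolerates a missing location record and a missing/empty 'locations'
        list instead of raising TypeError on len(None).
        """
        locations = (library_location or {}).get('locations') or []
        if not locations:
            logging.warning(f"No locations found for lib {library['name']} ")
            return None
        if len(locations) > 1:
            logging.warning(f"Found {len(locations)} locations for lib {library['name']}. Using the first one")
        return locations[0].get('path')

    def get_package_manager(language) -> str:
        """Map a WS library type to the first known package manager, or 'unknown'."""
        pkg_man = ws_utilities.get_package_managers_by_language(language)
        return pkg_man[0] if pkg_man else "unknown"

    licenses = {}
    dependencies = []
    libs = conn.get_licenses(token=args.ws_token, full_spdx=True)
    libs_loc = ws_utilities.convert_dict_list_to_dict(conn.get_library_location(token=args.ws_token), 'keyUuid')

    for lib in libs:
        # A library without a location record must not abort the whole report;
        # get_lib_locations logs it and yields a null path.
        lib_loc = libs_loc.get(lib['keyUuid'], {})
        curr_licenses = []
        for lic in lib['licenses']:
            spdx = lic.get('spdx_license_dict')
            if spdx:
                gl_lic = {'id': spdx['licenseId'],
                          'name': spdx['name'],
                          'url': lic['url']}
                licenses[gl_lic['id']] = gl_lic
                curr_licenses.append(spdx['licenseId'])
            else:
                # Licenses without SPDX data are dropped from the report, not mapped.
                logging.warning(f"SPDX data is missing on library {lib['name']} - license: {lic['name']}")

        dependencies.append({'name': lib['name'],
                             'version': lib.get('version'),  # TODO: ADD METHOD in ws_utilities to break LIB-1.2.3.SFX to GAV
                             'package_manager': get_package_manager(lib['type']).capitalize(),
                             'path': get_lib_locations(lib_loc, lib),
                             'licenses': sorted(curr_licenses)})

    return {'version': LICENSE_SCHEMA_V,
            'licenses': sorted(licenses.values(), key=lambda k: k['id']),
            'dependencies': dependencies}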
103 |
104 |
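def convert_dependency(conn) -> dict:
    """Build a GitLab dependency-scanning report (schema DEPENDENCY_SCHEMA_V) for one WS project.

    Vulnerabilities come either from the project's vulnerability list
    (conv_type DEPENDENCY) or from its security alerts
    (conv_type DEPENDENCY_ALERTS_BASED); each is joined to the project
    inventory by the library's keyUuid.

    Args:
        conn: ws_sdk.WS connection scoped to the project token in ``args``.

    Returns:
        dict with 'version', 'vulnerabilities', and always-empty
        'remediations' and 'dependency_files' lists.

    Raises:
        ValueError: if args.conv_type is not one of the two dependency types.
        KeyError: if a vulnerability references a library that is not in the
            inventory. This is deliberate: silently dropping a finding would
            make the report look cleaner than the project actually is.
    """
    def convert_to_gl_vul(vulnerability, inventory) -> dict:
        """Translate one WS vulnerability on one inventory entry into a GitLab finding."""
        def get_solution() -> str:
            """Prefer the explicit fix text, then the top fix's resolution, else a placeholder."""
            top_fix = vulnerability.get('topFix')
            if not top_fix:
                logging.info(f"No fix found for {vulnerability['name']}")
                return "Fix unknown"
            ret_fix = vulnerability.get('fixResolutionText', top_fix['fixResolution'])
            logging.debug(f"Found fix to vulnerability: {vulnerability['name']} Fix: {ret_fix}")
            return ret_fix

        name = f"{vulnerability['name']}:{inventory['artifactId']}:{inventory['version']}"
        url = f"{VUL_DB_URL}/{vulnerability['name']}"
        return {"category": "dependency_scanning",
                "name": name,
                "message": f"{vulnerability['name']} in {inventory['name']} - Detected by WhiteSource",
                "description": vulnerability['description'],
                "cve": vulnerability['name'],
                "severity": vulnerability['severity'].capitalize(),
                "confidence": "Confirmed",
                "solution": get_solution(),
                "scanner": {"id": SCANNER_ID, "name": "WhiteSource"},
                "location": {"file": inventory['name'],
                             "dependency": {"version": inventory['version'],
                                            "package": {"name": inventory['artifactId']}}},
                "identifiers": [{"type": "whitesource",
                                 "name": name,
                                 "value": name,
                                 "url": url}],
                "links": [{"url": url}]}

    if args.conv_type == DEPENDENCY:
        vulnerabilities = conn.get_vulnerability(token=args.ws_token)
    elif args.conv_type == DEPENDENCY_ALERTS_BASED:
        # NOTE(review): unlike the other calls this one passes no token and so
        # relies on the token bound to conn when it was created — confirm.
        security_alerts = conn.get_alerts(alert_type=ws_constants.AlertTypes.SECURITY_VULNERABILITY)
        vulnerabilities = []
        for sec_alert in security_alerts:
            # Alerts carry the library next to the vulnerability; re-attach it so
            # both input shapes are handled by the same loop below.
            vul = sec_alert['vulnerability']
            vul['library'] = sec_alert['library']
            vulnerabilities.append(vul)
    else:
        # Previously an unknown type produced an empty (apparently clean) report.
        raise ValueError(f"Unsupported conversion type for a dependency report: {args.conv_type}")

    inventory_dict = ws_utilities.convert_dict_list_to_dict(conn.get_inventory(token=args.ws_token), 'keyUuid')

    gl_vuls = []
    for vul in vulnerabilities:
        lib_uuid = vul['library']['keyUuid']
        inventory = inventory_dict.get(lib_uuid)
        if inventory is None:
            raise KeyError(f"Library {lib_uuid} of vulnerability {vul.get('name')} is not in the project inventory")
        gl_vuls.append(convert_to_gl_vul(vul, inventory))

    return {'version': DEPENDENCY_SCHEMA_V,
            'vulnerabilities': gl_vuls,
            'remediations': [],
            'dependency_files': []}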
163 |
164 |
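def _safe_filename_part(name: str) -> str:
    """Neutralise characters in *name* that must not appear in a file name component.

    Besides the characters already replaced before (``:``, ``#``, ``*``, ``\\``)
    this also replaces ``/``, so a value that did not originate locally cannot
    steer ``os.path.join`` outside the output directory.
    """
    return name.translate(str.maketrans({c: '_' for c in ':#*\\/'}))


def main() -> Tuple[dict, str]:
    """Entry point: parse CLI args, pull data from WhiteSource and write the GitLab report.

    Assigns the module-level ``args`` that ``convert_license`` and
    ``convert_dependency`` read. The report is written as JSON to
    ``args.output_dir`` under a fixed GitLab artifact name, optionally
    prefixed with the sanitised scope name when ``CONCAT_SCOPE_NAME`` is set.

    Returns:
        ``(report, filename)`` - the report dict that was written and the file
        name relative to ``args.output_dir``.

    Raises:
        ValueError: if ``args.conv_type`` is neither ``LICENSE`` nor a
            ``DEPENDENCY``-prefixed type (previously an ``UnboundLocalError``).
    """
    global args
    args = parse_args()
    ws_conn = WS(url=args.ws_url, user_key=args.ws_user_key, token=args.ws_token, token_type=ws_constants.PROJECT)

    logging.info(f"Generating {args.conv_type} report")
    if args.conv_type == LICENSE:
        ret = convert_license(ws_conn)
        filename = "gl-license-scanning-report.json"
    elif args.conv_type.startswith(DEPENDENCY):
        ret = convert_dependency(ws_conn)
        filename = "gl-dependency-scanning-report.json"
    else:
        raise ValueError(f"Unsupported conversion type: {args.conv_type}")

    if IS_DEBUG:
        validate_json(ret)

    if CONCAT_SCOPE_NAME:
        # The scope name is returned by the WhiteSource server, not typed by
        # the operator, so it is sanitised before it becomes part of a path.
        scope_name = _safe_filename_part(ws_conn.get_scope_name_by_token(token=args.ws_token))
        # Prefix the report name with the scope so per-scope reports do not
        # overwrite each other in a shared output directory.
        filename = f"{scope_name}-{filename}"

    full_path = os.path.join(args.output_dir, filename)
    logging.debug(f"Saving file to: {full_path}")
    with open(full_path, 'w', encoding='utf-8') as fp:
        json.dump(ret, fp)

    return ret, filename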
194 |
195 |
# Script entry guard: run the converter only when executed directly.
if __name__ == "__main__":
    main()
198 |
--------------------------------------------------------------------------------