sonatype-nexus-community / ahab Goto Github PK
View Code? Open in Web Editor NEWahab is a tool to check for vulnerabilities in your apt, apk, or yum powered operating systems, powered by Sonatype OSS Index.
License: Apache License 2.0
ahab's People
Contributors
Stargazers
Watchers
Forkers
hokiegeek zendern avineshwar sealmindset deadlysyn rjd3 willoughbyrm jtmelton mdogg5555 syllogy adamjwsuch isabella232 bigspotteddog tekk kukamara kostto-ray askylyzahab's Issues
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190603091049-60506f45cf65
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190603091049-60506f45cf65 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190603091049-60506f45cf65 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.13.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[BUG] Piping in alpine packages and getting debian results
Steps to reproduce
Pull latest alpine distribution of the ghost image:
docker pull ghost:alpine
Make sure that the image distro is alpine:
$ docker run -it ghost:alpine cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.6
PRETTY_NAME="Alpine Linux v3.11"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Run the alpine package list command from the help docs:
$ docker run -it ghost:alpine apk info -vv | sort
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library
Piping the above output does not work because of those two warning lines but the error message isn't the most helpful here:
$ docker run -it ghost:alpine apk info -vv | sort | ./ahab chase
Uh oh, an error occurred, if this persists try rerunning with -v, -vv, or -vvv to get more information in the logs
Error: An error occurred: [400 Bad Request] error accessing OSS Index
Check log file at /home/artie/.ossindex/ahab.combined.log for more information
artie@ArtieSonaDell:~/git_repos/ahab$ cat /home/artie/.ossindex/ahab.combined.log
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"400 Bad Request","time":"2020-09-07T20:02:30-04:00"}
{"level":"error","msg":"An error occurred: [400 Bad Request] error accessing OSS Index","time":"2020-09-07T20:02:30-04:00"}
So I pipe it to a file and remove the two warnings at the top, then pipe that to ahab:
$ cat ghost.txt
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library
$ cat ghost.txt | ./ahab chase --loud
______ __ __
/\ _ \ /\ \ /\ \
\ \ \L\ \ \ \ \___ __ \ \ \____
\ \ __ \ \ \ _ `\ /'__`\ \ \ '__`\
\ \ \/\ \ \ \ \ \ \ /\ \L\.\_ \ \ \L\ \
\ \_\ \_\ \ \_\ \_\\ \__/.\_\ \ \_,__/
\/_/\/_/ \/_/\/_/ \/__/\/_/ \/___/
_ _ _ _
/_) /_` _ _ _ _/_ _ _ (/ /_` _ . _ _ _/ _
/_) /_/ ._/ /_// //_|/ /_/ /_//_' (_X / / / /_'/ //_/ _\
_/ _/ /
Ahab version: development
Non Vulnerable Packages
[1/21] pkg:deb/debian/alpine-baselayout-3.2.0-r3@-
[2/21] pkg:deb/debian/alpine-keys-2.1-r2@-
[3/21] pkg:deb/debian/apk-tools-2.10.5-r0@-
[4/21] pkg:deb/debian/bash-5.0.11-r1@-
[5/21] pkg:deb/debian/busybox-1.31.1-r9@-
[6/21] pkg:deb/debian/ca-certificates-cacert-20191127-r1@-
[7/21] pkg:deb/debian/libc-utils-0.7.2-r0@-
[8/21] pkg:deb/debian/libcrypto1.1-1.1.1g-r0@-
[9/21] pkg:deb/debian/libgcc-9.2.0-r4@-
[10/21] pkg:deb/debian/libssl1.1-1.1.1g-r0@-
[11/21] pkg:deb/debian/libtls-standalone-2.9.1-r0@-
[12/21] pkg:deb/debian/musl-1.1.24-r2@-
[13/21] pkg:deb/debian/musl-utils-1.1.24-r2@-
[14/21] pkg:deb/debian/ncurses-libs-6.1_p20200118-r4@-
[15/21] pkg:deb/debian/ncurses-terminfo-base-6.1_p20200118-r4@-
[16/21] pkg:deb/debian/readline-8.0.1-r0@-
[17/21] pkg:deb/debian/scanelf-1.2.4-r0@-
[18/21] pkg:deb/debian/ssl_client-1.31.1-r9@-
[19/21] pkg:deb/debian/su-exec-0.2-r1@-
[20/21] pkg:deb/debian/zlib-1.2.11-r3@-
[21/21] pkg:deb/debian/libstdc%20%20-9.2.0-r4@-
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies ┃ 21 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
And the alpine packages are reported as debian packages, and formatted all funky.
Here's what the IQ report looks like for the same input:
cc @bhamail / @DarthHater / @ken-duck / @zendern
confusing error message when wrong password in IQ mode
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
it has been hard to me to run ahab because of strange error:
Error: An error occurred: Unable to communicate with Nexus IQ Server, err: Unable to communicate with Nexus IQ Server, status code returned is: 500
I finally discovered that it was just the password CLI argument that was wrong -
What feature or behavior is this required for?
UX when bad password...
- How could we solve this issue? (Not knowing is okay!)
have an explicit message "bad credentials" or something like that
- Anything else?
cc @bhamail / @DarthHater / @ken-duck
Detect OS automatically
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
Use Ahab without explicitly passing in an OS argument -
What feature or behavior is this required for?
To allow me to be lazy -
How could we solve this issue? (Not knowing is okay!)
Detect ifapt/yumbinaries exist? -
Anything else?
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20181114220301-adae6a3d119a
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181114220301-adae6a3d119a results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20181114220301-adae6a3d119a is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ golang.org/x:net:0.0.0-20181114220301-adae6a3d119a
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Total count of vulnerabilities incorrect when excluded vulnerabilities.
During a live demo ;) we learned the total count of vulnerabilities does not appear to decrease when vulnerabilities are excluded via CLI.
cc @bhamail / @DarthHater / @ken-duck
Auto Detect v2
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
So we added auto detect of your os/package manager in #24 but it currently has a dependency onwhichbeing installed. This is fine for now but with plans to maybe support windows images in #32 thats not going to work. It would also be nice to not have people installwhichin there image if they dont really need to. -
What feature or behavior is this required for?
Less dependencies in the auto detect process. -
How could we solve this issue? (Not knowing is okay!)
Maybe regex?? Maybe it looks something more like this https://unix.stackexchange.com/a/46086
cc @bhamail / @DarthHater / @ken-duck
Update install instructions
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
Remove this TBD section here with something useful.
https://github.com/sonatype-nexus-community/ahab#installation
-
What feature or behavior is this required for?
Better usage so you dont have to have golang in you docker image -
How could we solve this issue? (Not knowing is okay!)
We use goreleaser now so maybe just add some instructions on how to download a version and use it and have an example. -
Anything else?
Nah dawg
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.7) Vulnerability due to usage of github.com/coreos:etcd:3.3.13
Vulnerabilities
DepShield reports that this application's usage of github.com/coreos:etcd:3.3.13 results in the following vulnerability(s):
- (CVSS 7.7) [CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
- (CVSS 6.5) [CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...
- (CVSS 5.8) [CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...
Occurrences
github.com/coreos:etcd:3.3.13 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/coreos:etcd:3.3.13
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Scan a pre-existing docker image
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
So as part of the #2 issue this conversation came up on why not allow me to do something like so
ahab chase --i <docker image:tag>
ahab iq --i <docker image:tag>
And it would just do the magic for me.
Lets explore that and figure out how we might do it.
-
What feature or behavior is this required for?
Using ahab scan of existing docker image instead of being embedded in the build process. -
How could we solve this issue? (Not knowing is okay!)
So golang has a docker sdk/client that could be used to do this magic. I fiddled with it some here
https://github.com/zendern/testing-docker-sdk/blob/master/main.go
But that program does the following :
- Pulls the image
- Executes the package manager command to list all installed
- Logs the output (this would be where we pass this into ahab
- Removes the container b/c if not docker gets mad if you try to run it again
- Anything else?
cc @bhamail / @DarthHater / @ken-duck / @ButterB0wl
Native linux installers
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
In nancy the ability to producedeb, rpm, apk, etcwas added. See here sonatype-nexus-community/nancy#175
We should do the same for ahab. And also get it into its corresponding repos like in sonatype-nexus-community/nancy#177
If those get completed first they can probably be a blueprint on how to do them here or vice versa.
-
What feature or behavior is this required for?
Making it even easier to install and use ahab -
How could we solve this issue? (Not knowing is okay!)
goreleaser does lots of magic so maybe that and there is probably some work to do to be able to publish something to said yum/apk/apt repos.
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ github.com/hashicorp:mdns:1.0.0
└─ golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519
└─ github.com/hashicorp:memberlist:0.1.3
└─ golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Add windows docker support when using Chocolatey
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
Make ahab support windows docker containers. We are building it today for windows but honestly if you were to use it well its not going to be useful since all the package managers we are using today are linux based.
OSSIndex supports Chocolatey so feels like a good fit to add in.
-
What feature or behavior is this required for?
Windows docker images that are building by managing packages with Chocolatey -
Anything else?
https://chocolatey.org/docs/commandslist
^^^ How to get a list of installed packages looks to be this command. We would of course have to take that output parse it and then send that over to ossi and iq.
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20181201002055-351d144fa1fc
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181201002055-351d144fa1fc results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20181201002055-351d144fa1fc is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ golang.org/x:net:0.0.0-20181201002055-351d144fa1fc
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 5.9) Vulnerability due to usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 is a transitive dependency introduced by the following direct dependency(s):
• golang.org/x:net:0.0.0-20190827160401-ba9fcec4b297
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Scan binaries located on the path
Trying to capture some of @DarthHater 's ideas for future Ahab enhancements.
It is great that Ahab scans OS packages (.rpm, .deb, .apk, etc), but there are also many cases where someone will curl or wget some binary file down and install it directly into the /usr/bin folder (or somewhere on the PATH).
To detect these, Ahab could:
- enumerate all the directories on the OS PATH.
- in each directory, look for binaries and try to determine if the binary has a hashcode of a file known to be from an .rpm/.deb. Could also try to detect vulns for binaries that do not appear to be from a .rpm/.deb.
cc @bhamail / @DarthHater / @ken-duck / @ButterB0wl
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20200226121028-0de0cce0169b results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20200226121028-0de0cce0169b is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:tsdb:0.7.1
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/prometheus:common:0.4.0
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/gogo:protobuf:1.2.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
• github.com/spf13:viper:1.7.1
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:tsdb:0.7.1
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/prometheus:common:0.4.0
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/gogo:protobuf:1.2.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Centos 7 fails due to plugins output
- What are you trying to do?
Running yum list installed | ./ahab chase -vv --os fedora or yum list installed | ./ahab chase -vv --os centos should run perfectly fine, this is being called in a docker build file but fails. The reason it fails is due to the fact on centos it has a plugin's line which makes Ahab fail.
Example output
Loaded plugins: fastestmirror, ovl
Installed Packages
acl.x86_64 2.2.51-15.el7 @CentOS
audit-libs.x86_64 2.8.5-4.el7 @CentOS
basesystem.noarch 10.0-7.el7.centos @CentOS
bash.x86_64 4.2.46-34.el7 @CentOS
bind-license.noarch 32:9.11.4-16.P2.el7_8.6 @updates
binutils.x86_64 2.27-43.base.el7_8.1 @updates
bzip2-libs.x86_64 1.0.6-13.el7 @CentOS
ca-certificates.noarch 2020.2.41-70.0.el7_8 @updates
centos-release.x86_64 7-8.2003.0.el7.centos @CentOS
chkconfig.x86_64 1.7.4-1.el7 @CentOS
coreutils.x86_64 8.22-24.el7 @CentOS
cpio.x86_64 2.11-27.el7 @CentOS
cracklib.x86_64 2.9.0-11.el7 @CentOS
cracklib-dicts.x86_64 2.9.0-11.el7 @CentOS
cryptsetup-libs.x86_64 2.0.3-6.el7 @CentOS
curl.x86_64 7.29.0-57.el7 @CentOS
cyrus-sasl-lib.x86_64 2.1.26-23.el7 @CentOS
dbus.x86_64 1:1.10.24-13.el7_6 @CentOS
dbus-glib.x86_64 0.100-7.el7 @CentOS
dbus-libs.x86_64 1:1.10.24-13.el7_6 @CentOS
dbus-python.x86_64 1.1.1-9.el7 @CentOS
device-mapper.x86_64 7:1.02.164-7.el7_8.2 @updates
device-mapper-libs.x86_64 7:1.02.164-7.el7_8.2 @updates
diffutils.x86_64 3.3-5.el7 @CentOS
dracut.x86_64 033-568.el7 @CentOS
elfutils-default-yama-scope.noarch 0.176-4.el7 @CentOS
elfutils-libelf.x86_64 0.176-4.el7 @CentOS
elfutils-libs.x86_64 0.176-4.el7 @CentOS
expat.x86_64 2.1.0-11.el7 @CentOS
file-libs.x86_64 5.11-36.el7 @CentOS
filesystem.x86_64 3.2-25.el7 @CentOS
findutils.x86_64 1:4.5.11-6.el7 @CentOS
fipscheck.x86_64 1.4.1-6.el7 @base
fipscheck-lib.x86_64 1.4.1-6.el7 @base
gawk.x86_64 4.0.2-4.el7_3.1 @CentOS
gdbm.x86_64 1.10-8.el7 @CentOS
geoipupdate.x86_64 2.5.0-1.el7 @CentOS
git.x86_64 1.8.3.1-23.el7_8 @updates
glib2.x86_64 2.56.1-5.el7 @CentOS
glibc.x86_64 2.17-307.el7.1 @CentOS
glibc-common.x86_64 2.17-307.el7.1 @CentOS
gmp.x86_64 1:6.0.0-15.el7 @CentOS
gnupg2.x86_64 2.0.22-5.el7_5 @CentOS
gobject-introspection.x86_64 1.56.1-1.el7 @CentOS
gpgme.x86_64 1.3.2-5.el7 @CentOS
grep.x86_64 2.20-3.el7 @CentOS
groff-base.x86_64 1.22.2-8.el7 @base
gzip.x86_64 1.5-10.el7 @CentOS
hardlink.x86_64 1:1.0-19.el7 @CentOS
hostname.x86_64 3.13-3.el7_7.1 @CentOS
info.x86_64 5.1-5.el7 @CentOS
iputils.x86_64 20160308-10.el7 @CentOS
json-c.x86_64 0.11-4.el7_0 @CentOS
keyutils-libs.x86_64 1.5.8-3.el7 @CentOS
kmod.x86_64 20-28.el7 @CentOS
kmod-libs.x86_64 20-28.el7 @CentOS
kpartx.x86_64 0.4.9-131.el7 @CentOS
krb5-libs.x86_64 1.15.1-46.el7 @CentOS
less.x86_64 458-9.el7 @base
libacl.x86_64 2.2.51-15.el7 @CentOS
libassuan.x86_64 2.1.0-3.el7 @CentOS
libattr.x86_64 2.4.46-13.el7 @CentOS
libblkid.x86_64 2.23.2-63.el7 @CentOS
libcap.x86_64 2.22-11.el7 @CentOS
libcap-ng.x86_64 0.7.5-4.el7 @CentOS
libcom_err.x86_64 1.42.9-17.el7 @CentOS
libcurl.x86_64 7.29.0-57.el7 @CentOS
libdb.x86_64 5.3.21-25.el7 @CentOS
libdb-utils.x86_64 5.3.21-25.el7 @CentOS
libedit.x86_64 3.0-12.20121213cvs.el7 @base
libffi.x86_64 3.0.13-19.el7 @CentOS
libgcc.x86_64 4.8.5-39.el7 @CentOS
libgcrypt.x86_64 1.5.3-14.el7 @CentOS
libgpg-error.x86_64 1.12-3.el7 @CentOS
libidn.x86_64 1.28-4.el7 @CentOS
libmount.x86_64 2.23.2-63.el7 @CentOS
libpwquality.x86_64 1.2.3-5.el7 @CentOS
libselinux.x86_64 2.5-15.el7 @CentOS
libsemanage.x86_64 2.5-14.el7 @CentOS
libsepol.x86_64 2.5-10.el7 @CentOS
libsmartcols.x86_64 2.23.2-63.el7 @CentOS
libssh2.x86_64 1.8.0-3.el7 @CentOS
libstdc++.x86_64 4.8.5-39.el7 @CentOS
libtasn1.x86_64 4.10-1.el7 @CentOS
libuser.x86_64 0.60-9.el7 @CentOS
libutempter.x86_64 1.1.6-4.el7 @CentOS
libuuid.x86_64 2.23.2-63.el7 @CentOS
libverto.x86_64 0.2.5-4.el7 @CentOS
libxml2.x86_64 2.9.1-6.el7.4 @CentOS
libxml2-python.x86_64 2.9.1-6.el7.4 @CentOS
lua.x86_64 5.1.4-15.el7 @CentOS
lz4.x86_64 1.7.5-3.el7 @CentOS
ncurses.x86_64 5.9-14.20130511.el7_4 @CentOS
ncurses-base.noarch 5.9-14.20130511.el7_4 @CentOS
ncurses-libs.x86_64 5.9-14.20130511.el7_4 @CentOS
nspr.x86_64 4.21.0-1.el7 @CentOS
nss.x86_64 3.44.0-7.el7_7 @CentOS
nss-pem.x86_64 1.0.3-7.el7 @CentOS
nss-softokn.x86_64 3.44.0-8.el7_7 @CentOS
nss-softokn-freebl.x86_64 3.44.0-8.el7_7 @CentOS
nss-sysinit.x86_64 3.44.0-7.el7_7 @CentOS
nss-tools.x86_64 3.44.0-7.el7_7 @CentOS
nss-util.x86_64 3.44.0-4.el7_7 @CentOS
openldap.x86_64 2.4.44-21.el7_6 @CentOS
openssh.x86_64 7.4p1-21.el7 @base
openssh-clients.x86_64 7.4p1-21.el7 @base
openssl-libs.x86_64 1:1.0.2k-19.el7 @CentOS
p11-kit.x86_64 0.23.5-3.el7 @CentOS
p11-kit-trust.x86_64 0.23.5-3.el7 @CentOS
pam.x86_64 1.1.8-23.el7 @CentOS
passwd.x86_64 0.79-6.el7 @CentOS
pcre.x86_64 8.32-17.el7 @CentOS
perl.x86_64 4:5.16.3-295.el7 @base
perl-Carp.noarch 1.26-244.el7 @base
perl-Encode.x86_64 2.51-7.el7 @base
perl-Error.noarch 1:0.17020-2.el7 @base
perl-Exporter.noarch 5.68-3.el7 @base
perl-File-Path.noarch 2.09-2.el7 @base
perl-File-Temp.noarch 0.23.01-3.el7 @base
perl-Filter.x86_64 1.49-3.el7 @base
perl-Getopt-Long.noarch 2.40-3.el7 @base
perl-Git.noarch 1.8.3.1-23.el7_8 @updates
perl-HTTP-Tiny.noarch 0.033-3.el7 @base
perl-PathTools.x86_64 3.40-5.el7 @base
perl-Pod-Escapes.noarch 1:1.04-295.el7 @base
perl-Pod-Perldoc.noarch 3.20-4.el7 @base
perl-Pod-Simple.noarch 1:3.28-4.el7 @base
perl-Pod-Usage.noarch 1.63-3.el7 @base
perl-Scalar-List-Utils.x86_64 1.27-248.el7 @base
perl-Socket.x86_64 2.010-5.el7 @base
perl-Storable.x86_64 2.45-3.el7 @base
perl-TermReadKey.x86_64 2.30-20.el7 @base
perl-Text-ParseWords.noarch 3.29-4.el7 @base
perl-Time-HiRes.x86_64 4:1.9725-3.el7 @base
perl-Time-Local.noarch 1.2300-2.el7 @base
perl-constant.noarch 1.27-2.el7 @base
perl-libs.x86_64 4:5.16.3-295.el7 @base
perl-macros.x86_64 4:5.16.3-295.el7 @base
perl-parent.noarch 1:0.225-244.el7 @base
perl-podlators.noarch 2.5.1-3.el7 @base
perl-threads.x86_64 1.87-4.el7 @base
perl-threads-shared.x86_64 1.43-6.el7 @base
pinentry.x86_64 0.8.1-17.el7 @CentOS
pkgconfig.x86_64 1:0.27.1-4.el7 @CentOS
popt.x86_64 1.13-16.el7 @CentOS
procps-ng.x86_64 3.3.10-27.el7 @CentOS
pth.x86_64 2.0.7-23.el7 @CentOS
pygpgme.x86_64 0.3-9.el7 @CentOS
pyliblzma.x86_64 0.5.3-11.el7 @CentOS
python.x86_64 2.7.5-88.el7 @CentOS
python-chardet.noarch 2.2.1-3.el7 @CentOS
python-gobject-base.x86_64 3.22.0-1.el7_4.1 @CentOS
python-iniparse.noarch 0.4-9.el7 @CentOS
python-kitchen.noarch 1.1.1-5.el7 @CentOS
python-libs.x86_64 2.7.5-88.el7 @CentOS
python-pycurl.x86_64 7.19.0-19.el7 @CentOS
python-urlgrabber.noarch 3.10-10.el7 @CentOS
pyxattr.x86_64 0.5.1-5.el7 @CentOS
qrencode-libs.x86_64 3.4.1-3.el7 @CentOS
readline.x86_64 6.2-11.el7 @CentOS
rootfiles.noarch 8.1-11.el7 @CentOS
rpm.x86_64 4.11.3-43.el7 @CentOS
rpm-build-libs.x86_64 4.11.3-43.el7 @CentOS
rpm-libs.x86_64 4.11.3-43.el7 @CentOS
rpm-python.x86_64 4.11.3-43.el7 @CentOS
rsync.x86_64 3.1.2-10.el7 @base
sed.x86_64 4.2.2-6.el7 @CentOS
setup.noarch 2.8.71-11.el7 @CentOS
shadow-utils.x86_64 2:4.6-5.el7 @CentOS
shared-mime-info.x86_64 1.8-5.el7 @CentOS
sqlite.x86_64 3.7.17-8.el7_7.1 @CentOS
systemd.x86_64 219-73.el7_8.6 @updates
systemd-libs.x86_64 219-73.el7_8.6 @updates
tar.x86_64 2:1.26-35.el7 @CentOS
tzdata.noarch 2020a-1.el7 @Updates
unzip.x86_64 6.0-21.el7 @base
ustr.x86_64 1.0.4-16.el7 @CentOS
util-linux.x86_64 2.23.2-63.el7 @CentOS
vim-minimal.x86_64 2:7.4.629-6.el7 @CentOS
wget.x86_64 1.14-18.el7_6.1 @base
xz.x86_64 5.2.2-1.el7 @CentOS
xz-libs.x86_64 5.2.2-1.el7 @CentOS
yum.noarch 3.4.3-167.el7.centos @CentOS
yum-metadata-parser.x86_64 1.1.4-10.el7 @CentOS
yum-plugin-fastestmirror.noarch 1.1.31-54.el7_8 @updates
yum-plugin-ovl.noarch 1.1.31-54.el7_8 @updates
yum-utils.noarch 1.1.31-54.el7_8 @updates
zlib.x86_64 1.2.7-18.el7 @CentOS
- What feature or behaviour is this required for?
Use Ahab to parse yum install packages on Centos 7
- How could we solve this issue? (Not knowing is okay!)
Update the code to ignore lines above Installed Packages or update the read me for Centos to include a second pipe that only pipes in the lines after plugins. Like so yum list installed | sed '0,/^Installed Packages$/d' | ./ahab chase -vv --os centos
I think updating the code would be nice but there is a quick fix at-least ;-)
- Anything else?
Keep up the good work, nice little tool.
cc @bhamail / @DarthHater / @ken-duck
CircleCi?
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
Consistency...pretty sure most other projects undersonatype-nexus-communityare no using CircleCi to do their builds. Probably time to move this one over ya???
-
What feature or behavior is this required for?
Nothing really just consistency -
How could we solve this issue? (Not knowing is okay!)
Use CircleCi :) -
Anything else?
I mean you CCCOOOUUULLLDDD use CircleCi :)
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 5.9) Vulnerability due to usage of golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ github.com/hashicorp:mdns:1.0.0
└─ golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3
└─ github.com/hashicorp:memberlist:0.1.3
└─ golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Remove mac binaries from goreleaser
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
So ahab scan docker containers at build time, yah?? well macosx running in docker isn't really a thing so producing binaries for mac (aka darwin) i a little confusing at best. -
What feature or behavior is this required for?
Just clean things up a little -
How could we solve this issue? (Not knowing is okay!)
Should be able to fiddle the goreleaser configs so that these are no longer output. Windows (even though not yet supported but after #32 it will be) and linux binaries must remain. -
Anything else?
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of github.com/hashicorp/consul:api:1.1.0
Vulnerabilities
DepShield reports that this application's usage of github.com/hashicorp/consul:api:1.1.0 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2020-7219] HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unb...
- (CVSS 5.9) [CVE-2018-19653] Cryptographic Issues
Occurrences
github.com/hashicorp/consul:api:1.1.0 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Make Ahab list installed packages
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
Instead of passing in a list of packages, have Ahab figure them out for me -
What feature or behavior is this required for?
To allow me to be lazy -
How could we solve this issue? (Not knowing is okay!)
Have Ahab call the appropriateapt/yumcommands itself -
Anything else?
nah
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20200625001655-4c5254603344
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20200625001655-4c5254603344 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20200625001655-4c5254603344 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.26.0
└─ golang.org/x:net:0.0.0-20200625001655-4c5254603344
• github.com/spf13:viper:1.7.1
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.26.0
└─ golang.org/x:net:0.0.0-20200625001655-4c5254603344
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Add a description to the repo
- What are you trying to do?
Make it so that the project is a little more discoverable. Right now you have to navigate into the project to know what it is exactly.
^^^ View from sonatype-nexus-community listing
^^^ View from search
- How could we solve this issue? (Not knowing is okay!)
Add a description :)
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of github.com/gorilla:websocket:1.4.0
Vulnerabilities
DepShield reports that this application's usage of github.com/gorilla:websocket:1.4.0 results in the following vulnerability(s):
- (CVSS 7.5) CWE-190: Integer Overflow or Wraparound
Occurrences
github.com/gorilla:websocket:1.4.0 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/gorilla:websocket:1.4.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190620200207-3b0461eec859
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190620200207-3b0461eec859 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190620200207-3b0461eec859 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20190829153037-c13cbed26979
└─ golang.org/x:tools:0.0.0-20190816200558-6889da9d5479
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20190911174233-4f2ddba30aff
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20190829153037-c13cbed26979
└─ golang.org/x:tools:0.0.0-20190816200558-6889da9d5479
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20190911174233-4f2ddba30aff
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20191030013958-a1ab85dbe136
└─ golang.org/x:tools:0.0.0-20191012152004-8de300cfc20a
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20191112195655-aa38f8e97acc
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Read same nested yaml config as nancy
See: https://github.com/sonatype-nexus-community/nancy/blob/prepare-1.0.0/internal/configuration/set.go#L60 for an example of wrapping a config struct that gets "marshalled" to yaml.
Also, move path/file names for config files into go-sona-types library.
cc @bhamail / @DarthHater / @ken-duck
Dogfood Nancy
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
I mean we should really be using nancy on this project since well its golang project :) -
What feature or behavior is this required for?
DOOOOGGGGFOOOODDINNNGGG IT :) -
How could we solve this issue? (Not knowing is okay!)
Add nancy to the build process of the project
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.7) Vulnerability due to usage of github.com/coreos:etcd:3.3.10
Vulnerabilities
DepShield reports that this application's usage of github.com/coreos:etcd:3.3.10 results in the following vulnerability(s):
- (CVSS 7.7) [CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
- (CVSS 6.5) [CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...
- (CVSS 5.8) [CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...
Occurrences
github.com/coreos:etcd:3.3.10 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/coreos:etcd:3.3.10
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Add ability to exclude vulnerabilities by command line or via file
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
Similar to what we did in nancy, add the ability to exclude vulnerabilities from failing a build!
sonatype-nexus-community/nancy#30
sonatype-nexus-community/nancy#28
sonatype-nexus-community/nancy#35
sonatype-nexus-community/nancy#29
- What feature or behavior is this required for?
This will allow someone to review what vulnerabilities they are affected by, and then exclude the ones they don't find a risk to their project.
- How could we solve this issue? (Not knowing is okay!)
I would imagine the best way is to take the functionality we wrote in Nancy, and make it so that Ahab can just leverage it, that way if other projects want to implement this in the future, they can easily do so!
- Anything else?
FUN!
cc @bhamail / @DarthHater / @ken-duck
Fix installed package parsing on fedora-based distros
- What are you trying to do?
While working on #45 it was discovered that both dnf and yum can output lines which do not always meet the format expected by parse/yum.go. Full details in the PR, but tl;dr parsing is index based and can panic when name/version info gets split across lines (observed on both fedora:latest and centos:latest).
- What feature or behavior is this required for?
Reliably reading package lists on fedora-based distros.
- How could we solve this issue? (Not knowing is okay!)
I initially started to make parsing more defensive. Depending how paranoid you get, this can be pretty ugly.
It dawned on me this may be a case of GIGO. We could reduce defensive boilerplate + simplify the OS detection bits if we used rpm vs dnf/yum to read package lists on fedora distros. This would be similar to using dpkg vs apt on Debian distros. Then we could be more certain of the data received (probably still sanity check a bit more and add more tests as part of this):
# rpm -qa --queryformat "%{NAME}.%{ARCH} %{VERSION}\n" | grep elf
elfutils-libelf.x86_64 0.178
elfutils-libs.x86_64 0.178
elfutils-default-yama-scope.noarch 0.178
- Anything else?
Not really, the prior PR comments have lots of detail including how to repro (surfaced while trying to add more test coverage):
cc @bhamail / @DarthHater / @ken-duck / @zendern
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ github.com/sirupsen:logrus:1.2.0
└─ golang.org/x:crypto:0.0.0-20180904163835-0709b304e793
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:net:0.0.0-20190522155817-f3200d17e092
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ google.golang.org:grpc:1.21.0
└─ golang.org/x:lint:0.0.0-20190313153728-d0100b6bd8b3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190522155817-f3200d17e092
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190522155817-f3200d17e092 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190522155817-f3200d17e092 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ golang.org/x:net:0.0.0-20190522155817-f3200d17e092
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190311183353-d8887717615a
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190311183353-d8887717615a results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190311183353-d8887717615a is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ google.golang.org:grpc:1.21.0
└─ golang.org/x:lint:0.0.0-20190313153728-d0100b6bd8b3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Cleanup references to os
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
So today we do--osto be able to pass in the operating system you want to target. Realistically the OS is not important but the package manager is more important.
This is much less important now that auto detection is a thing but I would like to possibly do the following things.
- deprecate the
-osoption - add a new
-pm--package-manageroption that allows for you to pass inyum,dkpg,apt,dnf, etc etc. - update all code paths that refer to os to no longer do that
- What feature or behavior is this required for?
Nothing really ... the OS flag has always bothered me a little :)
See these comments here
Line 40 in 4279556
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20180826012351-8a410e7b638d
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20180826012351-8a410e7b638d results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20180826012351-8a410e7b638d is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/grpc-ecosystem:grpc-gateway:1.9.0
└─ google.golang.org:grpc:1.19.0
└─ golang.org/x:net:0.0.0-20180826012351-8a410e7b638d
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Exception when there is no minor version
I was running ahab against a list of packages, and it threw an exception whenever there was a package without a minor version. For example:
ca-certificates/now 20170717~16.04.2 all [installed,local]
libkmod2/now 22-1ubuntu5.2 amd64 [installed,local]
libsystemd0/now 229-4ubuntu21.22 amd64 [installed,local]
libudev1/now 229-4ubuntu21.22 amd64 [installed,local]
systemd/now 229-4ubuntu21.22 amd64 [installed,local]
systemd-sysv/now 229-4ubuntu21.22 amd64 [installed,local]
tzdata/now 2019b-0ubuntu0.16.04 all [installed,local]
usbutils/now 1:007-4 amd64 [installed,local]
cc @bhamail / @DarthHater / @ken-duck
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20181220203305-927f97764cc3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181220203305-927f97764cc3 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20181220203305-927f97764cc3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/grpc-ecosystem:grpc-gateway:1.9.0
└─ golang.org/x:net:0.0.0-20181220203305-927f97764cc3
└─ gopkg.in:resty.v1:1.12.0
└─ golang.org/x:net:0.0.0-20181220203305-927f97764cc3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Purl format updates
When building purls to be sent over we currently use different formats for debian, alpine, fedora, etc.
From the docs here
https://ossindex.sonatype.org/doc/coordinates
It appears we should be passing like we do in the debian case but for the others.
The goal of this issue is
- Make sure that is how we should do it?? Maybe do a little code spelunking to determine if we did it for a reason or not.
- Make all the things more consistent.
To help move this forward, I've decoupled the purl format updates. Maybe we can tackle that as a separate PR. Since we're not passing os anymore, apt.go has to hard code Debian while both Alpine and Fedora don't include OS at all. It feels like we should be consistent one way or the other, but that doesn't need decided here.
To avoid strewing os references all over, I just updated the switch to support either --os or --package-manager strings. Seems to work locally, and also updated tests to cover both until the deprecated bits can be fully removed.
Originally posted by @deadlysyn in #42 (comment)
[DepShield] (CVSS 5.9) Vulnerability due to usage of golang.org/x:crypto:0.0.0-20180904163835-0709b304e793
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20180904163835-0709b304e793 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20180904163835-0709b304e793 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ github.com/sirupsen:logrus:1.2.0
└─ golang.org/x:crypto:0.0.0-20180904163835-0709b304e793
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
publish MacOS binaries
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
-
What are you trying to do?
I'm trying to run ahab on my Mac -
What feature or behavior is this required for?
I'm extracting package list from a Docker container, but it's easier to avoid installing ahab inside the container by running it directly from the host OS (a Mac in my case):
docker run --rm my-docker-image dpkg-query --show --showformat='${Package} ${Version}\n' | ahab --package-manager dpkg -
How could we solve this issue? (Not knowing is okay!)
I tested by building ahab myself, it works
now it's just about providing a binary to users instead of letting them build ahab -
Anything else?
cc @bhamail / @DarthHater / @ken-duck
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.