ZOSOpenTools / meta

Meta repository to tie together the various underlying z/OS Open Source tools repositories here
https://zosopentools.github.io/meta/
Apache License 2.0

zopen audit utility #713

Closed IgorTodorovskiIBM closed 1 month ago

IgorTodorovskiIBM commented 4 months ago

Adding the zopen audit command. This tool leverages the zopen audit vulnerability database covered in https://github.com/ZOSOpenTools/meta/pull/704

Example output:

HIGH severity found for gitdummy:
CVE-2019-1387
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

Summary:
1 vulnerabilities (0 low, 0 moderate, 1 high, 0 critical)

v1gnesh commented 4 months ago

How much work is it to squash v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6 down to v2.14.6 -- v2.24.1

I can't find where the sample output is coming from.

IgorTodorovskiIBM commented 4 months ago

> How much work is it to squash v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6 down to v2.14.6 -- v2.24.1
>
> I can't find where the sample output is coming from.

The description is coming from the osv.dev api:

curl -d \
  '{"commit": "564d0252ca632e0264ed670534a51d18a689ef5d"}' \
  "https://api.osv.dev/v1/query" | jq . | less

The result is a false positive though. I opened an issue here: https://github.com/google/osv.dev/issues/1961
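The thread above shows where the audit text comes from (the osv.dev `/v1/query` endpoint, queried by commit) and asks for the fixed-version list to be squashed into a range. As an added illustration, not code from the zopen project or this PR, the following Python builds that query body, reduces an OSV-style response to the per-package severity lines and the summary count the PR output shows, and collapses a version list to a `min -- max` range. The JSON embedded below is constructed by hand in the shape of the OSV schema (trimmed, with a placeholder second entry); the severity label is read from `database_specific.severity`, which is an assumption about the data source rather than a guarantee of the API.

```python
"""Added example: summarising an osv.dev /v1/query response into audit lines.
Not the zopen audit script; the sample JSON is constructed for this page."""
import json
from collections import Counter

# Constructed sample in the OSV schema shape; values are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "vulns": [
        {
            "id": "CVE-2019-1387",
            "summary": "Recursive clone remote code execution via submodule names",
            "details": "An issue was found in Git before v2.24.1, ... (trimmed)",
            "database_specific": {"severity": "HIGH"},
            "affected": [{
                "package": {"ecosystem": "GIT", "name": "git"},
                "ranges": [{"type": "ECOSYSTEM", "events": [
                    {"introduced": "0"}, {"fixed": "v2.24.1"}]}],
            }],
        },
        {
            "id": "GHSA-xxxx-placeholder",  # placeholder id, not a real advisory
            "summary": "Constructed low-severity entry",
            "database_specific": {"severity": "LOW"},
            "affected": [],
        },
    ]
})

# Label set used by the PR's summary line (GitHub-advisory style).
SEVERITY_ORDER = ("LOW", "MODERATE", "HIGH", "CRITICAL")


def query_payload(commit: str) -> str:
    """JSON body for POST https://api.osv.dev/v1/query, as in the curl above."""
    return json.dumps({"commit": commit})


def severity_of(vuln: dict) -> str:
    """Severity label from database_specific.severity (assumed field), else UNKNOWN."""
    label = str(vuln.get("database_specific", {}).get("severity", "")).upper()
    return label if label in SEVERITY_ORDER else "UNKNOWN"


def version_key(version: str):
    """'v2.24.1' -> (2, 24, 1) so versions sort numerically, not lexically."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def collapse_versions(versions):
    """Squash a list of fixed versions to 'lowest -- highest' (the range v1gnesh asked for)."""
    ordered = sorted(versions, key=version_key)
    if len(ordered) == 1:
        return ordered[0]
    return f"{ordered[0]} -- {ordered[-1]}"


def audit(response_json: str, package: str):
    """Return (report text, Counter of severities) for one package's OSV response."""
    data = json.loads(response_json)
    counts = Counter()
    lines = []
    for vuln in data.get("vulns", []):
        sev = severity_of(vuln)
        counts[sev] += 1
        lines.append(f"{sev} severity found for {package}:")
        lines.append(vuln["id"])
        lines.append(vuln.get("details") or vuln.get("summary", ""))
        lines.append("")
    total = sum(counts.values())
    lines.append("Summary:")
    noun = "vulnerability" if total == 1 else "vulnerabilities"
    breakdown = ", ".join(f"{counts[s]} {s.lower()}" for s in SEVERITY_ORDER)
    lines.append(f"{total} {noun} ({breakdown})")
    return "\n".join(lines), counts


if __name__ == "__main__":
    report, _ = audit(SAMPLE_RESPONSE, "gitdummy")
    print(report)
    print(collapse_versions(["v2.24.1", "v2.23.1", "v2.15.4", "v2.14.6"]))
```

Run it directly to see the same two-block layout as the PR's sample output, followed by the collapsed range. A false positive like the one reported to osv.dev still shows up here; the parser only reports what the database returns, so the fix for that belongs upstream, as the comment above says.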

IgorTodorovskiIBM commented 4 months ago

/run tests

IgorTodorovskiIBM commented 1 month ago

I will close this as @KeplerBoyce will continue this effort