Closed dependabot[bot] closed 4 days ago
Test for Composer's installed.json
% ./vuls scan -config integration/int-config.toml composer-vendor
[Jul 4 19:03:01] INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul 4 19:03:01] INFO [localhost] Start scanning
[Jul 4 19:03:01] INFO [localhost] config: integration/int-config.toml
[Jul 4 19:03:01] INFO [localhost] Validating config...
[Jul 4 19:03:01] INFO [localhost] Detecting Server/Container OS...
[Jul 4 19:03:01] INFO [localhost] Detecting OS of servers...
[Jul 4 19:03:01] INFO [localhost] (1/1) Detected: composer-vendor: pseudo
[Jul 4 19:03:01] INFO [localhost] Detecting OS of containers...
[Jul 4 19:03:01] INFO [localhost] Checking Scan Modes...
[Jul 4 19:03:01] INFO [localhost] Detecting Platforms...
[Jul 4 19:03:01] INFO [localhost] (1/1) composer-vendor is running on other
[Jul 4 19:03:01] INFO [composer-vendor] Scanning listen port...
[Jul 4 19:03:01] INFO [composer-vendor] Using Port Scanner: Vuls built-in Scanner
[Jul 4 19:03:01] INFO [composer-vendor] Scanning Language-specific Packages...
Scan Summary
================
composer-vendor pseudo 0 installed, 0 updatable 3 libs
To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config integration/int-config.toml
[Jul 4 19:03:21] INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul 4 19:03:21] INFO [localhost] Validating config...
[Jul 4 19:03:21] INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jul 4 19:03:21] INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Jul 4 19:03:21] INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jul 4 19:03:21] INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jul 4 19:03:21] INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jul 4 19:03:21] INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jul 4 19:03:21] INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jul 4 19:03:21] INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-07-04T19-03-01+0900
[Jul 4 19:03:21] INFO [localhost] Updating library db...
[Jul 4 19:03:21] INFO [localhost] composer-vendor: 2 CVEs are detected with Library
[Jul 4 19:03:21] INFO [localhost] pseudo type. Skip OVAL and gost detection
[Jul 4 19:03:21] INFO [localhost] composer-vendor: 0 CVEs are detected with CPE
[Jul 4 19:03:21] INFO [localhost] composer-vendor: 0 PoC are detected
[Jul 4 19:03:21] INFO [localhost] composer-vendor: 0 exploits are detected
[Jul 4 19:03:21] INFO [localhost] composer-vendor: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jul 4 19:03:21] INFO [localhost] composer-vendor: Cyber Threat Intelligences are detected for 0 CVEs
[Jul 4 19:03:21] INFO [localhost] composer-vendor: total 2 CVEs detected
[Jul 4 19:03:21] INFO [localhost] composer-vendor: 0 CVEs filtered by --confidence-over=80
composer-vendor (pseudo)
========================
Total: 2 (Critical:0 High:2 Medium:0 Low:0 ?:0)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 3 libs
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | PACKAGES |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2022-24775 | 8.9 | AV:N | | | fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2023-29197 | 8.9 | AV:N | | | fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
Binary size is still getting larger...
% ll vuls
-rwxr-xr-x 1 shino shino 146M Jul 4 18:36 vuls*
2024-07-05 Postscript (shino)
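To make concrete what the Composer scan in the comment above is matching against, here is an added example (my own illustration, not code from vuls or trivy): a minimal parser for Composer's vendor/composer/installed.json that handles both the Composer 2 layout (package list under "packages") and the older bare-array layout, then checks installed versions against a small advisory table. The CVE IDs are the two the scan reported; the package list and the fixed-version bounds are constructed placeholders, not real affected ranges.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a Composer 2 vendor/composer/installed.json (not taken from the PR).
INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.8.3", "version_normalized": "1.8.3.0"},
        {"name": "psr/http-message", "version": "1.1", "version_normalized": "1.1.0.0"},
        {"name": "symfony/polyfill-php80", "version": "v1.29.0", "version_normalized": "1.29.0.0"},
    ],
})

# Constructed advisory table: (package, CVE, first fixed version). The CVE IDs are the
# ones the scan above reported; the fixed-version bounds are illustrative placeholders.
ADVISORIES: List[Tuple[str, str, Tuple[int, ...]]] = [
    ("guzzlehttp/psr7", "CVE-2022-24775", (1, 8, 4, 0)),
    ("guzzlehttp/psr7", "CVE-2023-29197", (1, 9, 1, 0)),
]

def version_key(pkg: Dict) -> Tuple[int, ...]:
    """Four-component tuple from version_normalized (falls back to version). A non-numeric
    part (e.g. a dev branch) stops the parse, so it compares low and is flagged, not skipped."""
    raw = pkg.get("version_normalized") or pkg["version"].lstrip("v")
    parts: List[int] = []
    for piece in raw.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0, 0])[:4])

def parse_installed_json(text: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Composer 2 nests the list under "packages"; Composer 1 wrote a bare array."""
    data = json.loads(text)
    packages = data["packages"] if isinstance(data, dict) else data
    return [(p["name"], version_key(p)) for p in packages]

def find_vulnerable(text: str) -> List[Tuple[str, str]]:
    """Return (package, CVE) pairs whose installed version is below the fixed one."""
    hits = []
    for name, ver in parse_installed_json(text):
        for adv_name, cve, fixed in ADVISORIES:
            if name == adv_name and ver < fixed:
                hits.append((name, cve))
    return hits

if __name__ == "__main__":
    for name, cve in find_vulnerable(INSTALLED_JSON):
        print(f"{name}: {cve}")
```

On the constructed input this yields the same two guzzlehttp/psr7 findings as the scan table above; a dev-branch version normalizes low and is reported conservatively rather than silently ignored.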
Bumps github.com/aquasecurity/trivy from 0.52.2 to 0.53.0.
Release notes
Sourced from github.com/aquasecurity/trivy's releases.
... (truncated)
Changelog
Sourced from github.com/aquasecurity/trivy's changelog.
... (truncated)
Commits
c55b0e6 release: v0.53.0 [main] (#6855)
654217a feat(conda): add licenses support for environment.yml files (#6953)
3d4ae8b fix(sbom): fix panic when scanning SBOM file without root component into SBOM...
55ccd06 feat: add memory cache backend (#7048)
14d71ba fix(sbom): use package UIDs for uniqueness (#7042)
edc556b feat(php): add installed.json file support (#4865)
4f8b399 docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
137c916 fix: use embedded when command path not found (#7037)
9e4927e chore(deps): bump trivy-kubernetes version (#7012)
4be02ba refactor: use google/wire for cache (#7024)
Most Recent Ignore Conditions Applied to This Pull Request
| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aquasecurity/trivy | [>= 0.50.2.a, < 0.50.3] |
| github.com/aquasecurity/trivy | [< 0.51, > 0.50.1] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show