Closed damiencarol closed 2 years ago
Hi @damiencarol - thanks for the report.
Can you please confirm a few things:
Thanks
added some details in the description
@damiencarol - 1.4.1 has been released - can you test with that please and let us know?
@madpah needed to clear the cache but it works now, I'm checking the report:
(.venv2) [damien@damien vulnerabilities]$ python3 -m pip install jake==1.4.1
Collecting jake==1.4.1
Using cached jake-1.4.1-py3-none-any.whl (28 kB)
Requirement already satisfied: polling2>=0.5.0 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.5.0)
Collecting cyclonedx-bom<3.0.0,>=2.0.1
Using cached cyclonedx_bom-2.0.1-py3-none-any.whl (25 kB)
Requirement already satisfied: pyfiglet>=0.8.post1 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.8.post1)
Requirement already satisfied: ossindex-lib>=0.2.1 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.2.1)
Requirement already satisfied: rich>=10.15.2 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (11.0.0)
Requirement already satisfied: requests in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (2.27.1)
Collecting cyclonedx-python-lib<2.0.0,>=1.3.0
Using cached cyclonedx_python_lib-1.3.0-py3-none-any.whl (168 kB)
Requirement already satisfied: types-setuptools>=57.0.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (57.4.4)
Requirement already satisfied: packageurl-python>=0.9 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.9.6)
Requirement already satisfied: types-toml<0.11.0,>=0.10.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.10.1)
Requirement already satisfied: toml<0.11.0,>=0.10.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.10.2)
Requirement already satisfied: setuptools>=47.0.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (58.1.0)
Requirement already satisfied: tinydb<5.0.0,>=4.5.1 in ./.venv2/lib/python3.10/site-packages (from ossindex-lib>=0.2.1->jake==1.4.1) (4.6.1)
Requirement already satisfied: certifi>=2017.4.17 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (2021.10.8)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (1.26.8)
Requirement already satisfied: idna<4,>=2.5 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (2.0.10)
Requirement already satisfied: commonmark<0.10.0,>=0.9.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (0.9.1)
Requirement already satisfied: colorama<0.5.0,>=0.4.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (0.4.4)
Requirement already satisfied: pygments<3.0.0,>=2.6.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (2.11.2)
Installing collected packages: cyclonedx-python-lib, cyclonedx-bom, jake
Attempting uninstall: cyclonedx-python-lib
Found existing installation: cyclonedx-python-lib 1.1.1
Uninstalling cyclonedx-python-lib-1.1.1:
Successfully uninstalled cyclonedx-python-lib-1.1.1
Attempting uninstall: cyclonedx-bom
Found existing installation: cyclonedx-bom 2.0.0
Uninstalling cyclonedx-bom-2.0.0:
Successfully uninstalled cyclonedx-bom-2.0.0
Attempting uninstall: jake
Found existing installation: jake 1.4.0
Uninstalling jake-1.4.0:
Successfully uninstalled jake-1.4.0
Successfully installed cyclonedx-bom-2.0.1 cyclonedx-python-lib-1.3.0 jake-1.4.1
(.venv2) [damien@damien vulnerabilities]$ jake ddt -o ~/dd2/unittests/scans/cyclonedx/jake2.json --output-format json --schema-version 1.4 --clear-cache
[jake ASCII-art banner]
Jake Version: 1.4.1
Put your Python dependencies in a chokehold
Collected 28 packages from your environment  100% 0:00:00
Successfully queried OSS Index for package and vulnerability info  100% 0:00:00
Sane number of results from OSS Index  100% 0:00:00
Munching & crunching data...  100% 0:00:00
[22/28] - Django@2.0.1 [VULNERABLE]
Vulnerability Details for Django@2.0.1
  ID: CVE-2021-33203
    [CVE-2021-33203] Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential ...
    Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the
    TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application
    developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal
    outside of the template root directories.

    Ratings:
    - 7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2021-33203

  ID: CVE-2018-7536
    [CVE-2018-7536] Incorrect Regular Expression
    An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate
    certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is
    used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

    Ratings:
    - 5.29999999999999982236431605997495353221893310546875 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7536

  ID: CVE-2018-7537
    [CVE-2018-7537] Incorrect Regular Expression
    An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were
    passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The
    chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

    Ratings:
    - 5.29999999999999982236431605997495353221893310546875 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7537

  ID: CVE-2018-14574
    [CVE-2018-14574] URL Redirection to Untrusted Site ("Open Redirect")
    django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.

    Ratings:
    - 6.0999999999999996447286321199499070644378662109375 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2018-14574

  ID: CVE-2019-3498
    [CVE-2019-3498] Improper Input Validation
    In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component
    issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has
    malicious content.

    Ratings:
    - 6.5 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2019-3498

  ID: CVE-2019-6975
    [CVE-2019-6975] Uncontrolled Resource Consumption ("Resource Exhaustion")
    Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the
    django.utils.numberformat.format() function.

    Ratings:
    - 7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2019-6975

  ID: CVE-2018-6188
    [CVE-2018-6188] Information Exposure
    django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by
    leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.

    Ratings:
    - 7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, CWEs: Not Recorded

    References:
    - [Ref: None] URL: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/
    - [Ref: None] URL: https://nvd.nist.gov/vuln/detail/CVE-2018-6188
Summary
+----------------------+-----------------------+
| Audited Dependencies | Vulnerabilities Found |
+----------------------+-----------------------+
| 28                   | 7                     |
+----------------------+-----------------------+
CycloneDX has been written to /home/damien/dd2/unittests/scans/cyclonedx/jake2.json
@madpah The link between the vulnerability and the component is good now. :+1: But I just found a new bug, creating a new issue => #93 .
When generating a report in version 1.4 in JSON format, an attribute is missing in the components data.
According to the CycloneDX specification, a vulnerability references a component by its bom-ref. So the components should have a bom-ref.
My advice is to use the PURL string as the bom-ref.
Renamed with txt because github jake.json.txt
Version
jake ddt --output-format cyclonedx-json --schema-version 1.4 -o ~/dd2/jake.json
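The defect described in the comment above (vulnerabilities whose affects[].ref points at a PURL, but components that carry no bom-ref at all) is easy to check for mechanically. The following is an added example, not code from jake or cyclonedx-python-lib: it walks a CycloneDX 1.4 JSON document with only the standard library, lists every vulnerability reference that resolves to no component bom-ref, applies the fix proposed in the comment (use the component's PURL as its bom-ref) and re-checks. The BOM it operates on is constructed by hand to mimic the broken shape; it is not the attached jake.json.txt. Only the schema field names (components[].bom-ref, components[].purl, vulnerabilities[].affects[].ref) are taken from the CycloneDX 1.4 JSON schema; everything else is this example's own.

```python
"""Check that every vulnerability in a CycloneDX 1.4 JSON BOM points at a
component that actually declares a matching bom-ref, and repair components
that lack one by using their PURL as bom-ref.

Added example; not jake's or cyclonedx-python-lib's code.
"""
import json

# Constructed sample BOM (not the real jake output): the vulnerability's
# affects[].ref already uses the PURL, but neither component has a bom-ref.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "Django", "version": "2.0.1",
         "purl": "pkg:pypi/django@2.0.1"},
        {"type": "library", "name": "requests", "version": "2.27.1",
         "purl": "pkg:pypi/requests@2.27.1"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-33203",
         "source": {"name": "NVD",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203"},
         "affects": [{"ref": "pkg:pypi/django@2.0.1"}]},
        {"id": "CVE-2018-6188",
         "source": {"name": "NVD",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"},
         "affects": [{"ref": "pkg:pypi/django@2.0.1"}]},
    ],
})


def _walk_components(components):
    """Yield every component, recursing into nested components[] lists."""
    for c in components:
        yield c
        yield from _walk_components(c.get("components", []))


def collect_bom_refs(bom):
    """Every bom-ref declared in the BOM (metadata.component and components[]), in order."""
    refs = []
    meta_component = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in meta_component:
        refs.append(meta_component["bom-ref"])
    for c in _walk_components(bom.get("components", [])):
        if "bom-ref" in c:
            refs.append(c["bom-ref"])
    return refs


def duplicate_bom_refs(bom):
    """bom-ref values used more than once; the spec requires them to be unique per BOM."""
    refs = collect_bom_refs(bom)
    return sorted({r for r in refs if refs.count(r) > 1})


def dangling_vulnerability_refs(bom):
    """(vulnerability id, ref) pairs whose affects[].ref matches no component bom-ref."""
    known = set(collect_bom_refs(bom))
    dangling = []
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            if target.get("ref") not in known:
                dangling.append((vuln.get("id"), target.get("ref")))
    return dangling


def assign_purl_bom_refs(bom):
    """Give each component without a bom-ref its PURL as bom-ref (the fix the issue proposes).

    Returns the number of components changed.  Components with no purl are left
    untouched; a producer would normally fall back to a generated unique id there.
    """
    changed = 0
    for c in _walk_components(bom.get("components", [])):
        if "bom-ref" not in c and c.get("purl"):
            c["bom-ref"] = c["purl"]
            changed += 1
    return changed


def check_and_fix(bom_json):
    """Parse, report dangling refs, apply the PURL fix, re-check.

    Returns (dangling_before, components_changed, dangling_after, duplicates, bom).
    """
    bom = json.loads(bom_json)
    before = dangling_vulnerability_refs(bom)
    changed = assign_purl_bom_refs(bom)
    after = dangling_vulnerability_refs(bom)
    return before, changed, after, duplicate_bom_refs(bom), bom


if __name__ == "__main__":
    before, changed, after, dupes, fixed = check_and_fix(SAMPLE_BOM_JSON)
    print("dangling refs before fix:", before)
    print("components given a bom-ref:", changed)
    print("dangling refs after fix:", after)
    print("duplicate bom-refs:", dupes)
    print(json.dumps(fixed["components"], indent=2))
```

The uniqueness check matters for the proposed fix: bom-ref must be unique within a BOM, and a PURL identifies a package version rather than one installed instance, so a BOM that legitimately lists the same PURL twice (for example the same package vendored under two paths) would need a qualifier or a generated id for the second copy.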