yokawasa / gitrivy

Trivy with GitHub Actions
MIT License

Support the latest version of trivy (v0.20.0+) #4

Closed yokawasa closed 2 years ago

yokawasa commented 2 years ago

description

With trivy_version of v0.20.0+, gitrivy's Trivy scan function causes an exception like this: (With trivy_version of v0.19.2 or less, you don't get the exception)

  Failed vulnerability scan using Trivy.
         stdout: {
      "SchemaVersion": 2,
      "ArtifactName": "alpine:3.10",
      "ArtifactType": "container_image",
      "Metadata": {
        "OS": {
          "Family": "alpine",
          "Name": "3.10.3",
          "EOSL": true
        },
        "ImageID": "sha256:965ea09ff2ebd2b9eeec88cd822ce156f6674c7e99be082c7efac3c62f3ff652",
        "DiffIDs": [
          "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
        ],
        "RepoTags": [
          "alpine:3.10"
        ],
        "RepoDigests": [
          "alpine@sha256:c19173c5ada610a5989151111163d28a67368362762534d8a8121ce95cf2bd5a"
        ],
        "ImageConfig": {
          "architecture": "amd64",
          "container": "baae288169b1ae2f6bd82e7b605d8eb35a79e846385800e305eccc55b9bd5986",
          "created": "2019-10-21T17:21:42.387111039Z",
          "docker_version": "18.06.1-ce",
          "history": [
            {
              "created": "2019-10-21T17:21:42Z",
              "created_by": "/bin/sh -c #(nop) ADD file:fe1f09249227e2da2089afb4d07e16cbf832eeb804120074acd2b8192876cd28 in / "
            },
            {
              "created": "2019-10-21T17:21:42Z",
              "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
              "empty_layer": true
            }
          ],
          "os": "linux",
          "rootfs": {
            "type": "layers",
            "diff_ids": [
              "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
            ]
          },
          "config": {
            "Cmd": [
              "/bin/sh"
            ],
            "Env": [
              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Image": "sha256:e8bf85e28fac8a4cd1707985780af20622f0f5de7d6c912ea1dc82a626981cb0",
            "ArgsEscaped": true
          }
        }
      },
      "Results": [
        {
          "Target": "alpine:3.10 (alpine 3.10.3)",
          "Class": "os-pkgs",
          "Type": "alpine",
          "Vulnerabilities": [
            {
              "VulnerabilityID": "CVE-2021-36159",
              "PkgName": "apk-tools",
              "InstalledVersion": "2.10.4-r2",
              "FixedVersion": "2.10.7-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
              "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
              "Severity": "CRITICAL",
              "CweIDs": [
                "CWE-125"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "V2Score": 6.4,
                  "V3Score": 9.1
                }
              },
              "References": [
                "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
              ],
              "PublishedDate": "2021-08-03T14:15:00Z",
              "LastModifiedDate": "2021-09-02T04:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-30139",
              "PkgName": "apk-tools",
              "InstalledVersion": "2.10.4-r2",
              "FixedVersion": "2.10.6-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-30139",
              "Description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-125"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                }
              },
              "References": [
                "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741",
                "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606"
              ],
              "PublishedDate": "2021-04-21T16:15:00Z",
              "LastModifiedDate": "2021-04-22T18:21:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-28831",
              "PkgName": "busybox",
              "InstalledVersion": "1.30.1-r2",
              "FixedVersion": "1.30.1-r5",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
              "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
              "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-755"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
                "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
                "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
                "https://security.gentoo.org/glsa/202105-09"
              ],
              "PublishedDate": "2021-03-19T05:15:00Z",
              "LastModifiedDate": "2021-05-26T10:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2020-1967",
              "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1g-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1967",
              "Title": "openssl: Segmentation fault in SSL_check_chain causes denial of service",
              "Description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-476"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html",
                "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html",
                "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html",
                "http://seclists.org/fulldisclosure/2020/May/5",
                "http://www.openwall.com/lists/oss-security/2020/04/22/2",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1",
                "https://github.com/irsl/CVE-2020-1967",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440",
                "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E",
                "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E",
                "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
                "https://nvd.nist.gov/vuln/detail/CVE-2020-1967",
                "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc",
                "https://security.gentoo.org/glsa/202004-10",
                "https://security.netapp.com/advisory/ntap-20200424-0003/",
                "https://security.netapp.com/advisory/ntap-20200717-0004/",
                "https://www.debian.org/security/2020/dsa-4661",
                "https://www.openssl.org/news/secadv/20200421.txt",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.oracle.com/security-alerts/cpujan2021.html",
                "https://www.oracle.com/security-alerts/cpujul2020.html",
                "https://www.oracle.com/security-alerts/cpuoct2020.html",
                "https://www.synology.com/security/advisory/Synology_SA_20_05",
                "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL",
                "https://www.tenable.com/security/tns-2020-03",
                "https://www.tenable.com/security/tns-2020-04",
                "https://www.tenable.com/security/tns-2020-11",
                "https://www.tenable.com/security/tns-2021-10"
              ],
              "PublishedDate": "2020-04-21T14:15:00Z",
              "LastModifiedDate": "2021-07-20T23:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-23840",
              "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1j-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23840",
              "Title": "openssl: integer overflow in CipherUpdate",
              "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-190"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846",
                "https://linux.oracle.com/cve/CVE-2021-23840.html",
                "https://linux.oracle.com/errata/ELSA-2021-9478.html",
                "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E",
                "https://security.gentoo.org/glsa/202103-03",
                "https://security.netapp.com/advisory/ntap-20210219-0009/",
                "https://ubuntu.com/security/notices/USN-4738-1",
                "https://ubuntu.com/security/notices/USN-5088-1",
                "https://www.debian.org/security/2021/dsa-4855",
                "https://www.openssl.org/news/secadv/20210216.txt",
                "https://www.oracle.com//security-alerts/cpujul2021.html",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.tenable.com/security/tns-2021-03",
                "https://www.tenable.com/security/tns-2021-09",
                "https://www.tenable.com/security/tns-2021-10"
              ],
              "PublishedDate": "2021-02-16T17:15:00Z",
              "LastModifiedDate": "2021-09-13T19:45:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-3450",
              "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1k-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3450",
              "Title": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT",
              "Description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-295"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
                  "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "V2Score": 5.8,
                  "V3Score": 7.4
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "V3Score": 7.4
                }
              },
              "References": [
                "http://www.openwall.com/lists/oss-security/2021/03/27/1",
                "http://www.openwall.com/lists/oss-security/2021/03/27/2",
                "http://www.openwall.com/lists/oss-security/2021/03/28/3",
                "http://www.openwall.com/lists/oss-security/2021/03/28/4",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
                "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356",
                "https://linux.oracle.com/cve/CVE-2021-3450.html",
                "https://linux.oracle.com/errata/ELSA-2021-9151.html",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/",
                "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html",
                "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
                "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
                "https://security.gentoo.org/glsa/202103-03",
                "https://security.netapp.com/advisory/ntap-20210326-0006/",
                "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd",
                "https://www.openssl.org/news/secadv/20210325.txt",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.tenable.com/security/tns-2021-05",
                "https://www.tenable.com/security/tns-2021-08",
                "https://www.tenable.com/security/tns-2021-09"
              ],
              "PublishedDate": "2021-03-25T15:15:00Z",
              "LastModifiedDate": "2021-07-20T23:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2020-1967",
              "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1g-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-1967",
              "Title": "openssl: Segmentation fault in SSL_check_chain causes denial of service",
              "Description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-476"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html",
                "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html",
                "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html",
                "http://seclists.org/fulldisclosure/2020/May/5",
                "http://www.openwall.com/lists/oss-security/2020/04/22/2",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1",
                "https://github.com/irsl/CVE-2020-1967",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440",
                "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E",
                "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E",
                "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
                "https://nvd.nist.gov/vuln/detail/CVE-2020-1967",
                "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc",
                "https://security.gentoo.org/glsa/202004-10",
                "https://security.netapp.com/advisory/ntap-20200424-0003/",
                "https://security.netapp.com/advisory/ntap-20200717-0004/",
                "https://www.debian.org/security/2020/dsa-4661",
                "https://www.openssl.org/news/secadv/20200421.txt",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.oracle.com/security-alerts/cpujan2021.html",
                "https://www.oracle.com/security-alerts/cpujul2020.html",
                "https://www.oracle.com/security-alerts/cpuoct2020.html",
                "https://www.synology.com/security/advisory/Synology_SA_20_05",
                "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL",
                "https://www.tenable.com/security/tns-2020-03",
                "https://www.tenable.com/security/tns-2020-04",
                "https://www.tenable.com/security/tns-2020-11",
                "https://www.tenable.com/security/tns-2021-10"
              ],
              "PublishedDate": "2020-04-21T14:15:00Z",
              "LastModifiedDate": "2021-07-20T23:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-23840",
              "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1j-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23840",
              "Title": "openssl: integer overflow in CipherUpdate",
              "Description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-190"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846",
                "https://linux.oracle.com/cve/CVE-2021-23840.html",
                "https://linux.oracle.com/errata/ELSA-2021-9478.html",
                "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E",
                "https://security.gentoo.org/glsa/202103-03",
                "https://security.netapp.com/advisory/ntap-20210219-0009/",
                "https://ubuntu.com/security/notices/USN-4738-1",
                "https://ubuntu.com/security/notices/USN-5088-1",
                "https://www.debian.org/security/2021/dsa-4855",
                "https://www.openssl.org/news/secadv/20210216.txt",
                "https://www.oracle.com//security-alerts/cpujul2021.html",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.tenable.com/security/tns-2021-03",
                "https://www.tenable.com/security/tns-2021-09",
                "https://www.tenable.com/security/tns-2021-10"
              ],
              "PublishedDate": "2021-02-16T17:15:00Z",
              "LastModifiedDate": "2021-09-13T19:45:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-3450",
              "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1k-r0",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3450",
              "Title": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT",
              "Description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-295"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
                  "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "V2Score": 5.8,
                  "V3Score": 7.4
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "V3Score": 7.4
                }
              },
              "References": [
                "http://www.openwall.com/lists/oss-security/2021/03/27/1",
                "http://www.openwall.com/lists/oss-security/2021/03/27/2",
                "http://www.openwall.com/lists/oss-security/2021/03/28/3",
                "http://www.openwall.com/lists/oss-security/2021/03/28/4",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
                "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
                "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356",
                "https://linux.oracle.com/cve/CVE-2021-3450.html",
                "https://linux.oracle.com/errata/ELSA-2021-9151.html",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/",
                "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html",
                "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
                "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
                "https://security.gentoo.org/glsa/202103-03",
                "https://security.netapp.com/advisory/ntap-20210326-0006/",
                "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd",
                "https://www.openssl.org/news/secadv/20210325.txt",
                "https://www.oracle.com/security-alerts/cpuApr2021.html",
                "https://www.tenable.com/security/tns-2021-05",
                "https://www.tenable.com/security/tns-2021-08",
                "https://www.tenable.com/security/tns-2021-09"
              ],
              "PublishedDate": "2021-03-25T15:15:00Z",
              "LastModifiedDate": "2021-07-20T23:15:00Z"
            },
            {
              "VulnerabilityID": "CVE-2021-28831",
              "PkgName": "ssl_client",
              "InstalledVersion": "1.30.1-r2",
              "FixedVersion": "1.30.1-r5",
              "Layer": {
                "DiffID": "sha256:77cae8ab23bf486355d1b3191259705374f4a11d483b24964d2f729dd8c076a0"
              },
              "SeveritySource": "nvd",
              "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
              "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
              "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
              "Severity": "HIGH",
              "CweIDs": [
                "CWE-755"
              ],
              "CVSS": {
                "nvd": {
                  "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V2Score": 5,
                  "V3Score": 7.5
                },
                "redhat": {
                  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "V3Score": 7.5
                }
              },
              "References": [
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
                "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
                "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
                "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
                "https://security.gentoo.org/glsa/202105-09"
              ],
              "PublishedDate": "2021-03-19T05:15:00Z",
              "LastModifiedDate": "2021-05-26T10:15:00Z"
            }
          ]
        }
      ]
    }
          stderr:
          error: undefined

how to reproduce

By running the tests, you'll come up with the error above in the `with valid option` test

git clone git@github.com:yokawasa/gitrivy.git
npm install
npm test

(screenshot: 2021-10-18 6 12 58)
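
As an added example (not gitrivy's own code and not part of this issue), here is how a consumer of Trivy's JSON output can accept both the report layout quoted above (SchemaVersion 2, per-target results under a top-level `Results` key) and the pre-0.20 layout, and turn the findings into the severity summary a CI gate needs. The assumptions are labelled in the code: that trivy v0.19.x and earlier printed a top-level JSON array of results (the layout a consumer written for those versions would expect), the constructed sample reports (package names and versions in them are illustrative, except where copied from the report above), and the `listVulnerabilities`/`summarize` functions, which are this example's, not gitrivy's API.

```javascript
// Added example (not gitrivy's code): normalise Trivy JSON output across the
// schema change that arrived with trivy v0.20.0 and summarise the findings.
//
// Assumption: trivy <= v0.19.x printed a top-level JSON *array* of results,
// while v0.20.0+ prints an object with "SchemaVersion": 2 whose results live
// under "Results", as in the report quoted in this issue. A consumer that
// assumes the array shape breaks on the schema-2 object.

// Constructed sample (schema 2), trimmed to the fields this example reads.
// CVE ids and the ssl_client entry mirror the report above; other package
// names and versions are illustrative.
const SAMPLE_V2 = JSON.stringify({
  SchemaVersion: 2,
  ArtifactName: "alpine:3.10",
  ArtifactType: "container_image",
  Results: [
    {
      Target: "alpine:3.10 (alpine 3.10.3)",
      Type: "alpine",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-2021-3450", PkgName: "libcrypto1.1",
          InstalledVersion: "1.1.1-example", FixedVersion: "1.1.1k-example", Severity: "HIGH" },
        { VulnerabilityID: "CVE-2021-28831", PkgName: "ssl_client",
          InstalledVersion: "1.30.1-r2", FixedVersion: "1.30.1-r5", Severity: "HIGH" },
        // No FixedVersion: the vendor has not shipped a fix yet (constructed).
        { VulnerabilityID: "CVE-EXAMPLE-0001", PkgName: "musl",
          InstalledVersion: "1.1.22-example", Severity: "MEDIUM" },
      ],
    },
  ],
});

// Constructed sample in the assumed legacy (pre-0.20) layout: a bare array.
const SAMPLE_LEGACY = JSON.stringify([
  {
    Target: "alpine:3.10 (alpine 3.10.3)",
    Type: "alpine",
    Vulnerabilities: [
      { VulnerabilityID: "CVE-2021-28831", PkgName: "ssl_client",
        InstalledVersion: "1.30.1-r2", FixedVersion: "1.30.1-r5", Severity: "HIGH" },
    ],
  },
]);

// Return the per-target result array regardless of which layout was parsed.
function extractResults(report) {
  if (Array.isArray(report)) {
    return report; // legacy layout (assumed)
  }
  if (report && typeof report === "object" && Array.isArray(report.Results)) {
    return report.Results; // SchemaVersion 2 layout
  }
  const version = report && report.SchemaVersion;
  throw new Error(`unrecognised Trivy report layout (SchemaVersion=${version})`);
}

// Flatten every vulnerability into one record that carries its target name.
function listVulnerabilities(stdout) {
  const findings = [];
  for (const result of extractResults(JSON.parse(stdout))) {
    // "Vulnerabilities" is absent (or null) when a target has no findings.
    for (const v of result.Vulnerabilities || []) {
      findings.push({
        target: result.Target,
        id: v.VulnerabilityID,
        pkg: v.PkgName,
        installed: v.InstalledVersion,
        fixed: v.FixedVersion || null,
        severity: v.Severity,
      });
    }
  }
  return findings;
}

// Trivy's severity ladder, lowest to highest, used for threshold comparison.
const SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

// Count findings per severity and decide whether a CI gate should fail at
// `failOn` or above. The gate semantics are this example's, not gitrivy's.
function summarize(stdout, failOn = "HIGH") {
  const findings = listVulnerabilities(stdout);
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  const threshold = SEVERITY_ORDER.indexOf(failOn);
  const blocking = findings.filter((f) => SEVERITY_ORDER.indexOf(f.severity) >= threshold);
  return {
    total: findings.length,
    counts,
    blocking: blocking.map((f) => f.id),
    fixable: findings.filter((f) => f.fixed).map((f) => f.id),
    shouldFail: blocking.length > 0,
  };
}

console.log("schema 2:", summarize(SAMPLE_V2));
console.log("legacy  :", summarize(SAMPLE_LEGACY));
```

Detecting the layout by shape rather than by reading `SchemaVersion` first keeps the legacy branch working for reports that have no such field at all, and the explicit error on an unknown layout turns a silent `undefined` into a message that names the version the consumer did not understand.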

yokawasa commented 2 years ago

@it-ito thanks for the contribution!