@conterra/vuln-scan 0.0.25 → 0.0.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +77 -0
- package/dist/add-project.js +1 -1
- package/dist/add-statement.js +1 -1
- package/dist/remove-project.js +5 -5
- package/dist/schema/conf-schema.json +10 -0
- package/dist/vuln-scan.js +10 -10
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -70,6 +70,75 @@ You might for example prepare a folder structure like this:
|
|
|
70
70
|
Running the command `ct-vuln-scan` from the root folder will scan all projects defined in the `vuln-scan-conf.json` file.
|
|
71
71
|
By default, output will created in the `output` folder per project.
|
|
72
72
|
|
|
73
|
+
In the output folder different files per project are generated, see below.
|
|
74
|
+
There are also tow summary files directly in the output folder:
|
|
75
|
+
|
|
76
|
+
- `scan-summary.txt`
|
|
77
|
+
- A text file with a summary of the scan results.
|
|
78
|
+
- It contains the console "scan summary" output, which is printed to the console during the scan.
|
|
79
|
+
|
|
80
|
+
- `scan-summary.json`
|
|
81
|
+
- A json file with a summary of the scan results.
|
|
82
|
+
- This can be used to post-process the scan results or to integrate them into other tools.
|
|
83
|
+
- Example:
|
|
84
|
+
|
|
85
|
+
```json
|
|
86
|
+
{
|
|
87
|
+
"errors": [{
|
|
88
|
+
"project": "mapapps@4.18.2",
|
|
89
|
+
"error": "Failed to fetch sbom file from maven repository: https://repository.conterra.de/repository/maven-mirror-ct/de/conterra/mapapps/ct-mapapps-rollout/4.18.2/ct-mapapps-rollout-4.18.2-sbom.cdx.json"
|
|
90
|
+
}],
|
|
91
|
+
"vulnerabilities": {
|
|
92
|
+
"CVE-2025-48988": {
|
|
93
|
+
"id": "CVE-2025-48988",
|
|
94
|
+
"severity": "HIGH",
|
|
95
|
+
"title": "tomcat: Apache Tomcat DoS in multipart upload",
|
|
96
|
+
"description": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.",
|
|
97
|
+
"components": [
|
|
98
|
+
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.41"
|
|
99
|
+
],
|
|
100
|
+
"refs": [
|
|
101
|
+
"https://avd.aquasec.com/nvd/cve-2025-48988",
|
|
102
|
+
"https://github.com/advisories/GHSA-h3gc-qfqq-6h8f"
|
|
103
|
+
]
|
|
104
|
+
},
|
|
105
|
+
"CVE-2025-49125": {
|
|
106
|
+
"id": "CVE-2025-49125",
|
|
107
|
+
"severity": "MEDIUM",
|
|
108
|
+
"title": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources",
|
|
109
|
+
"description": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.",
|
|
110
|
+
"components": [
|
|
111
|
+
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.41"
|
|
112
|
+
],
|
|
113
|
+
"refs": [
|
|
114
|
+
"https://avd.aquasec.com/nvd/cve-2025-49125",
|
|
115
|
+
"https://github.com/advisories/GHSA-wc4r-xq3c-5cf3"
|
|
116
|
+
]
|
|
117
|
+
}
|
|
118
|
+
},
|
|
119
|
+
"vulnerabilityToProject": {
|
|
120
|
+
"CVE-2025-48988": [
|
|
121
|
+
"smartfinder-sdi@2.7.1-SNAPSHOT"
|
|
122
|
+
],
|
|
123
|
+
"CVE-2025-49125": [
|
|
124
|
+
"smartfinder-sdi@2.7.1-SNAPSHOT"
|
|
125
|
+
]
|
|
126
|
+
},
|
|
127
|
+
"projectToVulnerability": {
|
|
128
|
+
"smartfinder-sdi@2.7.1-SNAPSHOT": [
|
|
129
|
+
"CVE-2025-48988",
|
|
130
|
+
"CVE-2025-49125"
|
|
131
|
+
]
|
|
132
|
+
},
|
|
133
|
+
"noLongerDetectedVulnerabilities": {
|
|
134
|
+
"CVE-2023-52070": [
|
|
135
|
+
"mapapps@4.19.3-SNAPSHOT",
|
|
136
|
+
"smartfinder-sdi@2.7.1-SNAPSHOT"
|
|
137
|
+
]
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
```
|
|
141
|
+
|
|
73
142
|
## Configuration
|
|
74
143
|
|
|
75
144
|
You need to create a `vuln-scan-conf.json` file in the root of your project.
|
|
@@ -128,6 +197,14 @@ The following sample lists all available options with their default values:
|
|
|
128
197
|
If false all files are directly stored in the output dir without a subfolder structure.
|
|
129
198
|
*/
|
|
130
199
|
"createSubDirsForProject": true,
|
|
200
|
+
/* (optional) Defines how the console output is reported.
|
|
201
|
+
Possible values are:
|
|
202
|
+
- "BY_PROJECT_DETAILED" (default): order by project and print cve details
|
|
203
|
+
- "BY_PROJECT" : order by project but do not print cve details
|
|
204
|
+
- "BY_CVE" : order by cve and print cve details
|
|
205
|
+
- "BY_CVE_DETAILED": order by cve but do not print cve details
|
|
206
|
+
*/
|
|
207
|
+
"consoleReport": "BY_PROJECT_DETAILED",
|
|
131
208
|
/* The list of projects to scan. */
|
|
132
209
|
"projects": [
|
|
133
210
|
{
|