npm - @fabasoad/sarif-to-slack - Versions diffs - 0.1.1 → 0.2.1 - Mend

@fabasoad/sarif-to-slack 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/.github/ISSUE_TEMPLATE/bug_report.md +1 -1
package/.github/pull_request_template.md +3 -3
package/.github/workflows/linting.yml +14 -0
package/.github/workflows/release.yml +5 -1
package/.github/workflows/send-sarif-to-slack.yml +214 -0
package/.github/workflows/unit-tests.yml +1 -0
package/.pre-commit-config.yaml +3 -3
package/.tool-versions +1 -1
package/CONTRIBUTING.md +1 -1
package/Makefile +10 -3
package/README.md +36 -5
package/biome.json +15 -12
package/dist/Logger.js +17 -6
package/dist/Processors.js +23 -22
package/dist/SarifToSlackService.d.ts.map +1 -1
package/dist/SarifToSlackService.js +6 -7
package/dist/SlackMessageBuilder.js +51 -55
package/dist/index.d.ts +9 -4
package/dist/index.d.ts.map +1 -1
package/dist/index.js +10 -5
package/dist/model/SarifModelPerRun.d.ts +17 -0
package/dist/model/SarifModelPerRun.d.ts.map +1 -0
package/dist/model/SarifModelPerRun.js +84 -0
package/dist/model/SarifModelPerSarif.d.ts +20 -0
package/dist/model/SarifModelPerSarif.d.ts.map +1 -0
package/dist/model/SarifModelPerSarif.js +97 -0
package/dist/model/types.d.ts +17 -0
package/dist/model/types.d.ts.map +1 -0
package/dist/model/types.js +31 -0
package/dist/sarif-to-slack.d.ts +121 -18
package/dist/tsdoc-metadata.json +1 -1
package/dist/types.d.ts +107 -15
package/dist/types.d.ts.map +1 -1
package/dist/types.js +73 -7
package/dist/utils/SarifUtils.d.ts +5 -0
package/dist/utils/SarifUtils.d.ts.map +1 -0
package/dist/utils/SarifUtils.js +32 -0
package/dist/utils/SortUtils.d.ts +5 -0
package/dist/utils/SortUtils.d.ts.map +1 -0
package/dist/utils/SortUtils.js +8 -0
package/dist/version.d.ts +2 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +4 -0
package/etc/sarif-to-slack.api.md +47 -9
package/jest.config.json +4 -4
package/package.json +14 -10
package/scripts/save-version.sh +6 -0
package/src/Logger.ts +22 -17
package/src/Processors.ts +22 -22
package/src/SarifToSlackService.ts +6 -7
package/src/SlackMessageBuilder.ts +85 -68
package/src/index.ts +17 -6
package/src/model/SarifModelPerRun.ts +114 -0
package/src/model/SarifModelPerSarif.ts +116 -0
package/src/model/types.ts +31 -0
package/src/types.ts +113 -15
package/src/utils/SarifUtils.ts +44 -0
package/src/utils/SortUtils.ts +21 -0
package/src/version.ts +3 -0
package/test-data/sarif/codeql-csharp.sarif +1 -0
package/test-data/sarif/codeql-go.sarif +1 -0
package/test-data/sarif/codeql-python.sarif +1 -0
package/test-data/sarif/codeql-ruby.sarif +1 -0
package/test-data/sarif/codeql-typescript.sarif +1 -0
package/test-data/sarif/grype-container.sarif +1774 -0
package/test-data/sarif/runs-1-tools-1-results-0.sarif +18 -0
package/test-data/sarif/runs-2-tools-1-results-0.sarif +30 -0
package/test-data/sarif/runs-2-tools-1.sarif +656 -0
package/test-data/sarif/runs-2-tools-2-results-0.sarif +44 -0
package/test-data/sarif/runs-2-tools-2.sarif +686 -0
package/test-data/sarif/runs-3-tools-2-results-0.sarif +48 -0
package/test-data/sarif/runs-3-tools-2.sarif +278 -0
package/test-data/sarif/snyk-composer.sarif +934 -0
package/test-data/sarif/snyk-container.sarif +313 -0
package/test-data/sarif/snyk-gomodules.sarif +388 -0
package/test-data/sarif/snyk-gradle.sarif +274 -0
package/test-data/sarif/snyk-hex.sarif +66 -0
package/test-data/sarif/snyk-maven.sarif +274 -0
package/test-data/sarif/snyk-npm.sarif +896 -0
package/test-data/sarif/snyk-nuget.sarif +90 -0
package/test-data/sarif/snyk-pip.sarif +66 -0
package/test-data/sarif/snyk-pnpm.sarif +90 -0
package/test-data/sarif/snyk-poetry.sarif +1952 -0
package/test-data/sarif/snyk-rubygems.sarif +440 -0
package/test-data/sarif/snyk-sbt.sarif +178 -0
package/test-data/sarif/snyk-swift.sarif +112 -0
package/test-data/sarif/snyk-yarn.sarif +2900 -0
package/test-data/sarif/trivy-iac.sarif +134 -0
package/test-data/sarif/wiz-container.sarif +30916 -0
package/test-data/sarif/wiz-iac.sarif +558 -0
package/tests/Processors.spec.ts +3 -3
package/tests/integration/SendSarifToSlack.spec.ts +56 -0
package/tsconfig.json +14 -14
package/dist/Logger.js.map +0 -1
package/dist/Processors.js.map +0 -1
package/dist/SarifToSlackService.js.map +0 -1
package/dist/SlackMessageBuilder.js.map +0 -1
package/dist/index.js.map +0 -1
package/dist/types.js.map +0 -1

package/test-data/sarif/runs-2-tools-1.sarif ADDED Viewed

@@ -0,0 +1,656 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 10
+          },
+          "rules": [
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736",
+              "shortDescription": {
+                "text": "High severity - HTTP Response Splitting vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2020-28483) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to HTTP Response Splitting. When `gin` is exposed directly to the internet, a client's IP can be spoofed by setting the `X-Forwarded-For` header.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.7.7 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/3b555a560534ca3114515c4b32737ba51b10392c)\n- [GitHub Issue](https://github.com/gin-gonic/gin/issues/2862)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.7.7)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-113",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.1,
+                "security-severity": "7.1"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3121073",
+              "shortDescription": {
+                "text": "High severity - Improper Output Neutralization for Logs vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2020-36567) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs such that the default Formatter for the Logger middleware (`LoggerConfig.Formatter`), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/2237)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.6.0)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-117",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.3,
+                "security-severity": "7.3"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285",
+              "shortDescription": {
+                "text": "Medium severity - Improper Input Validation vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2023-26125) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the `X-Forwarded-Prefix` header, potentially leading to cache poisoning.\r\n\r\n**Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.\n# PoC\n```\r\npackage main\r\n\r\nimport (\r\n\t\"net/http\"\r\n\r\n\t\"github.com/gin-gonic/gin\"\r\n)\r\n\r\nfunc main() {\r\n\r\n\tr := gin.Default()\r\n\r\n\tr.GET(\"/bug\", func(c *gin.Context) {\r\n\t\tc.JSON(http.StatusBadRequest, gin.H{\"msg\": \"bug\"})\r\n\t})\r\n\r\n\tr.Run()\r\n}\r\n```\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.9.0 or higher.\n# References\n- [GitHub Commit](https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3500)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3503)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.9.0)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-20",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 5.6,
+                "security-severity": "5.6"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-5406508",
+              "shortDescription": {
+                "text": "High severity - Improper Input Validation vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2023-29401) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FileAttachment` function, due to improper handling of the filename in the Content-Disposition response header.\r\n\r\nExploiting this vulnerability allows the extension/file name to be tampered with when downloading files.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.9.1 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72)\n- [GitHub Issue](https://github.com/gin-gonic/gin/issues/3555)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3556)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-20",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.5,
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-550031",
+              "shortDescription": {
+                "text": "Medium severity - Log Injection vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Log Injection due to improper sanitisation of user-controlled log output.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.6.0 or higher.\n# References\n- [GitHub Fix PR](https://github.com/gin-gonic/gin/pull/2277)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-117",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 5.3,
+                "security-severity": "5.3"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-1083943",
+              "shortDescription": {
+                "text": "Medium severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2019-11254) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It is possible for authorized users to send malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.8 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48)\n- [Kubernetes Issue](https://github.com/kubernetes/kubernetes/issues/89535)\n- [Kubernetes PR](https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-1050",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 6.5,
+                "security-severity": "6.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-1533594",
+              "shortDescription": {
+                "text": "Medium severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2021-4235) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241)\n- [GitHub Compare](https://github.com/go-yaml/yaml/compare/v2.2.2...v2.2.3)\n- [GitHub PR](https://github.com/go-yaml/yaml/pull/375)\n- [GitHub Releases](https://github.com/go-yaml/yaml/releases/tag/v2.2.3)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-400",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 6.5,
+                "security-severity": "6.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-3315326",
+              "shortDescription": {
+                "text": "High severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2022-3064) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing malicious or large YAML documents, due to missing limitation for stack depth expansion\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.4 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5)\n- [GitHub PR](https://github.com/go-yaml/yaml/pull/515)\n- [GitHub Release](https://github.com/go-yaml/yaml/releases/tag/v2.2.4)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-400",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.5,
+                "security-severity": "7.5"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3121073",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-5406508",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-550031",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-1083943",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-1533594",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-3315326",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 1
+          },
+          "rules": [
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-7501) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-7501 is limited to the Red Hat JBoss products.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+              "shortDescription": {
+                "text": "Medium severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-6420) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will  throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n# PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n  \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n  \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n  \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n  \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n  \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n# Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n# References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 5.6,
+                "security-severity": "5.6"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-4852) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-4852 is limited to the WebLogic Server product.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+              "shortDescription": {
+                "text": "High severity - Apache-2.0 license vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\nApache-2.0 license"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "gradle"
+                ],
+                "security-severity": "undefined"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}