@fabasoad/sarif-to-slack 0.1.1 → 0.2.1

package/test-data/sarif/snyk-gomodules.sarif

@@ -0,0 +1,388 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 10
+          },
+          "rules": [
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736",
+              "shortDescription": {
+                "text": "High severity - HTTP Response Splitting vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2020-28483) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to HTTP Response Splitting. When `gin` is exposed directly to the internet, a client's IP can be spoofed by setting the `X-Forwarded-For` header.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.7.7 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/3b555a560534ca3114515c4b32737ba51b10392c)\n- [GitHub Issue](https://github.com/gin-gonic/gin/issues/2862)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.7.7)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-113",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.1,
+                "security-severity": "7.1"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3121073",
+              "shortDescription": {
+                "text": "High severity - Improper Output Neutralization for Logs vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2020-36567) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs such that the default Formatter for the Logger middleware (`LoggerConfig.Formatter`), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.6.0 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/2237)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.6.0)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-117",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.3,
+                "security-severity": "7.3"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285",
+              "shortDescription": {
+                "text": "Medium severity - Improper Input Validation vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2023-26125) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the `X-Forwarded-Prefix` header, potentially leading to cache poisoning.\r\n\r\n**Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.\n# PoC\n```\r\npackage main\r\n\r\nimport (\r\n\t\"net/http\"\r\n\r\n\t\"github.com/gin-gonic/gin\"\r\n)\r\n\r\nfunc main() {\r\n\r\n\tr := gin.Default()\r\n\r\n\tr.GET(\"/bug\", func(c *gin.Context) {\r\n\t\tc.JSON(http.StatusBadRequest, gin.H{\"msg\": \"bug\"})\r\n\t})\r\n\r\n\tr.Run()\r\n}\r\n```\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.9.0 or higher.\n# References\n- [GitHub Commit](https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3500)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3503)\n- [GitHub Release](https://github.com/gin-gonic/gin/releases/tag/v1.9.0)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-20",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 5.6,
+                "security-severity": "5.6"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-5406508",
+              "shortDescription": {
+                "text": "High severity - Improper Input Validation vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "(CVE-2023-29401) github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FileAttachment` function, due to improper handling of the filename in the Content-Disposition response header.\r\n\r\nExploiting this vulnerability allows the extension/file name to be tampered with when downloading files.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.9.1 or higher.\n# References\n- [GitHub Commit](https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72)\n- [GitHub Issue](https://github.com/gin-gonic/gin/issues/3555)\n- [GitHub PR](https://github.com/gin-gonic/gin/pull/3556)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-20",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.5,
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-550031",
+              "shortDescription": {
+                "text": "Medium severity - Log Injection vulnerability in github.com/gin-gonic/gin"
+              },
+              "fullDescription": {
+                "text": "github.com/gin-gonic/gin@1.4.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: github.com/gin-gonic/gin\n* Introduced through: go-goof@0.0.0 and github.com/gin-gonic/gin@1.4.0\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0\n# Overview\n[github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) is a package that implements a HTTP web framework called gin.\n\nAffected versions of this package are vulnerable to Log Injection due to improper sanitisation of user-controlled log output.\n# Remediation\nUpgrade `github.com/gin-gonic/gin` to version 1.6.0 or higher.\n# References\n- [GitHub Fix PR](https://github.com/gin-gonic/gin/pull/2277)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-117",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 5.3,
+                "security-severity": "5.3"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-1083943",
+              "shortDescription": {
+                "text": "Medium severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2019-11254) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It is possible for authorized users to send malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.8 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48)\n- [Kubernetes Issue](https://github.com/kubernetes/kubernetes/issues/89535)\n- [Kubernetes PR](https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-1050",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 6.5,
+                "security-severity": "6.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-1533594",
+              "shortDescription": {
+                "text": "Medium severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2021-4235) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241)\n- [GitHub Compare](https://github.com/go-yaml/yaml/compare/v2.2.2...v2.2.3)\n- [GitHub PR](https://github.com/go-yaml/yaml/pull/375)\n- [GitHub Releases](https://github.com/go-yaml/yaml/releases/tag/v2.2.3)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-400",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 6.5,
+                "security-severity": "6.5"
+              }
+            },
+            {
+              "id": "SNYK-GOLANG-GOPKGINYAMLV2-3315326",
+              "shortDescription": {
+                "text": "High severity - Denial of Service (DoS) vulnerability in gopkg.in/yaml.v2"
+              },
+              "fullDescription": {
+                "text": "(CVE-2022-3064) gopkg.in/yaml.v2@2.2.2"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gomodules\n* Vulnerable module: gopkg.in/yaml.v2\n* Introduced through: go-goof@0.0.0, github.com/gin-gonic/gin@1.4.0 and others\n### Detailed paths\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/render@1.4.0 › gopkg.in/yaml.v2@2.2.2\n* _Introduced through_: go-goof@0.0.0 › github.com/gin-gonic/gin@1.4.0 › github.com/gin-gonic/gin/binding@1.4.0 › gopkg.in/yaml.v2@2.2.2\n# Overview\n[gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) is a YAML support package for the Go language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when parsing malicious or large YAML documents, due to missing limitation for stack depth expansion\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `gopkg.in/yaml.v2` to version 2.2.4 or higher.\n# References\n- [GitHub Commit](https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5)\n- [GitHub PR](https://github.com/go-yaml/yaml/pull/515)\n- [GitHub Release](https://github.com/go-yaml/yaml/releases/tag/v2.2.4)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-400",
+                  "gomodules"
+                ],
+                "cvssv3_baseScore": 7.5,
+                "security-severity": "7.5"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3121073",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-5406508",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GITHUBCOMGINGONICGIN-550031",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable github.com/gin-gonic/gin package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "github.com/gin-gonic/gin@1.4.0"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-1083943",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-1533594",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-GOLANG-GOPKGINYAMLV2-3315326",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable gopkg.in/yaml.v2 package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "go.mod"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "gopkg.in/yaml.v2@2.2.2"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}