@fabasoad/sarif-to-slack 0.2.0 → 0.2.2

package/test-data/sarif/snyk-gradle.sarif

@@ -0,0 +1,274 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 1
+          },
+          "rules": [
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-7501) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-7501 is limited to the Red Hat JBoss products.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+              "shortDescription": {
+                "text": "Medium severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-6420) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will  throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n# PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n  \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n  \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n  \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n  \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n  \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n# Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n# References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 5.6,
+                "security-severity": "5.6"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-4852) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-4852 is limited to the WebLogic Server product.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "gradle"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+              "shortDescription": {
+                "text": "High severity - Apache-2.0 license vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: gradle\n* Module: commons-collections:commons-collections\n* Introduced through: demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\nApache-2.0 license"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "gradle"
+                ],
+                "security-severity": "undefined"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "build.gradle"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "build.gradle"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

package/test-data/sarif/snyk-hex.sarif

@@ -0,0 +1,66 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 6
+          },
+          "rules": [
+            {
+              "id": "SNYK-HEX-PAGINATOR-1086684",
+              "shortDescription": {
+                "text": "Critical severity - Remote Code Execution (RCE) vulnerability in paginator"
+              },
+              "fullDescription": {
+                "text": "(CVE-2020-15150) paginator@0.6.0"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: hex\n* Vulnerable module: paginator\n* Introduced through: carafe@0.1.0 and paginator@0.6.0\n### Detailed paths\n* _Introduced through_: carafe@0.1.0 › paginator@0.6.0\n# Overview\n[paginator](https://hex.pm/packages/paginator) is a package that enables cursor-based pagination for Elixir Ecto.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via `paginate()` function when untrusted input is passed from a remote user.\r\n\r\n# PoC\r\n```\r\ndefp rce_start_xcalc() do\r\n    exploit = fn _, _ ->  System.cmd(\"xcalc\", []); {:cont, []} end\r\n    payload =\r\n    exploit\r\n    |> :erlang.term_to_binary()\r\n    |> Base.url_encode64()\r\nend\r\n```\n# Remediation\nUpgrade `paginator` to version 1.0.0 or higher.\n# References\n- [GitHub PR](https://github.com/duffelhq/paginator/commit/bf45e92602e517c75aea0465efc35cd661d9ebf8)\n- [Research Blog Post](https://www.alphabot.com/security/blog/2020/elixir/Remote-code-execution-vulnerability-in-Elixir-based-Paginator-project.html)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-94",
+                  "hex"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-HEX-PAGINATOR-1086684",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable paginator package with a critical severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "mix.exs"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "paginator@0.6.0"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

package/test-data/sarif/snyk-maven.sarif

@@ -0,0 +1,274 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Snyk Open Source",
+          "properties": {
+            "artifactsScanned": 1
+          },
+          "rules": [
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-7501) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: maven\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: com.example:demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: com.example:demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-7501 is limited to the Red Hat JBoss products.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "maven"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+              "shortDescription": {
+                "text": "Medium severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-6420) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: maven\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: com.example:demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: com.example:demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will  throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n# PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n  \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n  \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n  \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n  \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n  \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n# Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n# References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "maven"
+                ],
+                "cvssv3_baseScore": 5.6,
+                "security-severity": "5.6"
+              }
+            },
+            {
+              "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+              "shortDescription": {
+                "text": "High severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "(CVE-2015-4852) commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: maven\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: com.example:demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: com.example:demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\n# Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\r\n\r\n**Note:** the scope of CVE-2015-4852 is limited to the WebLogic Server product.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n# References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "CWE-502",
+                  "maven"
+                ],
+                "cvssv3_baseScore": 9.8,
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+              "shortDescription": {
+                "text": "High severity - Apache-2.0 license vulnerability in commons-collections:commons-collections"
+              },
+              "fullDescription": {
+                "text": "commons-collections:commons-collections@3.2.1"
+              },
+              "help": {
+                "text": "",
+                "markdown": "* Package Manager: maven\n* Module: commons-collections:commons-collections\n* Introduced through: com.example:demo@0.0.1-SNAPSHOT and commons-collections:commons-collections@3.2.1\n### Detailed paths\n* _Introduced through_: com.example:demo@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.2.1\nApache-2.0 license"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "maven"
+                ],
+                "security-severity": "undefined"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "pom.xml"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a medium severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "pom.xml"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ],
+          "fixes": [
+            {
+              "description": {
+                "text": "Upgrade to commons-collections:commons-collections@3.2.2"
+              },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "pom.xml"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "commons-collections:commons-collections@3.2.2"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "snyk:lic:maven:commons-collections:commons-collections:Apache-2.0",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable commons-collections:commons-collections package with a high severity vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "commons-collections:commons-collections@3.2.1"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}