@fabasoad/sarif-to-slack 0.2.0 → 0.2.2

Files changed (86)
  1. package/.github/workflows/release.yml +3 -1
  2. package/.github/workflows/send-sarif-to-slack.yml +214 -0
  3. package/.pre-commit-config.yaml +3 -3
  4. package/.tool-versions +1 -1
  5. package/Makefile +9 -2
  6. package/README.md +1 -1
  7. package/dist/Logger.js +15 -6
  8. package/dist/Processors.js +2 -32
  9. package/dist/SarifToSlackService.d.ts.map +1 -1
  10. package/dist/SarifToSlackService.js +13 -6
  11. package/dist/SlackMessageBuilder.js +46 -52
  12. package/dist/index.d.ts +7 -2
  13. package/dist/index.d.ts.map +1 -1
  14. package/dist/index.js +7 -3
  15. package/dist/model/SarifModelPerRun.d.ts +2 -0
  16. package/dist/model/SarifModelPerRun.d.ts.map +1 -0
  17. package/dist/model/SarifModelPerRun.js +90 -0
  18. package/dist/model/SarifModelPerSarif.d.ts +2 -0
  19. package/dist/model/SarifModelPerSarif.d.ts.map +1 -0
  20. package/dist/model/SarifModelPerSarif.js +102 -0
  21. package/dist/model/types.d.ts +2 -0
  22. package/dist/model/types.d.ts.map +1 -0
  23. package/dist/model/types.js +49 -0
  24. package/dist/sarif-to-slack.d.ts +96 -12
  25. package/dist/tsdoc-metadata.json +1 -1
  26. package/dist/types.d.ts +87 -11
  27. package/dist/types.d.ts.map +1 -1
  28. package/dist/types.js +66 -9
  29. package/dist/utils/SarifUtils.d.ts +2 -0
  30. package/dist/utils/SarifUtils.d.ts.map +1 -0
  31. package/dist/utils/SarifUtils.js +46 -0
  32. package/dist/utils/SortUtils.d.ts +2 -0
  33. package/dist/utils/SortUtils.d.ts.map +1 -0
  34. package/dist/utils/SortUtils.js +20 -0
  35. package/dist/version.d.ts +1 -1
  36. package/dist/version.d.ts.map +1 -1
  37. package/dist/version.js +11 -4
  38. package/etc/sarif-to-slack.api.md +32 -7
  39. package/jest.config.json +4 -4
  40. package/package.json +9 -7
  41. package/scripts/save-version.sh +9 -2
  42. package/src/Logger.ts +20 -17
  43. package/src/Processors.ts +1 -33
  44. package/src/SarifToSlackService.ts +13 -6
  45. package/src/SlackMessageBuilder.ts +78 -63
  46. package/src/index.ts +16 -6
  47. package/src/model/SarifModelPerRun.ts +120 -0
  48. package/src/model/SarifModelPerSarif.ts +126 -0
  49. package/src/model/types.ts +50 -0
  50. package/src/types.ts +91 -11
  51. package/src/utils/SarifUtils.ts +62 -0
  52. package/src/utils/SortUtils.ts +33 -0
  53. package/src/version.ts +10 -3
  54. package/test-data/sarif/codeql-csharp.sarif +1 -0
  55. package/test-data/sarif/codeql-go.sarif +1 -0
  56. package/test-data/sarif/codeql-python.sarif +1 -0
  57. package/test-data/sarif/codeql-ruby.sarif +1 -0
  58. package/test-data/sarif/codeql-typescript.sarif +1 -0
  59. package/test-data/sarif/grype-container.sarif +1774 -0
  60. package/test-data/sarif/runs-1-tools-1-results-0.sarif +18 -0
  61. package/test-data/sarif/runs-2-tools-1-results-0.sarif +30 -0
  62. package/test-data/sarif/runs-2-tools-1.sarif +656 -0
  63. package/test-data/sarif/runs-2-tools-2-results-0.sarif +44 -0
  64. package/test-data/sarif/runs-2-tools-2.sarif +686 -0
  65. package/test-data/sarif/runs-3-tools-2-results-0.sarif +48 -0
  66. package/test-data/sarif/runs-3-tools-2.sarif +278 -0
  67. package/test-data/sarif/snyk-composer.sarif +934 -0
  68. package/test-data/sarif/snyk-container.sarif +313 -0
  69. package/test-data/sarif/snyk-gomodules.sarif +388 -0
  70. package/test-data/sarif/snyk-gradle.sarif +274 -0
  71. package/test-data/sarif/snyk-hex.sarif +66 -0
  72. package/test-data/sarif/snyk-maven.sarif +274 -0
  73. package/test-data/sarif/snyk-npm.sarif +896 -0
  74. package/test-data/sarif/snyk-nuget.sarif +90 -0
  75. package/test-data/sarif/snyk-pip.sarif +66 -0
  76. package/test-data/sarif/snyk-pnpm.sarif +90 -0
  77. package/test-data/sarif/snyk-poetry.sarif +1952 -0
  78. package/test-data/sarif/snyk-rubygems.sarif +440 -0
  79. package/test-data/sarif/snyk-sbt.sarif +178 -0
  80. package/test-data/sarif/snyk-swift.sarif +112 -0
  81. package/test-data/sarif/snyk-yarn.sarif +2900 -0
  82. package/test-data/sarif/trivy-iac.sarif +134 -0
  83. package/test-data/sarif/wiz-container.sarif +30916 -0
  84. package/test-data/sarif/wiz-iac.sarif +558 -0
  85. package/tests/Processors.spec.ts +3 -42
  86. package/tests/integration/SendSarifToSlack.spec.ts +80 -0
@@ -0,0 +1,1774 @@
1
+ {
2
+ "version": "2.1.0",
3
+ "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
4
+ "runs": [
5
+ {
6
+ "tool": {
7
+ "driver": {
8
+ "name": "grype",
9
+ "version": "0.91.2",
10
+ "informationUri": "https://github.com/anchore/grype",
11
+ "rules": [
12
+ {
13
+ "id": "CVE-2024-9410-ada-libs",
14
+ "name": "ApkMatcherCpeMatch",
15
+ "shortDescription": {
16
+ "text": "CVE-2024-9410 medium vulnerability for ada-libs package"
17
+ },
18
+ "fullDescription": {
19
+ "text": "Ada.cx's Sentry configuration allowed for blind server-side request forgeries (SSRF) through the use of a data scraping endpoint."
20
+ },
21
+ "helpUri": "https://github.com/anchore/grype",
22
+ "help": {
23
+ "text": "Vulnerability CVE-2024-9410\nSeverity: medium\nPackage: ada-libs\nVersion: 2.9.2-r1\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2024-9410](https://nvd.nist.gov/vuln/detail/CVE-2024-9410)",
24
+ "markdown": "**Vulnerability CVE-2024-9410**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | ada-libs | 2.9.2-r1 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2024-9410](https://nvd.nist.gov/vuln/detail/CVE-2024-9410) |\n"
25
+ },
26
+ "properties": {
27
+ "purls": [
28
+ "pkg:apk/alpine/ada-libs@2.9.2-r1?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=ada"
29
+ ],
30
+ "security-severity": "5.3"
31
+ }
32
+ },
33
+ {
34
+ "id": "CVE-2024-58251-busybox",
35
+ "name": "ApkMatcherCpeMatch",
36
+ "shortDescription": {
37
+ "text": "CVE-2024-58251 low vulnerability for busybox package"
38
+ },
39
+ "fullDescription": {
40
+ "text": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim."
41
+ },
42
+ "helpUri": "https://github.com/anchore/grype",
43
+ "help": {
44
+ "text": "Vulnerability CVE-2024-58251\nSeverity: low\nPackage: busybox\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251)",
45
+ "markdown": "**Vulnerability CVE-2024-58251**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | busybox | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251) |\n"
46
+ },
47
+ "properties": {
48
+ "purls": [
49
+ "pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3"
50
+ ],
51
+ "security-severity": "2.5"
52
+ }
53
+ },
54
+ {
55
+ "id": "CVE-2025-46394-busybox",
56
+ "name": "ApkMatcherCpeMatch",
57
+ "shortDescription": {
58
+ "text": "CVE-2025-46394 low vulnerability for busybox package"
59
+ },
60
+ "fullDescription": {
61
+ "text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences."
62
+ },
63
+ "helpUri": "https://github.com/anchore/grype",
64
+ "help": {
65
+ "text": "Vulnerability CVE-2025-46394\nSeverity: low\nPackage: busybox\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394)",
66
+ "markdown": "**Vulnerability CVE-2025-46394**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | busybox | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394) |\n"
67
+ },
68
+ "properties": {
69
+ "purls": [
70
+ "pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3"
71
+ ],
72
+ "security-severity": "3.2"
73
+ }
74
+ },
75
+ {
76
+ "id": "CVE-2024-58251-busybox-binsh",
77
+ "name": "ApkMatcherCpeMatch",
78
+ "shortDescription": {
79
+ "text": "CVE-2024-58251 low vulnerability for busybox-binsh package"
80
+ },
81
+ "fullDescription": {
82
+ "text": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim."
83
+ },
84
+ "helpUri": "https://github.com/anchore/grype",
85
+ "help": {
86
+ "text": "Vulnerability CVE-2024-58251\nSeverity: low\nPackage: busybox-binsh\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251)",
87
+ "markdown": "**Vulnerability CVE-2024-58251**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | busybox-binsh | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251) |\n"
88
+ },
89
+ "properties": {
90
+ "purls": [
91
+ "pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=busybox"
92
+ ],
93
+ "security-severity": "2.5"
94
+ }
95
+ },
96
+ {
97
+ "id": "CVE-2025-46394-busybox-binsh",
98
+ "name": "ApkMatcherCpeMatch",
99
+ "shortDescription": {
100
+ "text": "CVE-2025-46394 low vulnerability for busybox-binsh package"
101
+ },
102
+ "fullDescription": {
103
+ "text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences."
104
+ },
105
+ "helpUri": "https://github.com/anchore/grype",
106
+ "help": {
107
+ "text": "Vulnerability CVE-2025-46394\nSeverity: low\nPackage: busybox-binsh\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394)",
108
+ "markdown": "**Vulnerability CVE-2025-46394**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | busybox-binsh | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394) |\n"
109
+ },
110
+ "properties": {
111
+ "purls": [
112
+ "pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=busybox"
113
+ ],
114
+ "security-severity": "3.2"
115
+ }
116
+ },
117
+ {
118
+ "id": "CVE-2025-30204-github.com/golang-jwt/jwt/v4",
119
+ "name": "GoModuleMatcherExactDirectMatch",
120
+ "shortDescription": {
121
+ "text": "CVE-2025-30204 high vulnerability for github.com/golang-jwt/jwt/v4 package"
122
+ },
123
+ "fullDescription": {
124
+ "text": "jwt-go allows excessive memory allocation during header parsing"
125
+ },
126
+ "helpUri": "https://github.com/anchore/grype",
127
+ "help": {
128
+ "text": "Vulnerability CVE-2025-30204\nSeverity: high\nPackage: github.com/golang-jwt/jwt/v4\nVersion: v4.5.1\nFix Version: 4.5.2\nType: go-module\nLocation: /usr/local/bin/terraform\nData Namespace: github:language:go\nLink: [CVE-2025-30204](https://github.com/advisories/GHSA-mh63-6h87-95cp)",
129
+ "markdown": "**Vulnerability CVE-2025-30204**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | github.com/golang-jwt/jwt/v4 | v4.5.1 | 4.5.2 | go-module | /usr/local/bin/terraform | github:language:go | [CVE-2025-30204](https://github.com/advisories/GHSA-mh63-6h87-95cp) |\n"
130
+ },
131
+ "properties": {
132
+ "purls": [
133
+ "pkg:golang/github.com/golang-jwt/jwt@v4.5.1#v4"
134
+ ],
135
+ "security-severity": "7.5"
136
+ }
137
+ },
138
+ {
139
+ "id": "CVE-2024-6257-github.com/hashicorp/go-getter",
140
+ "name": "GoModuleMatcherExactDirectMatch",
141
+ "shortDescription": {
142
+ "text": "CVE-2024-6257 high vulnerability for github.com/hashicorp/go-getter package"
143
+ },
144
+ "fullDescription": {
145
+ "text": "HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation"
146
+ },
147
+ "helpUri": "https://github.com/anchore/grype",
148
+ "help": {
149
+ "text": "Vulnerability CVE-2024-6257\nSeverity: high\nPackage: github.com/hashicorp/go-getter\nVersion: v1.7.4\nFix Version: 1.7.5\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: github:language:go\nLink: [CVE-2024-6257](https://github.com/advisories/GHSA-xfhp-jf8p-mh5w)",
150
+ "markdown": "**Vulnerability CVE-2024-6257**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | github.com/hashicorp/go-getter | v1.7.4 | 1.7.5 | go-module | /usr/bin/tflint | github:language:go | [CVE-2024-6257](https://github.com/advisories/GHSA-xfhp-jf8p-mh5w) |\n"
151
+ },
152
+ "properties": {
153
+ "purls": [
154
+ "pkg:golang/github.com/hashicorp/go-getter@v1.7.4"
155
+ ],
156
+ "security-severity": "8.4"
157
+ }
158
+ },
159
+ {
160
+ "id": "CVE-2024-45337-golang.org/x/crypto",
161
+ "name": "GoModuleMatcherExactDirectMatch",
162
+ "shortDescription": {
163
+ "text": "CVE-2024-45337 critical vulnerability for golang.org/x/crypto package"
164
+ },
165
+ "fullDescription": {
166
+ "text": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto"
167
+ },
168
+ "helpUri": "https://github.com/anchore/grype",
169
+ "help": {
170
+ "text": "Vulnerability CVE-2024-45337\nSeverity: critical\nPackage: golang.org/x/crypto\nVersion: v0.23.0\nFix Version: 0.31.0\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: github:language:go\nLink: [CVE-2024-45337](https://github.com/advisories/GHSA-v778-237x-gjrc)",
171
+ "markdown": "**Vulnerability CVE-2024-45337**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | golang.org/x/crypto | v0.23.0 | 0.31.0 | go-module | /usr/bin/tflint | github:language:go | [CVE-2024-45337](https://github.com/advisories/GHSA-v778-237x-gjrc) |\n"
172
+ },
173
+ "properties": {
174
+ "purls": [
175
+ "pkg:golang/golang.org/x/crypto@v0.23.0"
176
+ ],
177
+ "security-severity": "9.1"
178
+ }
179
+ },
180
+ {
181
+ "id": "CVE-2025-22869-golang.org/x/crypto",
182
+ "name": "GoModuleMatcherExactDirectMatch",
183
+ "shortDescription": {
184
+ "text": "CVE-2025-22869 high vulnerability for golang.org/x/crypto package"
185
+ },
186
+ "fullDescription": {
187
+ "text": "golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange"
188
+ },
189
+ "helpUri": "https://github.com/anchore/grype",
190
+ "help": {
191
+ "text": "Vulnerability CVE-2025-22869\nSeverity: high\nPackage: golang.org/x/crypto\nVersion: v0.23.0\nFix Version: 0.35.0\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: github:language:go\nLink: [CVE-2025-22869](https://github.com/advisories/GHSA-hcg3-q754-cr77)",
192
+ "markdown": "**Vulnerability CVE-2025-22869**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | golang.org/x/crypto | v0.23.0 | 0.35.0 | go-module | /usr/bin/tflint | github:language:go | [CVE-2025-22869](https://github.com/advisories/GHSA-hcg3-q754-cr77) |\n"
193
+ },
194
+ "properties": {
195
+ "purls": [
196
+ "pkg:golang/golang.org/x/crypto@v0.23.0"
197
+ ],
198
+ "security-severity": "7.5"
199
+ }
200
+ },
201
+ {
202
+ "id": "CVE-2025-22870-golang.org/x/net",
203
+ "name": "GoModuleMatcherExactDirectMatch",
204
+ "shortDescription": {
205
+ "text": "CVE-2025-22870 medium vulnerability for golang.org/x/net package"
206
+ },
207
+ "fullDescription": {
208
+ "text": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
209
+ },
210
+ "helpUri": "https://github.com/anchore/grype",
211
+ "help": {
212
+ "text": "Vulnerability CVE-2025-22870\nSeverity: medium\nPackage: golang.org/x/net\nVersion: v0.25.0\nFix Version: 0.36.0\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: github:language:go\nLink: [CVE-2025-22870](https://github.com/advisories/GHSA-qxp5-gwg8-xv66)",
213
+ "markdown": "**Vulnerability CVE-2025-22870**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | golang.org/x/net | v0.25.0 | 0.36.0 | go-module | /usr/bin/tflint | github:language:go | [CVE-2025-22870](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) |\n"
214
+ },
215
+ "properties": {
216
+ "purls": [
217
+ "pkg:golang/golang.org/x/net@v0.25.0"
218
+ ],
219
+ "security-severity": "4.4"
220
+ }
221
+ },
222
+ {
223
+ "id": "CVE-2025-22872-golang.org/x/net",
224
+ "name": "GoModuleMatcherExactDirectMatch",
225
+ "shortDescription": {
226
+ "text": "CVE-2025-22872 medium vulnerability for golang.org/x/net package"
227
+ },
228
+ "fullDescription": {
229
+ "text": "golang.org/x/net vulnerable to Cross-site Scripting"
230
+ },
231
+ "helpUri": "https://github.com/anchore/grype",
232
+ "help": {
233
+ "text": "Vulnerability CVE-2025-22872\nSeverity: medium\nPackage: golang.org/x/net\nVersion: v0.25.0\nFix Version: 0.38.0\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: github:language:go\nLink: [CVE-2025-22872](https://github.com/advisories/GHSA-vvgc-356p-c3xw)",
234
+ "markdown": "**Vulnerability CVE-2025-22872**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | golang.org/x/net | v0.25.0 | 0.38.0 | go-module | /usr/bin/tflint | github:language:go | [CVE-2025-22872](https://github.com/advisories/GHSA-vvgc-356p-c3xw) |\n"
235
+ },
236
+ "properties": {
237
+ "purls": [
238
+ "pkg:golang/golang.org/x/net@v0.25.0"
239
+ ],
240
+ "security-severity": "4.0"
241
+ }
242
+ },
243
+ {
244
+ "id": "CVE-2023-2976-guava",
245
+ "name": "JavaMatcherExactDirectMatch",
246
+ "shortDescription": {
247
+ "text": "CVE-2023-2976 medium vulnerability for guava package"
248
+ },
249
+ "fullDescription": {
250
+ "text": "Guava vulnerable to insecure use of temporary directory"
251
+ },
252
+ "helpUri": "https://github.com/anchore/grype",
253
+ "help": {
254
+ "text": "Vulnerability CVE-2023-2976\nSeverity: medium\nPackage: guava\nVersion: 30.1-jre\nFix Version: 32.0.0-android\nType: java-archive\nLocation: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar\nData Namespace: github:language:java\nLink: [CVE-2023-2976](https://github.com/advisories/GHSA-7g45-4rm6-3mm3)",
255
+ "markdown": "**Vulnerability CVE-2023-2976**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | guava | 30.1-jre | 32.0.0-android | java-archive | /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | github:language:java | [CVE-2023-2976](https://github.com/advisories/GHSA-7g45-4rm6-3mm3) |\n"
256
+ },
257
+ "properties": {
258
+ "purls": [
259
+ "pkg:maven/com.google.guava/guava@30.1-jre"
260
+ ],
261
+ "security-severity": "5.5"
262
+ }
263
+ },
264
+ {
265
+ "id": "CVE-2020-8908-guava",
266
+ "name": "JavaMatcherExactDirectMatch",
267
+ "shortDescription": {
268
+ "text": "CVE-2020-8908 low vulnerability for guava package"
269
+ },
270
+ "fullDescription": {
271
+ "text": "Information Disclosure in Guava"
272
+ },
273
+ "helpUri": "https://github.com/anchore/grype",
274
+ "help": {
275
+ "text": "Vulnerability CVE-2020-8908\nSeverity: low\nPackage: guava\nVersion: 30.1-jre\nFix Version: 32.0.0-android\nType: java-archive\nLocation: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar\nData Namespace: github:language:java\nLink: [CVE-2020-8908](https://github.com/advisories/GHSA-5mg8-w23w-74h3)",
276
+ "markdown": "**Vulnerability CVE-2020-8908**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | guava | 30.1-jre | 32.0.0-android | java-archive | /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | github:language:java | [CVE-2020-8908](https://github.com/advisories/GHSA-5mg8-w23w-74h3) |\n"
277
+ },
278
+ "properties": {
279
+ "purls": [
280
+ "pkg:maven/com.google.guava/guava@30.1-jre"
281
+ ],
282
+ "security-severity": "3.3"
283
+ }
284
+ },
285
+ {
286
+ "id": "CVE-2024-7254-protobuf-java",
287
+ "name": "JavaMatcherExactDirectMatch",
288
+ "shortDescription": {
289
+ "text": "CVE-2024-7254 high vulnerability for protobuf-java package"
290
+ },
291
+ "fullDescription": {
292
+ "text": "protobuf-java has potential Denial of Service issue"
293
+ },
294
+ "helpUri": "https://github.com/anchore/grype",
295
+ "help": {
296
+ "text": "Vulnerability CVE-2024-7254\nSeverity: high\nPackage: protobuf-java\nVersion: 3.19.6\nFix Version: 3.25.5\nType: java-archive\nLocation: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar\nData Namespace: github:language:java\nLink: [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8)",
297
+ "markdown": "**Vulnerability CVE-2024-7254**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | protobuf-java | 3.19.6 | 3.25.5 | java-archive | /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar | github:language:java | [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8) |\n"
298
+ },
299
+ "properties": {
300
+ "purls": [
301
+ "pkg:maven/com.google.protobuf/protobuf-java@3.19.6"
302
+ ],
303
+ "security-severity": "7.5"
304
+ }
305
+ },
306
+ {
307
+ "id": "CVE-2025-4516-python3",
308
+ "name": "ApkMatcherCpeMatch",
309
+ "shortDescription": {
310
+ "text": "CVE-2025-4516 medium vulnerability for python3 package"
311
+ },
312
+ "fullDescription": {
313
+ "text": "There is an issue in CPython when using `bytes.decode(\"unicode_escape\", error=\"ignore|replace\")`. If you are not using the \"unicode_escape\" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError."
314
+ },
315
+ "helpUri": "https://github.com/anchore/grype",
316
+ "help": {
317
+ "text": "Vulnerability CVE-2025-4516\nSeverity: medium\nPackage: python3\nVersion: 3.12.10-r0\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2025-4516](https://nvd.nist.gov/vuln/detail/CVE-2025-4516)",
318
+ "markdown": "**Vulnerability CVE-2025-4516**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | python3 | 3.12.10-r0 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2025-4516](https://nvd.nist.gov/vuln/detail/CVE-2025-4516) |\n"
319
+ },
320
+ "properties": {
321
+ "purls": [
322
+ "pkg:apk/alpine/python3@3.12.10-r0?arch=aarch64\u0026distro=alpine-3.21.3"
323
+ ],
324
+ "security-severity": "5.9"
325
+ }
326
+ },
327
+ {
328
+ "id": "CVE-2024-3220-python3",
329
+ "name": "ApkMatcherCpeMatch",
330
+ "shortDescription": {
331
+ "text": "CVE-2024-3220 low vulnerability for python3 package"
332
+ },
333
+ "fullDescription": {
334
+ "text": "There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type.\n\nThis defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\\etc\\mime.types”).\n\nTo work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations."
335
+ },
336
+ "helpUri": "https://github.com/anchore/grype",
337
+ "help": {
338
+ "text": "Vulnerability CVE-2024-3220\nSeverity: low\nPackage: python3\nVersion: 3.12.10-r0\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220)",
339
+ "markdown": "**Vulnerability CVE-2024-3220**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | python3 | 3.12.10-r0 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220) |\n"
340
+ },
341
+ "properties": {
342
+ "purls": [
343
+ "pkg:apk/alpine/python3@3.12.10-r0?arch=aarch64\u0026distro=alpine-3.21.3"
344
+ ],
345
+ "security-severity": "2.3"
346
+ }
347
+ },
348
+ {
349
+ "id": "CVE-2025-3277-sqlite-libs",
350
+ "name": "ApkMatcherCpeMatch",
351
+ "shortDescription": {
352
+ "text": "CVE-2025-3277 medium vulnerability for sqlite-libs package"
353
+ },
354
+ "fullDescription": {
355
+ "text": "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution."
356
+ },
357
+ "helpUri": "https://github.com/anchore/grype",
358
+ "help": {
359
+ "text": "Vulnerability CVE-2025-3277\nSeverity: medium\nPackage: sqlite-libs\nVersion: 3.48.0-r2\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2025-3277](https://nvd.nist.gov/vuln/detail/CVE-2025-3277)",
360
+ "markdown": "**Vulnerability CVE-2025-3277**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | sqlite-libs | 3.48.0-r2 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2025-3277](https://nvd.nist.gov/vuln/detail/CVE-2025-3277) |\n"
361
+ },
362
+ "properties": {
363
+ "purls": [
364
+ "pkg:apk/alpine/sqlite-libs@3.48.0-r2?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=sqlite"
365
+ ],
366
+ "security-severity": "6.9"
367
+ }
368
+ },
369
+ {
370
+ "id": "CVE-2024-58251-ssl_client",
371
+ "name": "ApkMatcherCpeMatch",
372
+ "shortDescription": {
373
+ "text": "CVE-2024-58251 low vulnerability for ssl_client package"
374
+ },
375
+ "fullDescription": {
376
+ "text": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim."
377
+ },
378
+ "helpUri": "https://github.com/anchore/grype",
379
+ "help": {
380
+ "text": "Vulnerability CVE-2024-58251\nSeverity: low\nPackage: ssl_client\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251)",
381
+ "markdown": "**Vulnerability CVE-2024-58251**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | ssl_client | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2024-58251](https://nvd.nist.gov/vuln/detail/CVE-2024-58251) |\n"
382
+ },
383
+ "properties": {
384
+ "purls": [
385
+ "pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=busybox"
386
+ ],
387
+ "security-severity": "2.5"
388
+ }
389
+ },
390
+ {
391
+ "id": "CVE-2025-46394-ssl_client",
392
+ "name": "ApkMatcherCpeMatch",
393
+ "shortDescription": {
394
+ "text": "CVE-2025-46394 low vulnerability for ssl_client package"
395
+ },
396
+ "fullDescription": {
397
+ "text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences."
398
+ },
399
+ "helpUri": "https://github.com/anchore/grype",
400
+ "help": {
401
+ "text": "Vulnerability CVE-2025-46394\nSeverity: low\nPackage: ssl_client\nVersion: 1.37.0-r12\nFix Version: \nType: apk\nLocation: /lib/apk/db/installed\nData Namespace: nvd:cpe\nLink: [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394)",
402
+ "markdown": "**Vulnerability CVE-2025-46394**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | ssl_client | 1.37.0-r12 | | apk | /lib/apk/db/installed | nvd:cpe | [CVE-2025-46394](https://nvd.nist.gov/vuln/detail/CVE-2025-46394) |\n"
403
+ },
404
+ "properties": {
405
+ "purls": [
406
+ "pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64\u0026distro=alpine-3.21.3\u0026upstream=busybox"
407
+ ],
408
+ "security-severity": "3.2"
409
+ }
410
+ },
411
+ {
412
+ "id": "CVE-2025-22871-stdlib",
413
+ "name": "GoModuleMatcherCpeMatch",
414
+ "shortDescription": {
415
+ "text": "CVE-2025-22871 critical vulnerability for stdlib package"
416
+ },
417
+ "fullDescription": {
418
+ "text": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."
419
+ },
420
+ "helpUri": "https://github.com/anchore/grype",
421
+ "help": {
422
+ "text": "Vulnerability CVE-2025-22871\nSeverity: critical\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.23.8,1.24.2\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871)",
423
+ "markdown": "**Vulnerability CVE-2025-22871**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | stdlib | go1.22.5 | 1.23.8,1.24.2 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871) |\n"
424
+ },
425
+ "properties": {
426
+ "purls": [
427
+ "pkg:golang/stdlib@1.22.5"
428
+ ],
429
+ "security-severity": "9.1"
430
+ }
431
+ },
432
+ {
433
+ "id": "CVE-2024-34156-stdlib",
434
+ "name": "GoModuleMatcherCpeMatch",
435
+ "shortDescription": {
436
+ "text": "CVE-2024-34156 high vulnerability for stdlib package"
437
+ },
438
+ "fullDescription": {
439
+ "text": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635."
440
+ },
441
+ "helpUri": "https://github.com/anchore/grype",
442
+ "help": {
443
+ "text": "Vulnerability CVE-2024-34156\nSeverity: high\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.7,1.23.1\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156)",
444
+ "markdown": "**Vulnerability CVE-2024-34156**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.22.5 | 1.22.7,1.23.1 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156) |\n"
445
+ },
446
+ "properties": {
447
+ "purls": [
448
+ "pkg:golang/stdlib@1.22.5"
449
+ ],
450
+ "security-severity": "7.5"
451
+ }
452
+ },
453
+ {
454
+ "id": "CVE-2024-34158-stdlib",
455
+ "name": "GoModuleMatcherCpeMatch",
456
+ "shortDescription": {
457
+ "text": "CVE-2024-34158 high vulnerability for stdlib package"
458
+ },
459
+ "fullDescription": {
460
+ "text": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion."
461
+ },
462
+ "helpUri": "https://github.com/anchore/grype",
463
+ "help": {
464
+ "text": "Vulnerability CVE-2024-34158\nSeverity: high\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.7,1.23.1\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2024-34158](https://nvd.nist.gov/vuln/detail/CVE-2024-34158)",
465
+ "markdown": "**Vulnerability CVE-2024-34158**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.22.5 | 1.22.7,1.23.1 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2024-34158](https://nvd.nist.gov/vuln/detail/CVE-2024-34158) |\n"
466
+ },
467
+ "properties": {
468
+ "purls": [
469
+ "pkg:golang/stdlib@1.22.5"
470
+ ],
471
+ "security-severity": "7.5"
472
+ }
473
+ },
474
+ {
475
+ "id": "CVE-2024-34155-stdlib",
476
+ "name": "GoModuleMatcherCpeMatch",
477
+ "shortDescription": {
478
+ "text": "CVE-2024-34155 medium vulnerability for stdlib package"
479
+ },
480
+ "fullDescription": {
481
+ "text": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."
482
+ },
483
+ "helpUri": "https://github.com/anchore/grype",
484
+ "help": {
485
+ "text": "Vulnerability CVE-2024-34155\nSeverity: medium\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.7,1.23.1\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155)",
486
+ "markdown": "**Vulnerability CVE-2024-34155**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | stdlib | go1.22.5 | 1.22.7,1.23.1 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) |\n"
487
+ },
488
+ "properties": {
489
+ "purls": [
490
+ "pkg:golang/stdlib@1.22.5"
491
+ ],
492
+ "security-severity": "4.3"
493
+ }
494
+ },
495
+ {
496
+ "id": "CVE-2024-45336-stdlib",
497
+ "name": "GoModuleMatcherCpeMatch",
498
+ "shortDescription": {
499
+ "text": "CVE-2024-45336 medium vulnerability for stdlib package"
500
+ },
501
+ "fullDescription": {
502
+ "text": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2."
503
+ },
504
+ "helpUri": "https://github.com/anchore/grype",
505
+ "help": {
506
+ "text": "Vulnerability CVE-2024-45336\nSeverity: medium\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.11,1.23.5,1.24.0-rc.2\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2024-45336](https://nvd.nist.gov/vuln/detail/CVE-2024-45336)",
507
+ "markdown": "**Vulnerability CVE-2024-45336**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | stdlib | go1.22.5 | 1.22.11,1.23.5,1.24.0-rc.2 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2024-45336](https://nvd.nist.gov/vuln/detail/CVE-2024-45336) |\n"
508
+ },
509
+ "properties": {
510
+ "purls": [
511
+ "pkg:golang/stdlib@1.22.5"
512
+ ],
513
+ "security-severity": "6.1"
514
+ }
515
+ },
516
+ {
517
+ "id": "CVE-2024-45341-stdlib",
518
+ "name": "GoModuleMatcherCpeMatch",
519
+ "shortDescription": {
520
+ "text": "CVE-2024-45341 medium vulnerability for stdlib package"
521
+ },
522
+ "fullDescription": {
523
+ "text": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs."
524
+ },
525
+ "helpUri": "https://github.com/anchore/grype",
526
+ "help": {
527
+ "text": "Vulnerability CVE-2024-45341\nSeverity: medium\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.11,1.23.5,1.24.0-rc.2\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2024-45341](https://nvd.nist.gov/vuln/detail/CVE-2024-45341)",
528
+ "markdown": "**Vulnerability CVE-2024-45341**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | stdlib | go1.22.5 | 1.22.11,1.23.5,1.24.0-rc.2 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2024-45341](https://nvd.nist.gov/vuln/detail/CVE-2024-45341) |\n"
529
+ },
530
+ "properties": {
531
+ "purls": [
532
+ "pkg:golang/stdlib@1.22.5"
533
+ ],
534
+ "security-severity": "6.1"
535
+ }
536
+ },
537
+ {
538
+ "id": "CVE-2025-22866-stdlib",
539
+ "name": "GoModuleMatcherCpeMatch",
540
+ "shortDescription": {
541
+ "text": "CVE-2025-22866 medium vulnerability for stdlib package"
542
+ },
543
+ "fullDescription": {
544
+ "text": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols."
545
+ },
546
+ "helpUri": "https://github.com/anchore/grype",
547
+ "help": {
548
+ "text": "Vulnerability CVE-2025-22866\nSeverity: medium\nPackage: stdlib\nVersion: go1.22.5\nFix Version: 1.22.12,1.23.6,1.24.0-rc.3\nType: go-module\nLocation: /usr/bin/tflint\nData Namespace: nvd:cpe\nLink: [CVE-2025-22866](https://nvd.nist.gov/vuln/detail/CVE-2025-22866)",
549
+ "markdown": "**Vulnerability CVE-2025-22866**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | stdlib | go1.22.5 | 1.22.12,1.23.6,1.24.0-rc.3 | go-module | /usr/bin/tflint | nvd:cpe | [CVE-2025-22866](https://nvd.nist.gov/vuln/detail/CVE-2025-22866) |\n"
550
+ },
551
+ "properties": {
552
+ "purls": [
553
+ "pkg:golang/stdlib@1.22.5"
554
+ ],
555
+ "security-severity": "4.0"
556
+ }
557
+ }
558
+ ]
559
+ }
560
+ },
561
+ "results": [
562
+ {
563
+ "ruleId": "CVE-2024-9410-ada-libs",
564
+ "level": "warning",
565
+ "message": {
566
+ "text": "A medium vulnerability in apk package: ada-libs, version 2.9.2-r1 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
567
+ },
568
+ "locations": [
569
+ {
570
+ "physicalLocation": {
571
+ "artifactLocation": {
572
+ "uri": "pre-commit-container//lib/apk/db/installed"
573
+ },
574
+ "region": {
575
+ "startLine": 1,
576
+ "startColumn": 1,
577
+ "endLine": 1,
578
+ "endColumn": 1
579
+ }
580
+ },
581
+ "logicalLocations": [
582
+ {
583
+ "name": "/lib/apk/db/installed",
584
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
585
+ }
586
+ ]
587
+ }
588
+ ],
589
+ "partialFingerprints": {
590
+ "primaryLocationLineHash": "dacd19d5f90c2001209a8ea8cd1bf33ec916efdeb844460fb243a344a77b24f5:1"
591
+ }
592
+ },
593
+ {
594
+ "ruleId": "CVE-2024-58251-busybox",
595
+ "level": "note",
596
+ "message": {
597
+ "text": "A low vulnerability in apk package: busybox, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
598
+ },
599
+ "locations": [
600
+ {
601
+ "physicalLocation": {
602
+ "artifactLocation": {
603
+ "uri": "pre-commit-container//lib/apk/db/installed"
604
+ },
605
+ "region": {
606
+ "startLine": 1,
607
+ "startColumn": 1,
608
+ "endLine": 1,
609
+ "endColumn": 1
610
+ }
611
+ },
612
+ "logicalLocations": [
613
+ {
614
+ "name": "/lib/apk/db/installed",
615
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
616
+ }
617
+ ]
618
+ }
619
+ ],
620
+ "partialFingerprints": {
621
+ "primaryLocationLineHash": "6bd4cba81f5ce02baec755eeb33f364ae5361316964e3bc078eee22155c6755f:1"
622
+ }
623
+ },
624
+ {
625
+ "ruleId": "CVE-2025-46394-busybox",
626
+ "level": "note",
627
+ "message": {
628
+ "text": "A low vulnerability in apk package: busybox, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
629
+ },
630
+ "locations": [
631
+ {
632
+ "physicalLocation": {
633
+ "artifactLocation": {
634
+ "uri": "pre-commit-container//lib/apk/db/installed"
635
+ },
636
+ "region": {
637
+ "startLine": 1,
638
+ "startColumn": 1,
639
+ "endLine": 1,
640
+ "endColumn": 1
641
+ }
642
+ },
643
+ "logicalLocations": [
644
+ {
645
+ "name": "/lib/apk/db/installed",
646
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
647
+ }
648
+ ]
649
+ }
650
+ ],
651
+ "partialFingerprints": {
652
+ "primaryLocationLineHash": "6bd4cba81f5ce02baec755eeb33f364ae5361316964e3bc078eee22155c6755f:1"
653
+ }
654
+ },
655
+ {
656
+ "ruleId": "CVE-2024-58251-busybox-binsh",
657
+ "level": "note",
658
+ "message": {
659
+ "text": "A low vulnerability in apk package: busybox-binsh, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
660
+ },
661
+ "locations": [
662
+ {
663
+ "physicalLocation": {
664
+ "artifactLocation": {
665
+ "uri": "pre-commit-container//lib/apk/db/installed"
666
+ },
667
+ "region": {
668
+ "startLine": 1,
669
+ "startColumn": 1,
670
+ "endLine": 1,
671
+ "endColumn": 1
672
+ }
673
+ },
674
+ "logicalLocations": [
675
+ {
676
+ "name": "/lib/apk/db/installed",
677
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
678
+ }
679
+ ]
680
+ }
681
+ ],
682
+ "partialFingerprints": {
683
+ "primaryLocationLineHash": "43fb898e4d18f31afb60ab8be546425afa5b5221aa45608402980b92c64c43fe:1"
684
+ }
685
+ },
686
+ {
687
+ "ruleId": "CVE-2025-46394-busybox-binsh",
688
+ "level": "note",
689
+ "message": {
690
+ "text": "A low vulnerability in apk package: busybox-binsh, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
691
+ },
692
+ "locations": [
693
+ {
694
+ "physicalLocation": {
695
+ "artifactLocation": {
696
+ "uri": "pre-commit-container//lib/apk/db/installed"
697
+ },
698
+ "region": {
699
+ "startLine": 1,
700
+ "startColumn": 1,
701
+ "endLine": 1,
702
+ "endColumn": 1
703
+ }
704
+ },
705
+ "logicalLocations": [
706
+ {
707
+ "name": "/lib/apk/db/installed",
708
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
709
+ }
710
+ ]
711
+ }
712
+ ],
713
+ "partialFingerprints": {
714
+ "primaryLocationLineHash": "43fb898e4d18f31afb60ab8be546425afa5b5221aa45608402980b92c64c43fe:1"
715
+ }
716
+ },
717
+ {
718
+ "ruleId": "CVE-2025-30204-github.com/golang-jwt/jwt/v4",
719
+ "level": "error",
720
+ "message": {
721
+ "text": "A high vulnerability in go-module package: github.com/golang-jwt/jwt/v4, version v4.5.1 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
722
+ },
723
+ "locations": [
724
+ {
725
+ "physicalLocation": {
726
+ "artifactLocation": {
727
+ "uri": "pre-commit-container//usr/local/bin/terraform"
728
+ },
729
+ "region": {
730
+ "startLine": 1,
731
+ "startColumn": 1,
732
+ "endLine": 1,
733
+ "endColumn": 1
734
+ }
735
+ },
736
+ "logicalLocations": [
737
+ {
738
+ "name": "/usr/local/bin/terraform",
739
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
740
+ }
741
+ ]
742
+ }
743
+ ],
744
+ "partialFingerprints": {
745
+ "primaryLocationLineHash": "ae44edd9e52af97334967c1a8dec6b9de008df538dc185a6136a0643cd50aec5:1"
746
+ }
747
+ },
748
+ {
749
+ "ruleId": "CVE-2024-6257-github.com/hashicorp/go-getter",
750
+ "level": "error",
751
+ "message": {
752
+ "text": "A high vulnerability in go-module package: github.com/hashicorp/go-getter, version v1.7.4 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
753
+ },
754
+ "locations": [
755
+ {
756
+ "physicalLocation": {
757
+ "artifactLocation": {
758
+ "uri": "pre-commit-container//usr/bin/tflint"
759
+ },
760
+ "region": {
761
+ "startLine": 1,
762
+ "startColumn": 1,
763
+ "endLine": 1,
764
+ "endColumn": 1
765
+ }
766
+ },
767
+ "logicalLocations": [
768
+ {
769
+ "name": "/usr/bin/tflint",
770
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
771
+ }
772
+ ]
773
+ }
774
+ ],
775
+ "partialFingerprints": {
776
+ "primaryLocationLineHash": "e49d6048254f345008d6c3d2fa94a769c25db46f916509df0cd3f2c7575dfba7:1"
777
+ }
778
+ },
779
+ {
780
+ "ruleId": "CVE-2024-45337-golang.org/x/crypto",
781
+ "level": "error",
782
+ "message": {
783
+ "text": "A critical vulnerability in go-module package: golang.org/x/crypto, version v0.23.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
784
+ },
785
+ "locations": [
786
+ {
787
+ "physicalLocation": {
788
+ "artifactLocation": {
789
+ "uri": "pre-commit-container//usr/bin/tflint"
790
+ },
791
+ "region": {
792
+ "startLine": 1,
793
+ "startColumn": 1,
794
+ "endLine": 1,
795
+ "endColumn": 1
796
+ }
797
+ },
798
+ "logicalLocations": [
799
+ {
800
+ "name": "/usr/bin/tflint",
801
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
802
+ }
803
+ ]
804
+ }
805
+ ],
806
+ "partialFingerprints": {
807
+ "primaryLocationLineHash": "6956a49b025d2f92fc802e958e216ba5c5730e61fbeb6837bcacf8193dc8218b:1"
808
+ }
809
+ },
810
+ {
811
+ "ruleId": "CVE-2025-22869-golang.org/x/crypto",
812
+ "level": "error",
813
+ "message": {
814
+ "text": "A high vulnerability in go-module package: golang.org/x/crypto, version v0.23.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
815
+ },
816
+ "locations": [
817
+ {
818
+ "physicalLocation": {
819
+ "artifactLocation": {
820
+ "uri": "pre-commit-container//usr/bin/tflint"
821
+ },
822
+ "region": {
823
+ "startLine": 1,
824
+ "startColumn": 1,
825
+ "endLine": 1,
826
+ "endColumn": 1
827
+ }
828
+ },
829
+ "logicalLocations": [
830
+ {
831
+ "name": "/usr/bin/tflint",
832
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
833
+ }
834
+ ]
835
+ }
836
+ ],
837
+ "partialFingerprints": {
838
+ "primaryLocationLineHash": "6956a49b025d2f92fc802e958e216ba5c5730e61fbeb6837bcacf8193dc8218b:1"
839
+ }
840
+ },
841
+ {
842
+ "ruleId": "CVE-2025-22870-golang.org/x/net",
843
+ "level": "warning",
844
+ "message": {
845
+ "text": "A medium vulnerability in go-module package: golang.org/x/net, version v0.25.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
846
+ },
847
+ "locations": [
848
+ {
849
+ "physicalLocation": {
850
+ "artifactLocation": {
851
+ "uri": "pre-commit-container//usr/bin/tflint"
852
+ },
853
+ "region": {
854
+ "startLine": 1,
855
+ "startColumn": 1,
856
+ "endLine": 1,
857
+ "endColumn": 1
858
+ }
859
+ },
860
+ "logicalLocations": [
861
+ {
862
+ "name": "/usr/bin/tflint",
863
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
864
+ }
865
+ ]
866
+ }
867
+ ],
868
+ "partialFingerprints": {
869
+ "primaryLocationLineHash": "f06d422ba1cad448bfe519698c2c3b1f6a80804683e6faa0cab82bc1e02fc6dd:1"
870
+ }
871
+ },
872
+ {
873
+ "ruleId": "CVE-2025-22872-golang.org/x/net",
874
+ "level": "warning",
875
+ "message": {
876
+ "text": "A medium vulnerability in go-module package: golang.org/x/net, version v0.25.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
877
+ },
878
+ "locations": [
879
+ {
880
+ "physicalLocation": {
881
+ "artifactLocation": {
882
+ "uri": "pre-commit-container//usr/bin/tflint"
883
+ },
884
+ "region": {
885
+ "startLine": 1,
886
+ "startColumn": 1,
887
+ "endLine": 1,
888
+ "endColumn": 1
889
+ }
890
+ },
891
+ "logicalLocations": [
892
+ {
893
+ "name": "/usr/bin/tflint",
894
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
895
+ }
896
+ ]
897
+ }
898
+ ],
899
+ "partialFingerprints": {
900
+ "primaryLocationLineHash": "f06d422ba1cad448bfe519698c2c3b1f6a80804683e6faa0cab82bc1e02fc6dd:1"
901
+ }
902
+ },
903
+ {
904
+ "ruleId": "CVE-2025-22870-golang.org/x/net",
905
+ "level": "warning",
906
+ "message": {
907
+ "text": "A medium vulnerability in go-module package: golang.org/x/net, version v0.31.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/yq"
908
+ },
909
+ "locations": [
910
+ {
911
+ "physicalLocation": {
912
+ "artifactLocation": {
913
+ "uri": "pre-commit-container//usr/bin/yq"
914
+ },
915
+ "region": {
916
+ "startLine": 1,
917
+ "startColumn": 1,
918
+ "endLine": 1,
919
+ "endColumn": 1
920
+ }
921
+ },
922
+ "logicalLocations": [
923
+ {
924
+ "name": "/usr/bin/yq",
925
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e39cdc67e1ad7c5fdedcff81cb670fe00f474b79e098bb239db8f00bca127cce:/usr/bin/yq"
926
+ }
927
+ ]
928
+ }
929
+ ],
930
+ "partialFingerprints": {
931
+ "primaryLocationLineHash": "6fed058812c4d8ed8b28fb11565af97162dddd177ac668b2d8478977d9e48b76:1"
932
+ }
933
+ },
934
+ {
935
+ "ruleId": "CVE-2025-22872-golang.org/x/net",
936
+ "level": "warning",
937
+ "message": {
938
+ "text": "A medium vulnerability in go-module package: golang.org/x/net, version v0.31.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/yq"
939
+ },
940
+ "locations": [
941
+ {
942
+ "physicalLocation": {
943
+ "artifactLocation": {
944
+ "uri": "pre-commit-container//usr/bin/yq"
945
+ },
946
+ "region": {
947
+ "startLine": 1,
948
+ "startColumn": 1,
949
+ "endLine": 1,
950
+ "endColumn": 1
951
+ }
952
+ },
953
+ "logicalLocations": [
954
+ {
955
+ "name": "/usr/bin/yq",
956
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e39cdc67e1ad7c5fdedcff81cb670fe00f474b79e098bb239db8f00bca127cce:/usr/bin/yq"
957
+ }
958
+ ]
959
+ }
960
+ ],
961
+ "partialFingerprints": {
962
+ "primaryLocationLineHash": "6fed058812c4d8ed8b28fb11565af97162dddd177ac668b2d8478977d9e48b76:1"
963
+ }
964
+ },
965
+ {
966
+ "ruleId": "CVE-2025-22872-golang.org/x/net",
967
+ "level": "warning",
968
+ "message": {
969
+ "text": "A medium vulnerability in go-module package: golang.org/x/net, version v0.36.0 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
970
+ },
971
+ "locations": [
972
+ {
973
+ "physicalLocation": {
974
+ "artifactLocation": {
975
+ "uri": "pre-commit-container//usr/local/bin/terraform"
976
+ },
977
+ "region": {
978
+ "startLine": 1,
979
+ "startColumn": 1,
980
+ "endLine": 1,
981
+ "endColumn": 1
982
+ }
983
+ },
984
+ "logicalLocations": [
985
+ {
986
+ "name": "/usr/local/bin/terraform",
987
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
988
+ }
989
+ ]
990
+ }
991
+ ],
992
+ "partialFingerprints": {
993
+ "primaryLocationLineHash": "9b044ae0c9bdc448e5f20f4c753ba5cb6d12d12f02ce2566edc0b0d747552c46:1"
994
+ }
995
+ },
996
+ {
997
+ "ruleId": "CVE-2023-2976-guava",
998
+ "level": "warning",
999
+ "message": {
1000
+ "text": "A medium vulnerability in java-archive package: guava, version 30.1-jre was found in image localhost/pre-commit-container:1747457987 at: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1001
+ },
1002
+ "locations": [
1003
+ {
1004
+ "physicalLocation": {
1005
+ "artifactLocation": {
1006
+ "uri": "pre-commit-container//root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1007
+ },
1008
+ "region": {
1009
+ "startLine": 1,
1010
+ "startColumn": 1,
1011
+ "endLine": 1,
1012
+ "endColumn": 1
1013
+ }
1014
+ },
1015
+ "logicalLocations": [
1016
+ {
1017
+ "name": "/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar",
1018
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e01fafb63716149fe7030a2f53c5d3f27f7681debf41b58fe6860bdb8438d42a:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1019
+ }
1020
+ ]
1021
+ }
1022
+ ],
1023
+ "partialFingerprints": {
1024
+ "primaryLocationLineHash": "cdfab17ebac116a4245cb7eb15c8873231e9d093770f65b1aef5ba3fe6aa72b8:1"
1025
+ }
1026
+ },
1027
+ {
1028
+ "ruleId": "CVE-2023-2976-guava",
1029
+ "level": "warning",
1030
+ "message": {
1031
+ "text": "A medium vulnerability in java-archive package: guava, version 30.1-jre was found in image localhost/pre-commit-container:1747457987 at: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1032
+ },
1033
+ "locations": [
1034
+ {
1035
+ "physicalLocation": {
1036
+ "artifactLocation": {
1037
+ "uri": "pre-commit-container//root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1038
+ },
1039
+ "region": {
1040
+ "startLine": 1,
1041
+ "startColumn": 1,
1042
+ "endLine": 1,
1043
+ "endColumn": 1
1044
+ }
1045
+ },
1046
+ "logicalLocations": [
1047
+ {
1048
+ "name": "/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar",
1049
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e01fafb63716149fe7030a2f53c5d3f27f7681debf41b58fe6860bdb8438d42a:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1050
+ }
1051
+ ]
1052
+ }
1053
+ ],
1054
+ "partialFingerprints": {
1055
+ "primaryLocationLineHash": "137ed462eae9acd5434c1737e9de25e0f8b368bc78ed934120f90f935e4acd08:1"
1056
+ }
1057
+ },
1058
+ {
1059
+ "ruleId": "CVE-2020-8908-guava",
1060
+ "level": "note",
1061
+ "message": {
1062
+ "text": "A low vulnerability in java-archive package: guava, version 30.1-jre was found in image localhost/pre-commit-container:1747457987 at: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1063
+ },
1064
+ "locations": [
1065
+ {
1066
+ "physicalLocation": {
1067
+ "artifactLocation": {
1068
+ "uri": "pre-commit-container//root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1069
+ },
1070
+ "region": {
1071
+ "startLine": 1,
1072
+ "startColumn": 1,
1073
+ "endLine": 1,
1074
+ "endColumn": 1
1075
+ }
1076
+ },
1077
+ "logicalLocations": [
1078
+ {
1079
+ "name": "/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar",
1080
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e01fafb63716149fe7030a2f53c5d3f27f7681debf41b58fe6860bdb8438d42a:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
1081
+ }
1082
+ ]
1083
+ }
1084
+ ],
1085
+ "partialFingerprints": {
1086
+ "primaryLocationLineHash": "cdfab17ebac116a4245cb7eb15c8873231e9d093770f65b1aef5ba3fe6aa72b8:1"
1087
+ }
1088
+ },
1089
+ {
1090
+ "ruleId": "CVE-2020-8908-guava",
1091
+ "level": "note",
1092
+ "message": {
1093
+ "text": "A low vulnerability in java-archive package: guava, version 30.1-jre was found in image localhost/pre-commit-container:1747457987 at: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1094
+ },
1095
+ "locations": [
1096
+ {
1097
+ "physicalLocation": {
1098
+ "artifactLocation": {
1099
+ "uri": "pre-commit-container//root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1100
+ },
1101
+ "region": {
1102
+ "startLine": 1,
1103
+ "startColumn": 1,
1104
+ "endLine": 1,
1105
+ "endColumn": 1
1106
+ }
1107
+ },
1108
+ "logicalLocations": [
1109
+ {
1110
+ "name": "/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar",
1111
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e01fafb63716149fe7030a2f53c5d3f27f7681debf41b58fe6860bdb8438d42a:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
1112
+ }
1113
+ ]
1114
+ }
1115
+ ],
1116
+ "partialFingerprints": {
1117
+ "primaryLocationLineHash": "137ed462eae9acd5434c1737e9de25e0f8b368bc78ed934120f90f935e4acd08:1"
1118
+ }
1119
+ },
1120
+ {
1121
+ "ruleId": "CVE-2024-7254-protobuf-java",
1122
+ "level": "error",
1123
+ "message": {
1124
+ "text": "A high vulnerability in java-archive package: protobuf-java, version 3.19.6 was found in image localhost/pre-commit-container:1747457987 at: /root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar"
1125
+ },
1126
+ "locations": [
1127
+ {
1128
+ "physicalLocation": {
1129
+ "artifactLocation": {
1130
+ "uri": "pre-commit-container//root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar"
1131
+ },
1132
+ "region": {
1133
+ "startLine": 1,
1134
+ "startColumn": 1,
1135
+ "endLine": 1,
1136
+ "endColumn": 1
1137
+ }
1138
+ },
1139
+ "logicalLocations": [
1140
+ {
1141
+ "name": "/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar",
1142
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:e01fafb63716149fe7030a2f53c5d3f27f7681debf41b58fe6860bdb8438d42a:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar"
1143
+ }
1144
+ ]
1145
+ }
1146
+ ],
1147
+ "partialFingerprints": {
1148
+ "primaryLocationLineHash": "9d117e187d4fbfd6c5af341bb455b14ebcf84aa869546035b4d8aa473d7000dc:1"
1149
+ }
1150
+ },
1151
+ {
1152
+ "ruleId": "CVE-2025-4516-python3",
1153
+ "level": "warning",
1154
+ "message": {
1155
+ "text": "A medium vulnerability in apk package: python3, version 3.12.10-r0 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
1156
+ },
1157
+ "locations": [
1158
+ {
1159
+ "physicalLocation": {
1160
+ "artifactLocation": {
1161
+ "uri": "pre-commit-container//lib/apk/db/installed"
1162
+ },
1163
+ "region": {
1164
+ "startLine": 1,
1165
+ "startColumn": 1,
1166
+ "endLine": 1,
1167
+ "endColumn": 1
1168
+ }
1169
+ },
1170
+ "logicalLocations": [
1171
+ {
1172
+ "name": "/lib/apk/db/installed",
1173
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
1174
+ }
1175
+ ]
1176
+ }
1177
+ ],
1178
+ "partialFingerprints": {
1179
+ "primaryLocationLineHash": "f84b58449707ad1c76c2761728d912b71c799096a1a487d29f46d1d8e3549002:1"
1180
+ }
1181
+ },
1182
+ {
1183
+ "ruleId": "CVE-2024-3220-python3",
1184
+ "level": "note",
1185
+ "message": {
1186
+ "text": "A low vulnerability in apk package: python3, version 3.12.10-r0 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
1187
+ },
1188
+ "locations": [
1189
+ {
1190
+ "physicalLocation": {
1191
+ "artifactLocation": {
1192
+ "uri": "pre-commit-container//lib/apk/db/installed"
1193
+ },
1194
+ "region": {
1195
+ "startLine": 1,
1196
+ "startColumn": 1,
1197
+ "endLine": 1,
1198
+ "endColumn": 1
1199
+ }
1200
+ },
1201
+ "logicalLocations": [
1202
+ {
1203
+ "name": "/lib/apk/db/installed",
1204
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
1205
+ }
1206
+ ]
1207
+ }
1208
+ ],
1209
+ "partialFingerprints": {
1210
+ "primaryLocationLineHash": "f84b58449707ad1c76c2761728d912b71c799096a1a487d29f46d1d8e3549002:1"
1211
+ }
1212
+ },
1213
+ {
1214
+ "ruleId": "CVE-2025-3277-sqlite-libs",
1215
+ "level": "warning",
1216
+ "message": {
1217
+ "text": "A medium vulnerability in apk package: sqlite-libs, version 3.48.0-r2 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
1218
+ },
1219
+ "locations": [
1220
+ {
1221
+ "physicalLocation": {
1222
+ "artifactLocation": {
1223
+ "uri": "pre-commit-container//lib/apk/db/installed"
1224
+ },
1225
+ "region": {
1226
+ "startLine": 1,
1227
+ "startColumn": 1,
1228
+ "endLine": 1,
1229
+ "endColumn": 1
1230
+ }
1231
+ },
1232
+ "logicalLocations": [
1233
+ {
1234
+ "name": "/lib/apk/db/installed",
1235
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
1236
+ }
1237
+ ]
1238
+ }
1239
+ ],
1240
+ "partialFingerprints": {
1241
+ "primaryLocationLineHash": "be478221453c03f1259ad584f054b67d866e2d1ca55d88c10666405512175e59:1"
1242
+ }
1243
+ },
1244
+ {
1245
+ "ruleId": "CVE-2024-58251-ssl_client",
1246
+ "level": "note",
1247
+ "message": {
1248
+ "text": "A low vulnerability in apk package: ssl_client, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
1249
+ },
1250
+ "locations": [
1251
+ {
1252
+ "physicalLocation": {
1253
+ "artifactLocation": {
1254
+ "uri": "pre-commit-container//lib/apk/db/installed"
1255
+ },
1256
+ "region": {
1257
+ "startLine": 1,
1258
+ "startColumn": 1,
1259
+ "endLine": 1,
1260
+ "endColumn": 1
1261
+ }
1262
+ },
1263
+ "logicalLocations": [
1264
+ {
1265
+ "name": "/lib/apk/db/installed",
1266
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
1267
+ }
1268
+ ]
1269
+ }
1270
+ ],
1271
+ "partialFingerprints": {
1272
+ "primaryLocationLineHash": "5d5c72e3f45f965448ac39a420f18c46a510457d71f7f5782246b8808bdd1f90:1"
1273
+ }
1274
+ },
1275
+ {
1276
+ "ruleId": "CVE-2025-46394-ssl_client",
1277
+ "level": "note",
1278
+ "message": {
1279
+ "text": "A low vulnerability in apk package: ssl_client, version 1.37.0-r12 was found in image localhost/pre-commit-container:1747457987 at: /lib/apk/db/installed"
1280
+ },
1281
+ "locations": [
1282
+ {
1283
+ "physicalLocation": {
1284
+ "artifactLocation": {
1285
+ "uri": "pre-commit-container//lib/apk/db/installed"
1286
+ },
1287
+ "region": {
1288
+ "startLine": 1,
1289
+ "startColumn": 1,
1290
+ "endLine": 1,
1291
+ "endColumn": 1
1292
+ }
1293
+ },
1294
+ "logicalLocations": [
1295
+ {
1296
+ "name": "/lib/apk/db/installed",
1297
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/lib/apk/db/installed"
1298
+ }
1299
+ ]
1300
+ }
1301
+ ],
1302
+ "partialFingerprints": {
1303
+ "primaryLocationLineHash": "5d5c72e3f45f965448ac39a420f18c46a510457d71f7f5782246b8808bdd1f90:1"
1304
+ }
1305
+ },
1306
+ {
1307
+ "ruleId": "CVE-2025-22871-stdlib",
1308
+ "level": "error",
1309
+ "message": {
1310
+ "text": "A critical vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1311
+ },
1312
+ "locations": [
1313
+ {
1314
+ "physicalLocation": {
1315
+ "artifactLocation": {
1316
+ "uri": "pre-commit-container//usr/bin/tflint"
1317
+ },
1318
+ "region": {
1319
+ "startLine": 1,
1320
+ "startColumn": 1,
1321
+ "endLine": 1,
1322
+ "endColumn": 1
1323
+ }
1324
+ },
1325
+ "logicalLocations": [
1326
+ {
1327
+ "name": "/usr/bin/tflint",
1328
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1329
+ }
1330
+ ]
1331
+ }
1332
+ ],
1333
+ "partialFingerprints": {
1334
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1335
+ }
1336
+ },
1337
+ {
1338
+ "ruleId": "CVE-2024-34156-stdlib",
1339
+ "level": "error",
1340
+ "message": {
1341
+ "text": "A high vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1342
+ },
1343
+ "locations": [
1344
+ {
1345
+ "physicalLocation": {
1346
+ "artifactLocation": {
1347
+ "uri": "pre-commit-container//usr/bin/tflint"
1348
+ },
1349
+ "region": {
1350
+ "startLine": 1,
1351
+ "startColumn": 1,
1352
+ "endLine": 1,
1353
+ "endColumn": 1
1354
+ }
1355
+ },
1356
+ "logicalLocations": [
1357
+ {
1358
+ "name": "/usr/bin/tflint",
1359
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1360
+ }
1361
+ ]
1362
+ }
1363
+ ],
1364
+ "partialFingerprints": {
1365
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1366
+ }
1367
+ },
1368
+ {
1369
+ "ruleId": "CVE-2024-34158-stdlib",
1370
+ "level": "error",
1371
+ "message": {
1372
+ "text": "A high vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1373
+ },
1374
+ "locations": [
1375
+ {
1376
+ "physicalLocation": {
1377
+ "artifactLocation": {
1378
+ "uri": "pre-commit-container//usr/bin/tflint"
1379
+ },
1380
+ "region": {
1381
+ "startLine": 1,
1382
+ "startColumn": 1,
1383
+ "endLine": 1,
1384
+ "endColumn": 1
1385
+ }
1386
+ },
1387
+ "logicalLocations": [
1388
+ {
1389
+ "name": "/usr/bin/tflint",
1390
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1391
+ }
1392
+ ]
1393
+ }
1394
+ ],
1395
+ "partialFingerprints": {
1396
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1397
+ }
1398
+ },
1399
+ {
1400
+ "ruleId": "CVE-2024-34155-stdlib",
1401
+ "level": "warning",
1402
+ "message": {
1403
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1404
+ },
1405
+ "locations": [
1406
+ {
1407
+ "physicalLocation": {
1408
+ "artifactLocation": {
1409
+ "uri": "pre-commit-container//usr/bin/tflint"
1410
+ },
1411
+ "region": {
1412
+ "startLine": 1,
1413
+ "startColumn": 1,
1414
+ "endLine": 1,
1415
+ "endColumn": 1
1416
+ }
1417
+ },
1418
+ "logicalLocations": [
1419
+ {
1420
+ "name": "/usr/bin/tflint",
1421
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1422
+ }
1423
+ ]
1424
+ }
1425
+ ],
1426
+ "partialFingerprints": {
1427
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1428
+ }
1429
+ },
1430
+ {
1431
+ "ruleId": "CVE-2024-45336-stdlib",
1432
+ "level": "warning",
1433
+ "message": {
1434
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1435
+ },
1436
+ "locations": [
1437
+ {
1438
+ "physicalLocation": {
1439
+ "artifactLocation": {
1440
+ "uri": "pre-commit-container//usr/bin/tflint"
1441
+ },
1442
+ "region": {
1443
+ "startLine": 1,
1444
+ "startColumn": 1,
1445
+ "endLine": 1,
1446
+ "endColumn": 1
1447
+ }
1448
+ },
1449
+ "logicalLocations": [
1450
+ {
1451
+ "name": "/usr/bin/tflint",
1452
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1453
+ }
1454
+ ]
1455
+ }
1456
+ ],
1457
+ "partialFingerprints": {
1458
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1459
+ }
1460
+ },
1461
+ {
1462
+ "ruleId": "CVE-2024-45341-stdlib",
1463
+ "level": "warning",
1464
+ "message": {
1465
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1466
+ },
1467
+ "locations": [
1468
+ {
1469
+ "physicalLocation": {
1470
+ "artifactLocation": {
1471
+ "uri": "pre-commit-container//usr/bin/tflint"
1472
+ },
1473
+ "region": {
1474
+ "startLine": 1,
1475
+ "startColumn": 1,
1476
+ "endLine": 1,
1477
+ "endColumn": 1
1478
+ }
1479
+ },
1480
+ "logicalLocations": [
1481
+ {
1482
+ "name": "/usr/bin/tflint",
1483
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1484
+ }
1485
+ ]
1486
+ }
1487
+ ],
1488
+ "partialFingerprints": {
1489
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1490
+ }
1491
+ },
1492
+ {
1493
+ "ruleId": "CVE-2025-22866-stdlib",
1494
+ "level": "warning",
1495
+ "message": {
1496
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.22.5 was found in image localhost/pre-commit-container:1747457987 at: /usr/bin/tflint"
1497
+ },
1498
+ "locations": [
1499
+ {
1500
+ "physicalLocation": {
1501
+ "artifactLocation": {
1502
+ "uri": "pre-commit-container//usr/bin/tflint"
1503
+ },
1504
+ "region": {
1505
+ "startLine": 1,
1506
+ "startColumn": 1,
1507
+ "endLine": 1,
1508
+ "endColumn": 1
1509
+ }
1510
+ },
1511
+ "logicalLocations": [
1512
+ {
1513
+ "name": "/usr/bin/tflint",
1514
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:bf5d50c56774c36c6eae9c6cf2cf3e53cfb91d38940e9413fb7f98fdbad5a0e7:/usr/bin/tflint"
1515
+ }
1516
+ ]
1517
+ }
1518
+ ],
1519
+ "partialFingerprints": {
1520
+ "primaryLocationLineHash": "e5887e9a688eca6be6182d048a76b0102c19b814d79464985ebe5b333c07bfdc:1"
1521
+ }
1522
+ },
1523
+ {
1524
+ "ruleId": "CVE-2025-22871-stdlib",
1525
+ "level": "error",
1526
+ "message": {
1527
+ "text": "A critical vulnerability in go-module package: stdlib, version go1.23.3 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
1528
+ },
1529
+ "locations": [
1530
+ {
1531
+ "physicalLocation": {
1532
+ "artifactLocation": {
1533
+ "uri": "pre-commit-container//usr/local/bin/terraform"
1534
+ },
1535
+ "region": {
1536
+ "startLine": 1,
1537
+ "startColumn": 1,
1538
+ "endLine": 1,
1539
+ "endColumn": 1
1540
+ }
1541
+ },
1542
+ "logicalLocations": [
1543
+ {
1544
+ "name": "/usr/local/bin/terraform",
1545
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
1546
+ }
1547
+ ]
1548
+ }
1549
+ ],
1550
+ "partialFingerprints": {
1551
+ "primaryLocationLineHash": "c54423f489f89b4439229ece0252d9c80a57d06d4e4333ca62acca266dc7216b:1"
1552
+ }
1553
+ },
1554
+ {
1555
+ "ruleId": "CVE-2024-45336-stdlib",
1556
+ "level": "warning",
1557
+ "message": {
1558
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.3 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
1559
+ },
1560
+ "locations": [
1561
+ {
1562
+ "physicalLocation": {
1563
+ "artifactLocation": {
1564
+ "uri": "pre-commit-container//usr/local/bin/terraform"
1565
+ },
1566
+ "region": {
1567
+ "startLine": 1,
1568
+ "startColumn": 1,
1569
+ "endLine": 1,
1570
+ "endColumn": 1
1571
+ }
1572
+ },
1573
+ "logicalLocations": [
1574
+ {
1575
+ "name": "/usr/local/bin/terraform",
1576
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
1577
+ }
1578
+ ]
1579
+ }
1580
+ ],
1581
+ "partialFingerprints": {
1582
+ "primaryLocationLineHash": "c54423f489f89b4439229ece0252d9c80a57d06d4e4333ca62acca266dc7216b:1"
1583
+ }
1584
+ },
1585
+ {
1586
+ "ruleId": "CVE-2024-45341-stdlib",
1587
+ "level": "warning",
1588
+ "message": {
1589
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.3 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
1590
+ },
1591
+ "locations": [
1592
+ {
1593
+ "physicalLocation": {
1594
+ "artifactLocation": {
1595
+ "uri": "pre-commit-container//usr/local/bin/terraform"
1596
+ },
1597
+ "region": {
1598
+ "startLine": 1,
1599
+ "startColumn": 1,
1600
+ "endLine": 1,
1601
+ "endColumn": 1
1602
+ }
1603
+ },
1604
+ "logicalLocations": [
1605
+ {
1606
+ "name": "/usr/local/bin/terraform",
1607
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
1608
+ }
1609
+ ]
1610
+ }
1611
+ ],
1612
+ "partialFingerprints": {
1613
+ "primaryLocationLineHash": "c54423f489f89b4439229ece0252d9c80a57d06d4e4333ca62acca266dc7216b:1"
1614
+ }
1615
+ },
1616
+ {
1617
+ "ruleId": "CVE-2025-22866-stdlib",
1618
+ "level": "warning",
1619
+ "message": {
1620
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.3 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/terraform"
1621
+ },
1622
+ "locations": [
1623
+ {
1624
+ "physicalLocation": {
1625
+ "artifactLocation": {
1626
+ "uri": "pre-commit-container//usr/local/bin/terraform"
1627
+ },
1628
+ "region": {
1629
+ "startLine": 1,
1630
+ "startColumn": 1,
1631
+ "endLine": 1,
1632
+ "endColumn": 1
1633
+ }
1634
+ },
1635
+ "logicalLocations": [
1636
+ {
1637
+ "name": "/usr/local/bin/terraform",
1638
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:f45e221f59a5bdf46afdc75747eb596b884d3dbf285b11cd7855cbc491013996:/usr/local/bin/terraform"
1639
+ }
1640
+ ]
1641
+ }
1642
+ ],
1643
+ "partialFingerprints": {
1644
+ "primaryLocationLineHash": "c54423f489f89b4439229ece0252d9c80a57d06d4e4333ca62acca266dc7216b:1"
1645
+ }
1646
+ },
1647
+ {
1648
+ "ruleId": "CVE-2025-22871-stdlib",
1649
+ "level": "error",
1650
+ "message": {
1651
+ "text": "A critical vulnerability in go-module package: stdlib, version go1.23.4 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/actionlint"
1652
+ },
1653
+ "locations": [
1654
+ {
1655
+ "physicalLocation": {
1656
+ "artifactLocation": {
1657
+ "uri": "pre-commit-container//usr/local/bin/actionlint"
1658
+ },
1659
+ "region": {
1660
+ "startLine": 1,
1661
+ "startColumn": 1,
1662
+ "endLine": 1,
1663
+ "endColumn": 1
1664
+ }
1665
+ },
1666
+ "logicalLocations": [
1667
+ {
1668
+ "name": "/usr/local/bin/actionlint",
1669
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:1c2c2491c6634a369aaeafbb6a62bbae44594ad021f9aff6d43efea6c07393a3:/usr/local/bin/actionlint"
1670
+ }
1671
+ ]
1672
+ }
1673
+ ],
1674
+ "partialFingerprints": {
1675
+ "primaryLocationLineHash": "1d8434cd56ae6baa9b1e80989259954d5a28336d46e1d441d21a7e6f4f24d7e4:1"
1676
+ }
1677
+ },
1678
+ {
1679
+ "ruleId": "CVE-2024-45336-stdlib",
1680
+ "level": "warning",
1681
+ "message": {
1682
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.4 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/actionlint"
1683
+ },
1684
+ "locations": [
1685
+ {
1686
+ "physicalLocation": {
1687
+ "artifactLocation": {
1688
+ "uri": "pre-commit-container//usr/local/bin/actionlint"
1689
+ },
1690
+ "region": {
1691
+ "startLine": 1,
1692
+ "startColumn": 1,
1693
+ "endLine": 1,
1694
+ "endColumn": 1
1695
+ }
1696
+ },
1697
+ "logicalLocations": [
1698
+ {
1699
+ "name": "/usr/local/bin/actionlint",
1700
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:1c2c2491c6634a369aaeafbb6a62bbae44594ad021f9aff6d43efea6c07393a3:/usr/local/bin/actionlint"
1701
+ }
1702
+ ]
1703
+ }
1704
+ ],
1705
+ "partialFingerprints": {
1706
+ "primaryLocationLineHash": "1d8434cd56ae6baa9b1e80989259954d5a28336d46e1d441d21a7e6f4f24d7e4:1"
1707
+ }
1708
+ },
1709
+ {
1710
+ "ruleId": "CVE-2024-45341-stdlib",
1711
+ "level": "warning",
1712
+ "message": {
1713
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.4 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/actionlint"
1714
+ },
1715
+ "locations": [
1716
+ {
1717
+ "physicalLocation": {
1718
+ "artifactLocation": {
1719
+ "uri": "pre-commit-container//usr/local/bin/actionlint"
1720
+ },
1721
+ "region": {
1722
+ "startLine": 1,
1723
+ "startColumn": 1,
1724
+ "endLine": 1,
1725
+ "endColumn": 1
1726
+ }
1727
+ },
1728
+ "logicalLocations": [
1729
+ {
1730
+ "name": "/usr/local/bin/actionlint",
1731
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:1c2c2491c6634a369aaeafbb6a62bbae44594ad021f9aff6d43efea6c07393a3:/usr/local/bin/actionlint"
1732
+ }
1733
+ ]
1734
+ }
1735
+ ],
1736
+ "partialFingerprints": {
1737
+ "primaryLocationLineHash": "1d8434cd56ae6baa9b1e80989259954d5a28336d46e1d441d21a7e6f4f24d7e4:1"
1738
+ }
1739
+ },
1740
+ {
1741
+ "ruleId": "CVE-2025-22866-stdlib",
1742
+ "level": "warning",
1743
+ "message": {
1744
+ "text": "A medium vulnerability in go-module package: stdlib, version go1.23.4 was found in image localhost/pre-commit-container:1747457987 at: /usr/local/bin/actionlint"
1745
+ },
1746
+ "locations": [
1747
+ {
1748
+ "physicalLocation": {
1749
+ "artifactLocation": {
1750
+ "uri": "pre-commit-container//usr/local/bin/actionlint"
1751
+ },
1752
+ "region": {
1753
+ "startLine": 1,
1754
+ "startColumn": 1,
1755
+ "endLine": 1,
1756
+ "endColumn": 1
1757
+ }
1758
+ },
1759
+ "logicalLocations": [
1760
+ {
1761
+ "name": "/usr/local/bin/actionlint",
1762
+ "fullyQualifiedName": "localhost/pre-commit-container:1747457987@sha256:1c2c2491c6634a369aaeafbb6a62bbae44594ad021f9aff6d43efea6c07393a3:/usr/local/bin/actionlint"
1763
+ }
1764
+ ]
1765
+ }
1766
+ ],
1767
+ "partialFingerprints": {
1768
+ "primaryLocationLineHash": "1d8434cd56ae6baa9b1e80989259954d5a28336d46e1d441d21a7e6f4f24d7e4:1"
1769
+ }
1770
+ }
1771
+ ]
1772
+ }
1773
+ ]
1774
+ }