@fabasoad/sarif-to-slack 0.2.4 → 1.0.0

package/test-data/sarif/osv-scanner-gomodules.sarif

@@ -0,0 +1,813 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "addresses": [],
+      "artifacts": [
+        {
+          "length": -1,
+          "location": {
+            "index": -1,
+            "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+          },
+          "parentIndex": -1,
+          "roles": []
+        }
+      ],
+      "graphs": [],
+      "invocations": [],
+      "language": "en-US",
+      "logicalLocations": [],
+      "newlineSequences": [
+        "\r\n",
+        "\n"
+      ],
+      "policies": [],
+      "redactionTokens": [],
+      "results": [
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2023-29401' (also known as 'GO-2023-1737', 'GHSA-2c4m-59x9-fr2g')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2023-29401",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2023-26125' (also known as 'GHSA-3vp4-m3rf-835h')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2023-26125",
+          "ruleIndex": 1,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2022-3064' (also known as 'GO-2022-0956', 'GHSA-6q6q-88xp-6f2r')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2022-3064",
+          "ruleIndex": 2,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2020-36567' (also known as 'GO-2020-0001', 'GHSA-6vm3-jj99-7229')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-36567",
+          "ruleIndex": 3,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2019-25211' (also known as 'GO-2024-2955', 'GHSA-869c-j7wc-8jqv')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2019-25211",
+          "ruleIndex": 4,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2020-28483' (also known as 'GO-2021-0052', 'GHSA-h395-qcrw-5vmq')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-28483",
+          "ruleIndex": 5,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'golang.org/x/sys@0.0.0-20190222072716-a9d3bda3a223' is vulnerable to 'CVE-2022-29526' (also known as 'BIT-golang-2022-29526', 'GO-2022-0493', 'GHSA-p782-xgp4-8hr8')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2022-29526",
+          "ruleIndex": 6,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2021-4235' (also known as 'GO-2021-0061', 'GHSA-r88r-gmrh-7j83')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2021-4235",
+          "ruleIndex": 7,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2019-11254' (also known as 'GO-2020-0036', 'GHSA-wxc4-f4m6-wwqv')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2019-11254",
+          "ruleIndex": 8,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2020-36567' (also known as 'GO-2020-0001', 'GHSA-6vm3-jj99-7229')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-36567",
+          "ruleIndex": 3,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2019-11254' (also known as 'GO-2020-0036', 'GHSA-wxc4-f4m6-wwqv')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2019-11254",
+          "ruleIndex": 8,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2020-28483' (also known as 'GO-2021-0052', 'GHSA-h395-qcrw-5vmq')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-28483",
+          "ruleIndex": 5,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2021-4235' (also known as 'GO-2021-0061', 'GHSA-r88r-gmrh-7j83')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2021-4235",
+          "ruleIndex": 7,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'golang.org/x/sys@0.0.0-20190222072716-a9d3bda3a223' is vulnerable to 'CVE-2022-29526' (also known as 'BIT-golang-2022-29526', 'GO-2022-0493', 'GHSA-p782-xgp4-8hr8')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2022-29526",
+          "ruleIndex": 6,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'gopkg.in/yaml.v2@2.2.2' is vulnerable to 'CVE-2022-3064' (also known as 'GO-2022-0956', 'GHSA-6q6q-88xp-6f2r')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2022-3064",
+          "ruleIndex": 2,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/go/gomodules/go.mod"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'github.com/gin-gonic/gin@1.4.0' is vulnerable to 'CVE-2023-29401' (also known as 'GO-2023-1737', 'GHSA-2c4m-59x9-fr2g')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2023-29401",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        }
+      ],
+      "runAggregates": [],
+      "taxonomies": [],
+      "threadFlowLocations": [],
+      "tool": {
+        "driver": {
+          "contents": [
+            "localizedData",
+            "nonLocalizedData"
+          ],
+          "informationUri": "https://github.com/google/osv-scanner",
+          "isComprehensive": false,
+          "language": "en-US",
+          "locations": [],
+          "name": "osv-scanner",
+          "notifications": [],
+          "rules": [
+            {
+              "deprecatedIds": [
+                "CVE-2023-29401",
+                "GO-2023-1737",
+                "GHSA-2c4m-59x9-fr2g"
+              ],
+              "fullDescription": {
+                "markdown": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\nIf the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.",
+                "text": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\nIf the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2023-29401](https://osv.dev/CVE-2023-29401)**\n(Also published as: [GO-2023-1737](https://osv.dev/GO-2023-1737), [GHSA-2c4m-59x9-fr2g](https://osv.dev/GHSA-2c4m-59x9-fr2g), ).\n\n## [GO-2023-1737](https://osv.dev/GO-2023-1737)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\u003e \n\u003e If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.\n\n\u003c/details\u003e\n\n## [GHSA-2c4m-59x9-fr2g](https://osv.dev/GHSA-2c4m-59x9-fr2g)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\u003e \n\u003e If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2c4m-59x9-fr2g | github.com/gin-gonic/gin | 1.9.1 |\n| GO-2023-1737 | github.com/gin-gonic/gin | 1.9.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-29401\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2023-29401](https://osv.dev/CVE-2023-29401)**\n(Also published as: [GO-2023-1737](https://osv.dev/GO-2023-1737), [GHSA-2c4m-59x9-fr2g](https://osv.dev/GHSA-2c4m-59x9-fr2g), ).\n\n## [GO-2023-1737](https://osv.dev/GO-2023-1737)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\u003e \n\u003e If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.\n\n\u003c/details\u003e\n\n## [GHSA-2c4m-59x9-fr2g](https://osv.dev/GHSA-2c4m-59x9-fr2g)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\u003e \n\u003e If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2c4m-59x9-fr2g | github.com/gin-gonic/gin | 1.9.1 |\n| GO-2023-1737 | github.com/gin-gonic/gin | 1.9.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-29401\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2023-29401",
+              "name": "CVE-2023-29401",
+              "properties": {
+                "security-severity": "4.3"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2023-29401: Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin",
+                "text": "CVE-2023-29401: Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2023-26125",
+                "GHSA-3vp4-m3rf-835h"
+              ],
+              "fullDescription": {
+                "markdown": "Versions of the package github.com/gin-gonic/gin before version 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.\n\n**Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.",
+                "text": "Versions of the package github.com/gin-gonic/gin before version 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.\n\n**Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2023-26125](https://osv.dev/CVE-2023-26125)**.\n\n## [GHSA-3vp4-m3rf-835h](https://osv.dev/GHSA-3vp4-m3rf-835h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package github.com/gin-gonic/gin before version 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.\n\u003e \n\u003e **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3vp4-m3rf-835h | github.com/gin-gonic/gin | 1.9.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-26125\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2023-26125](https://osv.dev/CVE-2023-26125)**.\n\n## [GHSA-3vp4-m3rf-835h](https://osv.dev/GHSA-3vp4-m3rf-835h)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Versions of the package github.com/gin-gonic/gin before version 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.\n\u003e \n\u003e **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-3vp4-m3rf-835h | github.com/gin-gonic/gin | 1.9.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-26125\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2023-26125",
+              "name": "CVE-2023-26125",
+              "properties": {
+                "security-severity": "5.6"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2023-26125: Improper input validation in github.com/gin-gonic/gin",
+                "text": "CVE-2023-26125: Improper input validation in github.com/gin-gonic/gin"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2022-3064",
+                "GO-2022-0956",
+                "GHSA-6q6q-88xp-6f2r"
+              ],
+              "fullDescription": {
+                "markdown": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.",
+                "text": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2022-3064](https://osv.dev/CVE-2022-3064)**\n(Also published as: [GO-2022-0956](https://osv.dev/GO-2022-0956), [GHSA-6q6q-88xp-6f2r](https://osv.dev/GHSA-6q6q-88xp-6f2r), ).\n\n## [GO-2022-0956](https://osv.dev/GO-2022-0956)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.\n\n\u003c/details\u003e\n\n## [GHSA-6q6q-88xp-6f2r](https://osv.dev/GHSA-6q6q-88xp-6f2r)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6q6q-88xp-6f2r | gopkg.in/yaml.v2 | 2.2.4 |\n| GO-2022-0956 | gopkg.in/yaml.v2 | 2.2.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-3064\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2022-3064](https://osv.dev/CVE-2022-3064)**\n(Also published as: [GO-2022-0956](https://osv.dev/GO-2022-0956), [GHSA-6q6q-88xp-6f2r](https://osv.dev/GHSA-6q6q-88xp-6f2r), ).\n\n## [GO-2022-0956](https://osv.dev/GO-2022-0956)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.\n\n\u003c/details\u003e\n\n## [GHSA-6q6q-88xp-6f2r](https://osv.dev/GHSA-6q6q-88xp-6f2r)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6q6q-88xp-6f2r | gopkg.in/yaml.v2 | 2.2.4 |\n| GO-2022-0956 | gopkg.in/yaml.v2 | 2.2.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-3064\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2022-3064",
+              "name": "CVE-2022-3064",
+              "properties": {
+                "security-severity": "7.5"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2022-3064: Excessive resource consumption in gopkg.in/yaml.v2",
+                "text": "CVE-2022-3064: Excessive resource consumption in gopkg.in/yaml.v2"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2020-36567",
+                "GO-2020-0001",
+                "GHSA-6vm3-jj99-7229"
+              ],
+              "fullDescription": {
+                "markdown": "The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.",
+                "text": "The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2020-36567](https://osv.dev/CVE-2020-36567)**\n(Also published as: [GO-2020-0001](https://osv.dev/GO-2020-0001), [GHSA-6vm3-jj99-7229](https://osv.dev/GHSA-6vm3-jj99-7229), ).\n\n## [GO-2020-0001](https://osv.dev/GO-2020-0001)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.\n\n\u003c/details\u003e\n\n## [GHSA-6vm3-jj99-7229](https://osv.dev/GHSA-6vm3-jj99-7229)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Gin is a HTTP web framework written in Go (Golang). Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6vm3-jj99-7229 | github.com/gin-gonic/gin | 1.6.0 |\n| GO-2020-0001 | github.com/gin-gonic/gin | 1.6.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-36567\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2020-36567](https://osv.dev/CVE-2020-36567)**\n(Also published as: [GO-2020-0001](https://osv.dev/GO-2020-0001), [GHSA-6vm3-jj99-7229](https://osv.dev/GHSA-6vm3-jj99-7229), ).\n\n## [GO-2020-0001](https://osv.dev/GO-2020-0001)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.\n\n\u003c/details\u003e\n\n## [GHSA-6vm3-jj99-7229](https://osv.dev/GHSA-6vm3-jj99-7229)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Gin is a HTTP web framework written in Go (Golang). Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6vm3-jj99-7229 | github.com/gin-gonic/gin | 1.6.0 |\n| GO-2020-0001 | github.com/gin-gonic/gin | 1.6.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-36567\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2020-36567",
+              "name": "CVE-2020-36567",
+              "properties": {
+                "security-severity": "7.5"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2020-36567: Arbitrary log line injection in github.com/gin-gonic/gin",
+                "text": "CVE-2020-36567: Arbitrary log line injection in github.com/gin-gonic/gin"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2019-25211",
+                "GO-2024-2955",
+                "GHSA-869c-j7wc-8jqv"
+              ],
+              "fullDescription": {
+                "markdown": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.",
+                "text": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2019-25211](https://osv.dev/CVE-2019-25211)**.\n\n## [GHSA-869c-j7wc-8jqv](https://osv.dev/GHSA-869c-j7wc-8jqv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-869c-j7wc-8jqv | github.com/gin-gonic/gin | 1.6.0 |\n| GHSA-869c-j7wc-8jqv | github.com/gin-contrib/cors | 1.6.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-25211\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2019-25211](https://osv.dev/CVE-2019-25211)**.\n\n## [GHSA-869c-j7wc-8jqv](https://osv.dev/GHSA-869c-j7wc-8jqv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-869c-j7wc-8jqv | github.com/gin-gonic/gin | 1.6.0 |\n| GHSA-869c-j7wc-8jqv | github.com/gin-contrib/cors | 1.6.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-25211\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2019-25211",
+              "name": "CVE-2019-25211",
+              "properties": {
+                "security-severity": "9.3"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2019-25211: Gin mishandles a wildcard at the end of an origin string",
+                "text": "CVE-2019-25211: Gin mishandles a wildcard at the end of an origin string"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2020-28483",
+                "GO-2021-0052",
+                "GHSA-h395-qcrw-5vmq"
+              ],
+              "fullDescription": {
+                "markdown": "Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.",
+                "text": "Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2020-28483](https://osv.dev/CVE-2020-28483)**\n(Also published as: [GO-2021-0052](https://osv.dev/GO-2021-0052), [GHSA-h395-qcrw-5vmq](https://osv.dev/GHSA-h395-qcrw-5vmq), ).\n\n## [GO-2021-0052](https://osv.dev/GO-2021-0052)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.\n\n\u003c/details\u003e\n\n## [GHSA-h395-qcrw-5vmq](https://osv.dev/GHSA-h395-qcrw-5vmq)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7. \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h395-qcrw-5vmq | github.com/gin-gonic/gin | 1.7.7 |\n| GO-2021-0052 | github.com/gin-gonic/gin | 1.7.7 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-28483\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2020-28483](https://osv.dev/CVE-2020-28483)**\n(Also published as: [GO-2021-0052](https://osv.dev/GO-2021-0052), [GHSA-h395-qcrw-5vmq](https://osv.dev/GHSA-h395-qcrw-5vmq), ).\n\n## [GO-2021-0052](https://osv.dev/GO-2021-0052)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.\n\n\u003c/details\u003e\n\n## [GHSA-h395-qcrw-5vmq](https://osv.dev/GHSA-h395-qcrw-5vmq)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7. \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | github.com/gin-gonic/gin | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-h395-qcrw-5vmq | github.com/gin-gonic/gin | 1.7.7 |\n| GO-2021-0052 | github.com/gin-gonic/gin | 1.7.7 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-28483\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2020-28483",
+              "name": "CVE-2020-28483",
+              "properties": {
+                "security-severity": "7.1"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2020-28483: Inconsistent interpretation of HTTP Requests in github.com/gin-gonic/gin",
+                "text": "CVE-2020-28483: Inconsistent interpretation of HTTP Requests in github.com/gin-gonic/gin"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2022-29526",
+                "BIT-golang-2022-29526",
+                "GO-2022-0493",
+                "GHSA-p782-xgp4-8hr8"
+              ],
+              "fullDescription": {
+                "markdown": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.",
+                "text": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2022-29526](https://osv.dev/CVE-2022-29526)**\n(Also published as: [GO-2022-0493](https://osv.dev/GO-2022-0493), [GHSA-p782-xgp4-8hr8](https://osv.dev/GHSA-p782-xgp4-8hr8), ).\n\n## [GO-2022-0493](https://osv.dev/GO-2022-0493)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.\n\n\u003c/details\u003e\n\n## [GHSA-p782-xgp4-8hr8](https://osv.dev/GHSA-p782-xgp4-8hr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.\n\u003e \n\u003e ### Specific Go Packages Affected\n\u003e golang.org/x/sys/unix\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | golang.org/x/sys | 0.0.0-20190222072716-a9d3bda3a223 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-p782-xgp4-8hr8 | golang.org/x/sys | 0.0.0-20220412211240-33da011f77ad |\n| GO-2022-0493 | stdlib | 1.17.10, 1.18.2 |\n| GO-2022-0493 | golang.org/x/sys | 0.0.0-20220412211240-33da011f77ad |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-29526\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2022-29526](https://osv.dev/CVE-2022-29526)**\n(Also published as: [GO-2022-0493](https://osv.dev/GO-2022-0493), [GHSA-p782-xgp4-8hr8](https://osv.dev/GHSA-p782-xgp4-8hr8), ).\n\n## [GO-2022-0493](https://osv.dev/GO-2022-0493)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.\n\n\u003c/details\u003e\n\n## [GHSA-p782-xgp4-8hr8](https://osv.dev/GHSA-p782-xgp4-8hr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.\n\u003e \n\u003e ### Specific Go Packages Affected\n\u003e golang.org/x/sys/unix\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | golang.org/x/sys | 0.0.0-20190222072716-a9d3bda3a223 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-p782-xgp4-8hr8 | golang.org/x/sys | 0.0.0-20220412211240-33da011f77ad |\n| GO-2022-0493 | stdlib | 1.17.10, 1.18.2 |\n| GO-2022-0493 | golang.org/x/sys | 0.0.0-20220412211240-33da011f77ad |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-29526\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2022-29526",
+              "name": "CVE-2022-29526",
+              "properties": {
+                "security-severity": "5.3"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2022-29526: Incorrect privilege reporting in syscall and golang.org/x/sys/unix",
+                "text": "CVE-2022-29526: Incorrect privilege reporting in syscall and golang.org/x/sys/unix"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2021-4235",
+                "GO-2021-0061",
+                "GHSA-r88r-gmrh-7j83"
+              ],
+              "fullDescription": {
+                "markdown": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.",
+                "text": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2021-4235](https://osv.dev/CVE-2021-4235)**\n(Also published as: [GO-2021-0061](https://osv.dev/GO-2021-0061), [GHSA-r88r-gmrh-7j83](https://osv.dev/GHSA-r88r-gmrh-7j83), ).\n\n## [GO-2021-0061](https://osv.dev/GO-2021-0061)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n## [GHSA-r88r-gmrh-7j83](https://osv.dev/GHSA-r88r-gmrh-7j83)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-r88r-gmrh-7j83 | gopkg.in/yaml.v2 | 2.2.3 |\n| GO-2021-0061 | gopkg.in/yaml.v2 | 2.2.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-4235\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2021-4235](https://osv.dev/CVE-2021-4235)**\n(Also published as: [GO-2021-0061](https://osv.dev/GO-2021-0061), [GHSA-r88r-gmrh-7j83](https://osv.dev/GHSA-r88r-gmrh-7j83), ).\n\n## [GO-2021-0061](https://osv.dev/GO-2021-0061)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n## [GHSA-r88r-gmrh-7j83](https://osv.dev/GHSA-r88r-gmrh-7j83)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-r88r-gmrh-7j83 | gopkg.in/yaml.v2 | 2.2.3 |\n| GO-2021-0061 | gopkg.in/yaml.v2 | 2.2.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-4235\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2021-4235",
+              "name": "CVE-2021-4235",
+              "properties": {
+                "security-severity": "5.5"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2021-4235: Denial of service in gopkg.in/yaml.v2",
+                "text": "CVE-2021-4235: Denial of service in gopkg.in/yaml.v2"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2019-11254",
+                "GO-2020-0036",
+                "GHSA-wxc4-f4m6-wwqv"
+              ],
+              "fullDescription": {
+                "markdown": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.",
+                "text": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2019-11254](https://osv.dev/CVE-2019-11254)**\n(Also published as: [GO-2020-0036](https://osv.dev/GO-2020-0036), [GHSA-wxc4-f4m6-wwqv](https://osv.dev/GHSA-wxc4-f4m6-wwqv), ).\n\n## [GO-2020-0036](https://osv.dev/GO-2020-0036)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n## [GHSA-wxc4-f4m6-wwqv](https://osv.dev/GHSA-wxc4-f4m6-wwqv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-wxc4-f4m6-wwqv | gopkg.in/yaml.v2 | 2.2.8 |\n| GO-2020-0036 | gopkg.in/yaml.v2 | 2.2.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-11254\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2019-11254](https://osv.dev/CVE-2019-11254)**\n(Also published as: [GO-2020-0036](https://osv.dev/GO-2020-0036), [GHSA-wxc4-f4m6-wwqv](https://osv.dev/GHSA-wxc4-f4m6-wwqv), ).\n\n## [GO-2020-0036](https://osv.dev/GO-2020-0036)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n## [GHSA-wxc4-f4m6-wwqv](https://osv.dev/GHSA-wxc4-f4m6-wwqv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/go/gomodules/go.mod | gopkg.in/yaml.v2 | 2.2.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-wxc4-f4m6-wwqv | gopkg.in/yaml.v2 | 2.2.8 |\n| GO-2020-0036 | gopkg.in/yaml.v2 | 2.2.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/go/gomodules/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2019-11254\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2019-11254",
+              "name": "CVE-2019-11254",
+              "properties": {
+                "security-severity": "6.5"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2019-11254: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2",
+                "text": "CVE-2019-11254: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2"
+              }
+            }
+          ],
+          "supportedTaxonomies": [],
+          "taxa": [],
+          "version": "2.2.0"
+        },
+        "extensions": []
+      },
+      "translations": [],
+      "versionControlProvenance": [],
+      "webRequests": [],
+      "webResponses": []
+    }
+  ],
+  "properties": {}
+}