@fabasoad/sarif-to-slack 0.2.4 → 1.0.0

package/test-data/sarif/osv-scanner-uv.sarif

@@ -0,0 +1,206 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "addresses": [],
+      "artifacts": [
+        {
+          "length": -1,
+          "location": {
+            "index": -1,
+            "uri": "file:///Users/john.doe/projects/python/uv/uv.lock"
+          },
+          "parentIndex": -1,
+          "roles": []
+        }
+      ],
+      "graphs": [],
+      "invocations": [],
+      "language": "en-US",
+      "logicalLocations": [],
+      "newlineSequences": [
+        "\r\n",
+        "\n"
+      ],
+      "policies": [],
+      "redactionTokens": [],
+      "results": [
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/python/uv/uv.lock"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'py@1.4.26' is vulnerable to 'CVE-2020-29651' (also known as 'PYSEC-2020-92', 'GHSA-hj5v-574p-mj7c')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-29651",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/python/uv/uv.lock"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'py@1.4.26' is vulnerable to 'CVE-2020-29651' (also known as 'PYSEC-2020-92', 'GHSA-hj5v-574p-mj7c')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-29651",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/python/uv/uv.lock"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'py@1.4.26' is vulnerable to 'CVE-2022-42969' (also known as 'PYSEC-2022-42969', 'GHSA-w596-4wvx-j9j6')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2022-42969",
+          "ruleIndex": 1,
+          "stacks": [],
+          "taxa": []
+        }
+      ],
+      "runAggregates": [],
+      "taxonomies": [],
+      "threadFlowLocations": [],
+      "tool": {
+        "driver": {
+          "contents": [
+            "localizedData",
+            "nonLocalizedData"
+          ],
+          "informationUri": "https://github.com/google/osv-scanner",
+          "isComprehensive": false,
+          "language": "en-US",
+          "locations": [],
+          "name": "osv-scanner",
+          "notifications": [],
+          "rules": [
+            {
+              "deprecatedIds": [
+                "CVE-2020-29651",
+                "PYSEC-2020-92",
+                "GHSA-hj5v-574p-mj7c"
+              ],
+              "fullDescription": {
+                "markdown": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.",
+                "text": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2020-29651](https://osv.dev/CVE-2020-29651)**\n(Also published as: [PYSEC-2020-92](https://osv.dev/PYSEC-2020-92), [GHSA-hj5v-574p-mj7c](https://osv.dev/GHSA-hj5v-574p-mj7c), ).\n\n## [PYSEC-2020-92](https://osv.dev/PYSEC-2020-92)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.\n\n\u003c/details\u003e\n\n## [GHSA-hj5v-574p-mj7c](https://osv.dev/GHSA-hj5v-574p-mj7c)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/uv/uv.lock | py | 1.4.26 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hj5v-574p-mj7c | py | 1.10.0 |\n| PYSEC-2020-92 | py | 1.10.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/uv/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-29651\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2020-29651](https://osv.dev/CVE-2020-29651)**\n(Also published as: [PYSEC-2020-92](https://osv.dev/PYSEC-2020-92), [GHSA-hj5v-574p-mj7c](https://osv.dev/GHSA-hj5v-574p-mj7c), ).\n\n## [PYSEC-2020-92](https://osv.dev/PYSEC-2020-92)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.\n\n\u003c/details\u003e\n\n## [GHSA-hj5v-574p-mj7c](https://osv.dev/GHSA-hj5v-574p-mj7c)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/uv/uv.lock | py | 1.4.26 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hj5v-574p-mj7c | py | 1.10.0 |\n| PYSEC-2020-92 | py | 1.10.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/uv/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-29651\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2020-29651",
+              "name": "CVE-2020-29651",
+              "properties": {
+                "security-severity": "8.7"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2020-29651: py vulnerable to Regular Expression Denial of Service",
+                "text": "CVE-2020-29651: py vulnerable to Regular Expression Denial of Service"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2022-42969",
+                "PYSEC-2022-42969",
+                "GHSA-w596-4wvx-j9j6"
+              ],
+              "fullDescription": {
+                "markdown": "",
+                "text": ""
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2022-42969](https://osv.dev/CVE-2022-42969)**.\n\n## [PYSEC-2022-42969](https://osv.dev/PYSEC-2022-42969)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/uv/uv.lock | py | 1.4.26 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/uv/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-42969\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2022-42969](https://osv.dev/CVE-2022-42969)**.\n\n## [PYSEC-2022-42969](https://osv.dev/PYSEC-2022-42969)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/python/uv/uv.lock | py | 1.4.26 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/python/uv/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-42969\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2022-42969",
+              "name": "CVE-2022-42969",
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2022-42969",
+                "text": "CVE-2022-42969"
+              }
+            }
+          ],
+          "supportedTaxonomies": [],
+          "taxa": [],
+          "version": "2.2.0"
+        },
+        "extensions": []
+      },
+      "translations": [],
+      "versionControlProvenance": [],
+      "webRequests": [],
+      "webResponses": []
+    }
+  ],
+  "properties": {}
+}