@fabasoad/sarif-to-slack 0.2.5 → 1.1.0

package/test-data/sarif/osv-scanner-hex.sarif

@@ -0,0 +1,147 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "addresses": [],
+      "artifacts": [
+        {
+          "length": -1,
+          "location": {
+            "index": -1,
+            "uri": "file:///Users/john.doe/projects/elixir/hex/mix.lock"
+          },
+          "parentIndex": -1,
+          "roles": []
+        }
+      ],
+      "graphs": [],
+      "invocations": [],
+      "language": "en-US",
+      "logicalLocations": [],
+      "newlineSequences": [
+        "\r\n",
+        "\n"
+      ],
+      "policies": [],
+      "redactionTokens": [],
+      "results": [
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/elixir/hex/mix.lock"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'paginator@bc2c01ab' is vulnerable to 'CVE-2020-15150' (also known as 'GHSA-w98m-2xqg-9cvj')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-15150",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/elixir/hex/mix.lock"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'paginator@bc2c01ab' is vulnerable to 'CVE-2020-15150' (also known as 'GHSA-w98m-2xqg-9cvj')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2020-15150",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        }
+      ],
+      "runAggregates": [],
+      "taxonomies": [],
+      "threadFlowLocations": [],
+      "tool": {
+        "driver": {
+          "contents": [
+            "localizedData",
+            "nonLocalizedData"
+          ],
+          "informationUri": "https://github.com/google/osv-scanner",
+          "isComprehensive": false,
+          "language": "en-US",
+          "locations": [],
+          "name": "osv-scanner",
+          "notifications": [],
+          "rules": [
+            {
+              "deprecatedIds": [
+                "CVE-2020-15150",
+                "GHSA-w98m-2xqg-9cvj"
+              ],
+              "fullDescription": {
+                "markdown": "There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function.\n\n### Impact\nThere is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function. This will potentially affect all current users of `Paginator` prior to version \u003e= 1.0.0.\n\n### Patches\nThe vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version \u003e=1.5.\n\n### Credits\n\nThank you to Peter Stöckli.",
+                "text": "There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function.\n\n### Impact\nThere is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function. This will potentially affect all current users of `Paginator` prior to version \u003e= 1.0.0.\n\n### Patches\nThe vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version \u003e=1.5.\n\n### Credits\n\nThank you to Peter Stöckli."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2020-15150](https://osv.dev/CVE-2020-15150)**.\n\n## [GHSA-w98m-2xqg-9cvj](https://osv.dev/GHSA-w98m-2xqg-9cvj)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function.\n\u003e \n\u003e ### Impact\n\u003e There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function. This will potentially affect all current users of `Paginator` prior to version \u003e= 1.0.0.\n\u003e \n\u003e ### Patches\n\u003e The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version \u003e=1.5.\n\u003e \n\u003e ### Credits\n\u003e \n\u003e Thank you to Peter Stöckli.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/elixir/hex/mix.lock | paginator | bc2c01abdd98281ff39b6a7439cf540091122a7927bdaabc167c61d4508f9cbb |\n| lockfile:/Users/john.doe/projects/elixir/hex/mix.lock | paginator | bc2c01abdd98281ff39b6a7439cf540091122a7927bdaabc167c61d4508f9cbb |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-w98m-2xqg-9cvj | paginator | 1.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/elixir/hex/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-15150\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2020-15150](https://osv.dev/CVE-2020-15150)**.\n\n## [GHSA-w98m-2xqg-9cvj](https://osv.dev/GHSA-w98m-2xqg-9cvj)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function.\n\u003e \n\u003e ### Impact\n\u003e There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` function. This will potentially affect all current users of `Paginator` prior to version \u003e= 1.0.0.\n\u003e \n\u003e ### Patches\n\u003e The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version \u003e=1.5.\n\u003e \n\u003e ### Credits\n\u003e \n\u003e Thank you to Peter Stöckli.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/elixir/hex/mix.lock | paginator | bc2c01abdd98281ff39b6a7439cf540091122a7927bdaabc167c61d4508f9cbb |\n| lockfile:/Users/john.doe/projects/elixir/hex/mix.lock | paginator | bc2c01abdd98281ff39b6a7439cf540091122a7927bdaabc167c61d4508f9cbb |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-w98m-2xqg-9cvj | paginator | 1.0.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/elixir/hex/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-15150\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2020-15150",
+              "name": "CVE-2020-15150",
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2020-15150: Remote Code Execution in paginator",
+                "text": "CVE-2020-15150: Remote Code Execution in paginator"
+              }
+            }
+          ],
+          "supportedTaxonomies": [],
+          "taxa": [],
+          "version": "2.2.0"
+        },
+        "extensions": []
+      },
+      "translations": [],
+      "versionControlProvenance": [],
+      "webRequests": [],
+      "webResponses": []
+    }
+  ],
+  "properties": {}
+}

package/test-data/sarif/osv-scanner-maven.sarif

@@ -0,0 +1,171 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "addresses": [],
+      "artifacts": [
+        {
+          "length": -1,
+          "location": {
+            "index": -1,
+            "uri": "file:///Users/john.doe/projects/java/maven/pom.xml"
+          },
+          "parentIndex": -1,
+          "roles": []
+        }
+      ],
+      "graphs": [],
+      "invocations": [],
+      "language": "en-US",
+      "logicalLocations": [],
+      "newlineSequences": [
+        "\r\n",
+        "\n"
+      ],
+      "policies": [],
+      "redactionTokens": [],
+      "results": [
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/java/maven/pom.xml"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'commons-collections:commons-collections@3.2.1' is vulnerable to 'CVE-2015-6420' (also known as 'GHSA-6hgm-866r-3cjv')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2015-6420",
+          "ruleIndex": 0,
+          "stacks": [],
+          "taxa": []
+        },
+        {
+          "attachments": [],
+          "codeFlows": [],
+          "fixes": [],
+          "graphTraversals": [],
+          "graphs": [],
+          "kind": "fail",
+          "level": "warning",
+          "locations": [
+            {
+              "annotations": [],
+              "id": -1,
+              "logicalLocations": [],
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": -1,
+                  "uri": "file:///Users/john.doe/projects/java/maven/pom.xml"
+                }
+              },
+              "relationships": []
+            }
+          ],
+          "message": {
+            "arguments": [],
+            "text": "Package 'commons-collections:commons-collections@3.2.1' is vulnerable to 'CVE-2015-7501' (also known as 'GHSA-fjq5-5j5f-mvxh')."
+          },
+          "rank": -1,
+          "relatedLocations": [],
+          "ruleId": "CVE-2015-7501",
+          "ruleIndex": 1,
+          "stacks": [],
+          "taxa": []
+        }
+      ],
+      "runAggregates": [],
+      "taxonomies": [],
+      "threadFlowLocations": [],
+      "tool": {
+        "driver": {
+          "contents": [
+            "localizedData",
+            "nonLocalizedData"
+          ],
+          "informationUri": "https://github.com/google/osv-scanner",
+          "isComprehensive": false,
+          "language": "en-US",
+          "locations": [],
+          "name": "osv-scanner",
+          "notifications": [],
+          "rules": [
+            {
+              "deprecatedIds": [
+                "CVE-2015-6420",
+                "GHSA-6hgm-866r-3cjv"
+              ],
+              "fullDescription": {
+                "markdown": "Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.",
+                "text": "Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2015-6420](https://osv.dev/CVE-2015-6420)**.\n\n## [GHSA-6hgm-866r-3cjv](https://osv.dev/GHSA-6hgm-866r-3cjv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/java/maven/pom.xml | commons-collections:commons-collections | 3.2.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6hgm-866r-3cjv | org.apache.commons:commons-collections4 | 4.1 |\n| GHSA-6hgm-866r-3cjv | commons-collections:commons-collections | 3.2.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/java/maven/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2015-6420\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2015-6420](https://osv.dev/CVE-2015-6420)**.\n\n## [GHSA-6hgm-866r-3cjv](https://osv.dev/GHSA-6hgm-866r-3cjv)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/java/maven/pom.xml | commons-collections:commons-collections | 3.2.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6hgm-866r-3cjv | org.apache.commons:commons-collections4 | 4.1 |\n| GHSA-6hgm-866r-3cjv | commons-collections:commons-collections | 3.2.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/java/maven/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2015-6420\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2015-6420",
+              "name": "CVE-2015-6420",
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2015-6420: Insecure Deserialization in Apache Commons Collection",
+                "text": "CVE-2015-6420: Insecure Deserialization in Apache Commons Collection"
+              }
+            },
+            {
+              "deprecatedIds": [
+                "CVE-2015-7501",
+                "GHSA-fjq5-5j5f-mvxh"
+              ],
+              "fullDescription": {
+                "markdown": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
+                "text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library."
+              },
+              "help": {
+                "markdown": "**Your dependency is vulnerable to [CVE-2015-7501](https://osv.dev/CVE-2015-7501)**.\n\n## [GHSA-fjq5-5j5f-mvxh](https://osv.dev/GHSA-fjq5-5j5f-mvxh)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/java/maven/pom.xml | commons-collections:commons-collections | 3.2.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-fjq5-5j5f-mvxh | commons-collections:commons-collections | 3.2.2 |\n| GHSA-fjq5-5j5f-mvxh | org.apache.commons:commons-collections4 | 4.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/java/maven/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2015-7501\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
+                "text": "**Your dependency is vulnerable to [CVE-2015-7501](https://osv.dev/CVE-2015-7501)**.\n\n## [GHSA-fjq5-5j5f-mvxh](https://osv.dev/GHSA-fjq5-5j5f-mvxh)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/java/maven/pom.xml | commons-collections:commons-collections | 3.2.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-fjq5-5j5f-mvxh | commons-collections:commons-collections | 3.2.2 |\n| GHSA-fjq5-5j5f-mvxh | org.apache.commons:commons-collections4 | 4.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/java/maven/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2015-7501\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
+              },
+              "id": "CVE-2015-7501",
+              "name": "CVE-2015-7501",
+              "properties": {
+                "security-severity": "9.8"
+              },
+              "relationships": [],
+              "shortDescription": {
+                "markdown": "CVE-2015-7501: Deserialization of Untrusted Data in Apache commons collections",
+                "text": "CVE-2015-7501: Deserialization of Untrusted Data in Apache commons collections"
+              }
+            }
+          ],
+          "supportedTaxonomies": [],
+          "taxa": [],
+          "version": "2.2.0"
+        },
+        "extensions": []
+      },
+      "translations": [],
+      "versionControlProvenance": [],
+      "webRequests": [],
+      "webResponses": []
+    }
+  ],
+  "properties": {}
+}