From 6fb67c3c386564082e4b8b65035f53a1feab9fde Mon Sep 17 00:00:00 2001
From: ziad hany
Date: Mon, 25 Aug 2025 03:11:17 +0300
Subject: [PATCH 1/2] Add initial support for collecting ProjectKBP old fix commits.
Signed-off-by: ziad hany
---
 vulnerabilities/improvers/__init__.py | 4 +
 .../collect_commits_project_kb.py | 120 ++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100644 vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
index 1be791241..ab8e30503 100644
--- a/vulnerabilities/improvers/__init__.py
+++ b/vulnerabilities/improvers/__init__.py
@@ -19,6 +19,9 @@
 from vulnerabilities.pipelines import flag_ghost_packages
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
+from vulnerabilities.pipelines.v2_improvers import (
+ collect_commits_project_kb as collect_commits_project_kb_v2,
+)
 from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
 from vulnerabilities.pipelines.v2_improvers import (
@@ -68,5 +71,6 @@
 compute_version_rank_v2.ComputeVersionRankPipeline,
 compute_advisory_todo_v2.ComputeToDo,
 compute_advisory_todo.ComputeToDo,
+ collect_commits_project_kb_v2.CollectFixCommitsProjectKBPipeline,
 ]
 )
diff --git a/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py b/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
new file mode 100644
index 000000000..aeb3f64e5
--- /dev/null
+++ b/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
@@ -0,0 +1,120 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+ import csv
+ from pathlib import Path
+
+ import saneyaml
+ from fetchcode.vcs import fetch_via_vcs
+
+ from vulnerabilities.models import AdvisoryV2
+ from vulnerabilities.models import CodeFixV2
+ from vulnerabilities.pipelines import VulnerableCodePipeline
+
+
+ class CollectFixCommitsProjectKBPipeline(VulnerableCodePipeline):
+ """
+ Pipeline to collect fix commits from Project KB:
+ https://github.com/SAP/project-kb/blob/main/MSR2019/dataset/vulas_db_msr2019_release.csv
+ https://github.com/SAP/project-kb/blob/vulnerability-data/statements/*/*.yaml
+ """
+
+ pipeline_id = "kb_project_fix_commits"
+ spdx_license_expression = "Apache-2.0"
+ license_url = "https://github.com/SAP/project-kb/blob/main/LICENSE.txt"
+ importer_name = "Project KB Importer"
+ qualified_name = "kb_project_fix_commits"
+ repo_url_vulnerability_data = "git+https://github.com/SAP/project-kb@vulnerability-data"
+ repo_url_main = "git+https://github.com/SAP/project-kb"
+
+ @classmethod
+ def steps(cls):
+ return (cls.collect_fix_commits,)
+
+ def collect_fix_commits(self):
+ self.vcs_response_main = fetch_via_vcs(self.repo_url_main)
+ self.vcs_response_vuln_data = fetch_via_vcs(self.repo_url_vulnerability_data)
+
+ self.log(f"Processing ProjectKBP fix commits.")
+ csv_database_filepath = (
+ Path(self.vcs_response_main.dest_dir) / "MSR2019/dataset/vulas_db_msr2019_release.csv"
+ )
+ try:
+ with open(csv_database_filepath, mode="r", newline="", encoding="utf-8") as f:
+ reader = csv.reader(f)
+ next(reader, None) # Skip header row
+ for row in reader:
+ if len(row) != 4:
+ continue
+ vulnerability_id, repo_url, commit_hash, label = row
+
+ if not vulnerability_id:
+ continue
+
+ try:
+ advisory = AdvisoryV2.objects.get(advisory_id=vulnerability_id)
+ except AdvisoryV2.DoesNotExist:
+ self.log(f"Can't find vulnerability_id: {vulnerability_id}")
+ continue
+
+ self.create_codefix_entries(advisory, repo_url, commit_hash, vulnerability_id)
+ except FileNotFoundError:
+ self.log(f"CSV file not found: {csv_database_filepath}")
+
+ base_path = Path(self.vcs_response_vuln_data.dest_dir) / "statements"
+ for file_path in base_path.rglob("*.yaml"):
+ if file_path.name != "statement.yaml":
+ continue
+
+ with open(file_path) as f:
+ vulnerability_fixes_data = saneyaml.load(f)
+
+ vulnerability_id = vulnerability_fixes_data.get("vulnerability_id")
+ if not vulnerability_id:
+ continue
+
+ try:
+ advisory = AdvisoryV2.objects.get(advisory_id=vulnerability_id)
+ except AdvisoryV2.DoesNotExist:
+ self.log(f"Can't find vulnerability_id: {vulnerability_id}")
+ continue
+
+ for commit_data in vulnerability_fixes_data.get("fixes", []):
+ for commit in commit_data.get("commits", []):
+ commit_id = commit.get("id")
+ repo_url = commit.get("repository")
+
+ if not commit_id or not repo_url:
+ continue
+
+ self.create_codefix_entries(advisory, repo_url, commit_id, vulnerability_id)
+
+ def create_codefix_entries(self, advisory, repo_url, commit_id, vulnerability_id):
+ repo_url = repo_url.rstrip("/").removesuffix(".git")
+ vcs_url = f"{repo_url}/commit/{commit_id}"
+
+ for impact in advisory.impacted_packages.all():
+ for package in impact.affecting_packages.all():
+ code_fix, created = CodeFixV2.objects.get_or_create(
+ commits=[vcs_url],
+ advisory=advisory,
+ affected_package=package,
+ )
+ if created:
+ self.log(
+ f"Created CodeFix entry for vulnerability_id: {vulnerability_id} with VCS URL {vcs_url}"
+ )
+
+ def clean_downloads(self):
+ if self.vcs_response_main or self.vcs_response_vuln_data:
+ self.log(f"Removing cloned repository")
+ self.vcs_response_main.delete()
+ self.vcs_response_vuln_data.delete()
+
+ def on_failure(self):
+ self.clean_downloads()
From 493e21022a42e8255b89feaa7a02fc2824ca8b58 Mon Sep 17 00:00:00 2001
From: ziad hany
Date: Thu, 9 Oct 2025 15:56:41 +0300
Subject: [PATCH 2/2] Add ProjectKBv2 importer
Add a test for the ProjectKB importer and collect fix commits pipeline.
Signed-off-by: ziad hany
---
 vulnerabilities/importers/__init__.py | 2 +
 .../v2_importers/project_kb_importer.py | 125 +++
 .../collect_commits_project_kb.py | 119 +--
 .../test_project_kb_importer_v2.py | 89 ++
 .../test_data/kbmsr2019/1/statement.yaml | 285 ++++++
 .../test_data/kbmsr2019/2/statement.yaml | 298 ++++++
 .../test_data/kbmsr2019/3/statement.yaml | 9 +
 .../dataset/vulas_db_msr2019_release.csv} | 0
 .../kbmsr2019/statement-1-expected.json | 968 ++++++++++++++++++
 .../kbmsr2019/statement-2-expected.json | 966 +++++++++++++++++
 .../kbmsr2019/statement-3-expected.json | 19 +
 vulnerabilities/tests/test_msr2019.py | 2 +-
 12 files changed, 2807 insertions(+), 75 deletions(-)
 create mode 100644 vulnerabilities/pipelines/v2_importers/project_kb_importer.py
 create mode 100644 vulnerabilities/tests/pipelines/v2_importers/test_project_kb_importer_v2.py
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/1/statement.yaml
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/2/statement.yaml
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/3/statement.yaml
 rename vulnerabilities/tests/test_data/kbmsr2019/{test_msr_data.csv => MSR2019/dataset/vulas_db_msr2019_release.csv} (100%)
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/statement-1-expected.json
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/statement-2-expected.json
 create mode 100644 vulnerabilities/tests/test_data/kbmsr2019/statement-3-expected.json
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 82ee4525a..82c58b753 100644
--- a/vulnerabilities/importers/__init__.py
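Review bot: `clean_downloads` is not part of `steps()`, so the two clones made at the top of `collect_fix_commits` stay on disk after every successful run, and `on_failure` reads `self.vcs_response_main` / `self.vcs_response_vuln_data`, which exist only once the `fetch_via_vcs` calls have returned — a clone failure therefore surfaces as an AttributeError from the cleanup instead of the original error, and the `or` condition deletes both responses even when only the first was ever assigned. Declare both at class level (`vcs_response_main = None` and `vcs_response_vuln_data = None`), delete each only when it is set, and add `cls.clean_downloads` to `steps()`. The same two gaps carry over into the second patch's rewrite of this file (`self.vcs_response` is assigned only in `clone`, read unconditionally in `clean_downloads`, and `clean_downloads` is still absent from `steps()`), and the unconditional read also appears in `project_kb_importer.py`'s `clean_downloads`, unless the base pipeline class already declares the attribute — worth confirming there. `with open(file_path) as f:` for the YAML statements also omits `encoding="utf-8"`, unlike the CSV open a few lines above it.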
+++ b/vulnerabilities/importers/__init__.py
@@ -55,6 +55,7 @@
 from vulnerabilities.pipelines.v2_importers import nvd_importer as nvd_importer_v2
 from vulnerabilities.pipelines.v2_importers import oss_fuzz as oss_fuzz_v2
 from vulnerabilities.pipelines.v2_importers import postgresql_importer as postgresql_importer_v2
+from vulnerabilities.pipelines.v2_importers import project_kb_importer as project_kb_importer_v2
 from vulnerabilities.pipelines.v2_importers import pypa_importer as pypa_importer_v2
 from vulnerabilities.pipelines.v2_importers import pysec_importer as pysec_importer_v2
 from vulnerabilities.pipelines.v2_importers import redhat_importer as redhat_importer_v2
@@ -81,6 +82,7 @@
 mozilla_importer_v2.MozillaImporterPipeline,
 github_osv_importer_v2.GithubOSVImporterPipeline,
 redhat_importer_v2.RedHatImporterPipeline,
+ project_kb_importer_v2.ProjectKBPipeline,
 nvd_importer.NVDImporterPipeline,
 github_importer.GitHubAPIImporterPipeline,
 gitlab_importer.GitLabImporterPipeline,
diff --git a/vulnerabilities/pipelines/v2_importers/project_kb_importer.py b/vulnerabilities/pipelines/v2_importers/project_kb_importer.py
new file mode 100644
index 000000000..2e4ee2ede
--- /dev/null
+++ b/vulnerabilities/pipelines/v2_importers/project_kb_importer.py
@@ -0,0 +1,125 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+ import json
+ from pathlib import Path
+ from typing import Iterable
+
+ import saneyaml
+ from fetchcode.vcs import fetch_via_vcs
+ from packageurl import PackageURL
+ from univers.maven import VersionRange
+
+ from vulnerabilities.importer import AdvisoryData
+ from vulnerabilities.importer import AffectedPackageV2
+ from vulnerabilities.importer import ReferenceV2
+ from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+ from vulnerabilities.utils import get_advisory_url
+
+
+ class ProjectKBPipeline(VulnerableCodeBaseImporterPipelineV2):
+ """
+ ProjectKB Importer Pipeline
+ Collect advisory from ProjectKB data:
+ - YAML statements: https://github.com/SAP/project-kb/blob/vulnerability-data/statements/*/*.yaml
+ """
+
+ pipeline_id = "project-kb_v2"
+ spdx_license_expression = "Apache-2.0"
+ license_url = "https://github.com/SAP/project-kb/blob/main/LICENSE.txt"
+ repo_url = "git+https://github.com/SAP/project-kb@vulnerability-data"
+
+ @classmethod
+ def steps(cls):
+ return (cls.clone_repo, cls.collect_and_store_advisories, cls.clean_downloads)
+
+ def clone_repo(self):
+ self.log("Processing ProjectKB advisory data...")
+ self.vcs_response = fetch_via_vcs(self.repo_url)
+
+ def advisories_count(self):
+ base_path = Path(self.vcs_response.dest_dir) / "statements"
+ count = sum(1 for _ in base_path.rglob("*.yaml"))
+ self.log(f"Estimated advisories to process: {count}")
+ return count
+
+ def collect_advisories(self) -> Iterable[AdvisoryData]:
+ """Collect fix commits from YAML statements under /statements."""
+ base_path = Path(self.vcs_response.dest_dir) / "statements"
+
+ for yaml_file in base_path.rglob("*.yaml"):
+ if yaml_file.name != "statement.yaml":
+ continue
+
+ with open(yaml_file, encoding="utf-8") as f:
+ yaml_data = saneyaml.load(f)
+
+ vulnerability_id = yaml_data.get("vulnerability_id")
+ if not vulnerability_id:
+ continue
+
+ note_texts = []
+ for note_entry in yaml_data.get("notes", []):
+ text_content = note_entry.get("text")
+ if text_content:
+ note_texts.append(text_content)
+ description = "\n".join(note_texts)
+
+ references = []
+ for fix in yaml_data.get("fixes", []):
+ for commit in fix.get("commits", []):
+ commit_id = commit.get("id")
+ repo_url = commit.get("repository")
+ if not commit_id or not repo_url:
+ continue
+
+ commit_url = repo_url.replace(".git", "") + "/commit/" + commit_id
+ ref = ReferenceV2.from_url(commit_url)
+ references.append(ref)
+
+ affected_packages = []
+ for artifact in yaml_data.get("artifacts", []):
+ affected = artifact.get("affected")
+ if not affected:
+ continue
+
+ purl_str = artifact.get("id")
+ purl = PackageURL.from_string(purl_str)
+
+ affected_package = AffectedPackageV2(
+ package=PackageURL(type=purl.type, namespace=purl.namespace, name=purl.name),
+ fixed_version_range=VersionRange.from_version(purl.version),
+ )
+ affected_packages.append(affected_package)
+
+ advisory_url = get_advisory_url(
+ file=yaml_file,
+ base_path=base_path,
+ url="https://github.com/SAP/project-kb/blob/vulnerability-data/statements/",
+ )
+
+ yield AdvisoryData(
+ advisory_id=vulnerability_id,
+ aliases=[],
+ summary=description or "",
+ affected_packages=affected_packages,
+ references_v2=references,
+ url=advisory_url,
+ original_advisory_text=json.dumps(yaml_data, indent=2, ensure_ascii=False),
+ )
+
+ def clean_downloads(self):
+ """Remove the cloned repository from disk."""
+ self.log("Removing cloned repository...")
+ if self.vcs_response:
+ self.vcs_response.delete()
+
+ def on_failure(self):
+ """Ensure cleanup happens on pipeline failure."""
+ self.clean_downloads()
diff --git a/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py b/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
index aeb3f64e5..ab3620b58 100644
--- a/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
+++ b/vulnerabilities/pipelines/v2_improvers/collect_commits_project_kb.py
@@ -6,10 +6,10 @@
 # See https://github.com/aboutcode-org/vulnerablecode for support or download.
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
+
 import csv
 from pathlib import Path
-import saneyaml
 from fetchcode.vcs import fetch_via_vcs
 from vulnerabilities.models import AdvisoryV2
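Review bot: The artifact loop in `collect_advisories` skips every entry with `affected: false` and stores the remaining, vulnerable versions in `fixed_version_range`, so for the CVE-2019-17531 fixture jackson-databind 2.9.10 (`affected: true`) would be published as a fixed version while 2.9.10.1 (`affected: false`) is dropped — consumers matching on this data would treat a vulnerable release as patched; the `affected: true` versions belong in the affected range and the `affected: false` entries are the fixed ones (confirm the exact attribute name on `AffectedPackageV2` before relying on it). Two smaller points in the same hunk: `repo_url.replace(".git", "")` removes `.git` anywhere in the URL rather than only as a suffix, whereas the improver in this series uses `repo_url.rstrip("/").removesuffix(".git")`, which is the form to copy here; and `PackageURL.from_string(purl_str)` / `VersionRange.from_version(purl.version)` raise when an artifact has no `id` or no version, aborting the whole import instead of skipping that entry. `VersionRange` is also hard-wired to `univers.maven`, which holds while every statement is `pkg:maven` but would mis-type any other ecosystem; `RANGE_CLASS_BY_SCHEMES[purl.type]` from `univers.version_range` handles this generally. The rewritten artifact loop is below.
```python
            affected_packages = []
            for artifact in yaml_data.get("artifacts", []):
                purl_str = artifact.get("id")
                if not purl_str:
                    continue
                purl = PackageURL.from_string(purl_str)
                if not purl.version:
                    continue
                version_range = VersionRange.from_version(purl.version)
                # NOTE(review): `affected: true` marks vulnerable releases, `affected: false`
                # the releases that carry the fix; confirm the attribute names on AffectedPackageV2.
                range_kwargs = (
                    {"affected_version_range": version_range}
                    if artifact.get("affected")
                    else {"fixed_version_range": version_range}
                )
                affected_packages.append(
                    AffectedPackageV2(
                        package=PackageURL(type=purl.type, namespace=purl.namespace, name=purl.name),
                        **range_kwargs,
                    )
                )
            # … unchanged: advisory_url lookup and the AdvisoryData yield …
```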
@@ -21,100 +21,71 @@ class CollectFixCommitsProjectKBPipeline(VulnerableCodePipeline):
 """
 Pipeline to collect fix commits from Project KB:
 https://github.com/SAP/project-kb/blob/main/MSR2019/dataset/vulas_db_msr2019_release.csv
- https://github.com/SAP/project-kb/blob/vulnerability-data/statements/*/*.yaml
 """
 pipeline_id = "kb_project_fix_commits"
 spdx_license_expression = "Apache-2.0"
 license_url = "https://github.com/SAP/project-kb/blob/main/LICENSE.txt"
- importer_name = "Project KB Importer"
 qualified_name = "kb_project_fix_commits"
- repo_url_vulnerability_data = "git+https://github.com/SAP/project-kb@vulnerability-data"
- repo_url_main = "git+https://github.com/SAP/project-kb"
+ repo_url = "git+https://github.com/SAP/project-kb"
 @classmethod
 def steps(cls):
- return (cls.collect_fix_commits,)
+ return (
+ cls.clone,
+ cls.collect_fix_commits,
+ )
+
+ def clone(self):
+ self.log("Cloning repositories for ProjectKB fix commits from CSV...")
+ self.vcs_response = fetch_via_vcs(self.repo_url)
 def collect_fix_commits(self):
- self.vcs_response_main = fetch_via_vcs(self.repo_url_main)
- self.vcs_response_vuln_data = fetch_via_vcs(self.repo_url_vulnerability_data)
+ self.log("Collecting fix commits from ProjectKB...")
- self.log(f"Processing ProjectKBP fix commits.")
- csv_database_filepath = (
- Path(self.vcs_response_main.dest_dir) / "MSR2019/dataset/vulas_db_msr2019_release.csv"
- )
- try:
- with open(csv_database_filepath, mode="r", newline="", encoding="utf-8") as f:
- reader = csv.reader(f)
- next(reader, None) # Skip header row
- for row in reader:
- if len(row) != 4:
- continue
- vulnerability_id, repo_url, commit_hash, label = row
-
- if not vulnerability_id:
- continue
-
- try:
- advisory = AdvisoryV2.objects.get(advisory_id=vulnerability_id)
- except AdvisoryV2.DoesNotExist:
- self.log(f"Can't find vulnerability_id: {vulnerability_id}")
- continue
-
- self.create_codefix_entries(advisory, repo_url, commit_hash, vulnerability_id)
- except FileNotFoundError:
- self.log(f"CSV file not found: {csv_database_filepath}")
-
- base_path = Path(self.vcs_response_vuln_data.dest_dir) / "statements"
- for file_path in base_path.rglob("*.yaml"):
- if file_path.name != "statement.yaml":
- continue
+ csv_path = Path(self.vcs_response.dest_dir) / "MSR2019/dataset/vulas_db_msr2019_release.csv"
- with open(file_path) as f:
- vulnerability_fixes_data = saneyaml.load(f)
+ with open(csv_path, newline="", encoding="utf-8") as f:
+ reader = csv.reader(f)
+ next(reader, None) # skip header
+ rows = [r for r in reader if len(r) == 4 and r[0]]
- vulnerability_id = vulnerability_fixes_data.get("vulnerability_id")
- if not vulnerability_id:
- continue
+ vuln_ids = {r[0] for r in rows}
+ advisories = AdvisoryV2.objects.filter(advisory_id__in=vuln_ids).prefetch_related(
+ "impacted_packages__affecting_packages"
+ )
+ advisory_map = {a.advisory_id: a for a in advisories}
- try:
- advisory = AdvisoryV2.objects.get(advisory_id=vulnerability_id)
- except AdvisoryV2.DoesNotExist:
- self.log(f"Can't find vulnerability_id: {vulnerability_id}")
+ codefixes = []
+ for vuln_id, repo_url, commit, _ in rows:
+ advisory = advisory_map.get(vuln_id)
+ if not advisory:
 continue
- for commit_data in vulnerability_fixes_data.get("fixes", []):
- for commit in commit_data.get("commits", []):
- commit_id = commit.get("id")
- repo_url = commit.get("repository")
-
- if not commit_id or not repo_url:
- continue
-
- self.create_codefix_entries(advisory, repo_url, commit_id, vulnerability_id)
-
- def create_codefix_entries(self, advisory, repo_url, commit_id, vulnerability_id):
- repo_url = repo_url.rstrip("/").removesuffix(".git")
- vcs_url = f"{repo_url}/commit/{commit_id}"
-
- for impact in advisory.impacted_packages.all():
- for package in impact.affecting_packages.all():
- code_fix, created = CodeFixV2.objects.get_or_create(
- commits=[vcs_url],
- advisory=advisory,
- affected_package=package,
- )
- if created:
- self.log(
- f"Created CodeFix entry for vulnerability_id: {vulnerability_id} with VCS URL {vcs_url}"
+ repo_url = repo_url.rstrip("/").removesuffix(".git")
+ vcs_url = f"{repo_url}/commit/{commit}"
+
+ for impact in advisory.impacted_packages.all():
+ for pkg in impact.affecting_packages.all():
+ codefixes.append(
+ CodeFixV2(
+ commits=[vcs_url],
+ advisory=advisory,
+ affected_package=pkg,
+ )
 )
+ if codefixes:
+ CodeFixV2.objects.bulk_create(codefixes, ignore_conflicts=True)
+ self.log(f"Created {len(codefixes)} CodeFix entries.")
+ else:
+ self.log("No CodeFix entries created.")
+
 def clean_downloads(self):
- if self.vcs_response_main or self.vcs_response_vuln_data:
+ """Remove the cloned repository from disk."""
+ if self.vcs_response:
 self.log(f"Removing cloned repository")
- self.vcs_response_main.delete()
- self.vcs_response_vuln_data.delete()
+ self.vcs_response.delete()
 def on_failure(self):
 self.clean_downloads()
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_project_kb_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_project_kb_importer_v2.py
new file mode 100644
index 000000000..cc696d61e
--- /dev/null
+++ b/vulnerabilities/tests/pipelines/v2_importers/test_project_kb_importer_v2.py
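Review bot: The fourth CSV column is discarded as `_` in `for vuln_id, repo_url, commit, _ in rows`, where the first patch still named it `label`; if that column distinguishes confirmed fix commits from other entries in the MSR2019 dataset, every row is now ingested as a fix, so its meaning should be confirmed against the dataset documentation and filtered on before the `CodeFixV2` objects are built. `self.log(f"Created {len(codefixes)} CodeFix entries.")` overstates the outcome: `bulk_create(..., ignore_conflicts=True)` silently drops rows that already exist, so the number is only what was attempted — `self.log(f"Prepared {len(codefixes)} CodeFix entries (existing rows skipped).")` says what is actually known. `repo_url` and `commit` flow straight from the downloaded CSV into the stored `vcs_url`; a cheap guard such as `if not repo_url.startswith(("http://", "https://")): continue` before building it keeps malformed rows out of the database. `self.log(f"Removing cloned repository")` in `clean_downloads` is an f-string with no placeholders and can be a plain literal.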
@@ -0,0 +1,89 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+ from datetime import datetime
+ from datetime import timezone
+ from pathlib import Path
+ from types import SimpleNamespace
+ from unittest import TestCase
+ from unittest.mock import patch
+
+ import pytest
+
+ from vulnerabilities.models import AdvisoryV2
+ from vulnerabilities.models import CodeFixV2
+ from vulnerabilities.models import ImpactedPackage
+ from vulnerabilities.models import PackageV2
+ from vulnerabilities.pipelines.v2_importers.project_kb_importer import ProjectKBPipeline
+ from vulnerabilities.pipelines.v2_improvers.collect_commits_project_kb import (
+ CollectFixCommitsProjectKBPipeline,
+ )
+ from vulnerabilities.tests import util_tests
+
+ TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "kbmsr2019"
+
+
+ class TestProjectKbImporterPipeline(TestCase):
+ """
+ Integration-style test that validates YAML → Advisory → JSON conversion
+ using real test data files, but mocks network and repo access.
+ """
+
+ @patch(
+ "vulnerabilities.pipelines.v2_importers.project_kb_importer.get_advisory_url",
+ return_value="https://mocked.url/advisory",
+ )
+ def test_project_kb_collect_advisories_v2(self, mock_get_advisory_url):
+ pipeline = ProjectKBPipeline()
+ pipeline.vcs_response = SimpleNamespace(dest_dir=TEST_DATA)
+
+ for idx in range(1, 4):
+ yaml_file = TEST_DATA / str(idx) / f"statement.yaml"
+ expected_file = TEST_DATA / f"statement-{idx}-expected.json"
+
+ with patch(
+ "vulnerabilities.pipelines.v2_importers.project_kb_importer.Path.rglob",
+ return_value=[yaml_file],
+ ):
+ result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+
+ util_tests.check_results_against_json(result, expected_file)
+
+ @pytest.mark.django_db
+ def test_collect_fix_commits_uses_existing_csv(self):
+ """
+ Test that CollectFixCommitsProjectKBPipeline.collect_fix_commits()
+ reads an existing ProjectKB CSV file and creates CodeFixV2 entries.
+ """
+
+ advisory = AdvisoryV2.objects.create(
+ advisory_id="CVE-2018-8034",
+ datasource_id="test-datasource",
+ avid="TEST-1234",
+ unique_content_id="unique-test-id",
+ url="https://example.com/advisory/CVE-2018-8034",
+ date_collected=datetime.now(timezone.utc),
+ )
+
+ pkg1 = PackageV2.objects.create(name="test_name1", type="test")
+ pkg2 = PackageV2.objects.create(name="test_name2", type="test")
+
+ impacted = ImpactedPackage.objects.create(advisory=advisory)
+ impacted.affecting_packages.set([pkg1, pkg2])
+
+ pipeline = CollectFixCommitsProjectKBPipeline()
+ pipeline.vcs_response = SimpleNamespace(dest_dir=TEST_DATA)
+
+ pipeline.collect_fix_commits()
+
+ fixes = CodeFixV2.objects.all()
+ assert len(fixes) == 2
+ assert [fix.commits for fix in fixes] == [
+ ["https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a"],
+ ["https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a"],
+ ]
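Review bot: `@pytest.mark.django_db` on `test_collect_fix_commits_uses_existing_csv` is applied to a method of a `unittest.TestCase` subclass; pytest-django documents that the `django_db` mark is not honoured on `unittest.TestCase` classes, so unless this project's conftest grants database access globally, `AdvisoryV2.objects.create(...)` will fail with the database-access error rather than exercise the pipeline — deriving the class from `django.test.TestCase` (or making this a module-level pytest function) is the usual fix, and worth verifying by running the test in isolation. `f"statement.yaml"` has no placeholders and can be the plain literal `"statement.yaml"`. The list comparison on `CodeFixV2.objects.all()` only holds because both expected rows are identical; if the fixture ever carries distinct commits the unordered queryset makes the assertion flaky, so compare `sorted(fix.commits[0] for fix in fixes)` against a sorted expectation instead.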
diff --git a/vulnerabilities/tests/test_data/kbmsr2019/1/statement.yaml b/vulnerabilities/tests/test_data/kbmsr2019/1/statement.yaml
new file mode 100644
index 000000000..f6ef246d4
--- /dev/null
+++ b/vulnerabilities/tests/test_data/kbmsr2019/1/statement.yaml
@@ -0,0 +1,285 @@ +vulnerability_id: CVE-2019-17531 +notes: +- text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. +fixes: +- id: DEFAULT_BRANCH + commits: + - id: b5a304a98590b6bb766134f9261e6566dcbbb6d0 + repository: https://github.com/FasterXML/jackson-databind +artifacts: +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.4 + reason: Reviewed manually + affected: true +- id: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core4@4.1.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.2 + reason: Reviewed manually + 
affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr4 + reason: Reviewed manually + affected: true +- id: pkg:maven/net.sf.ehcache/ehcache@2.10.6 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core@3.1.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.1 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.2 + 
reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.10 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.4 + reason: Reviewed manually + affected: true +- id: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core4@4.2.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.7.9 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.1 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr2 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.5 + reason: Reviewed manually 
+ affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr1 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.signalfx.public/signalfx-java@0.0.48 + reason: Reviewed manually + affected: false \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/kbmsr2019/2/statement.yaml b/vulnerabilities/tests/test_data/kbmsr2019/2/statement.yaml new file mode 100644 index 000000000..7c3e4e834 --- /dev/null +++ b/vulnerabilities/tests/test_data/kbmsr2019/2/statement.yaml 
@@ -0,0 +1,298 @@ +vulnerability_id: CVE-2019-16942 +notes: +- text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. +fixes: +- id: DEFAULT_BRANCH + commits: + - id: 9593e16cf5a3d289a9c584f7123639655de9ddac + repository: https://github.com/FasterXML/jackson-databind + - id: 328a0f833daf6baa443ac3b37c818a0204714b0b + repository: https://github.com/FasterXML/jackson-databind + - id: 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8 + repository: https://github.com/FasterXML/jackson-databind +artifacts: +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.4 + reason: Reviewed manually 
+ affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.1 + reason: 
Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core4@4.1.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr4 + reason: Reviewed manually + affected: true +- id: pkg:maven/net.sf.ehcache/ehcache@2.10.6 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.signalfx.public/signalfx-java@0.2.0 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core@3.1.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10 + reason: Reviewed manually + affected: true +- id: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.1 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.10 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.7.2 + reason: Reviewed manually + affected: 
false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.7.0 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/org.apache.htrace/htrace-core@3.2.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/org.apache.htrace/htrace-core4@4.2.0-incubating + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.6 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.7.7 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.5.9 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.couchbase.client/core-io@1.7.4 + reason: Reviewed manually + affected: false +- id: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.couchbase.client/core-io@1.7.9 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.signalfx.public/signalfx-java@0.1.0 + reason: Reviewed manually + affected: false +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.5 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.3 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.4 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.1 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc2 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8 + reason: Reviewed manually + affected: true +- id: pkg:maven/com.signalfx.public/signalfx-java@0.0.48 + reason: Reviewed manually + affected: false \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/kbmsr2019/3/statement.yaml b/vulnerabilities/tests/test_data/kbmsr2019/3/statement.yaml new file mode 100644 index 000000000..3cd2001d0 --- /dev/null +++ b/vulnerabilities/tests/test_data/kbmsr2019/3/statement.yaml 
@@ -0,0 +1,9 @@ +vulnerability_id: CVE-2019-1020012 +notes: +- links: [] + text: parse-server before 3.4.1 allows DoS after any POST to a volatile class. +fixes: +- id: DEFAULT_BRANCH + commits: + - id: 8709daf698ea69b59268cb66f0f7cee75b52daa5 + repository: https://github.com/parse-community/parse-server \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/kbmsr2019/test_msr_data.csv b/vulnerabilities/tests/test_data/kbmsr2019/MSR2019/dataset/vulas_db_msr2019_release.csv similarity index 100% rename from vulnerabilities/tests/test_data/kbmsr2019/test_msr_data.csv rename to vulnerabilities/tests/test_data/kbmsr2019/MSR2019/dataset/vulas_db_msr2019_release.csv diff --git a/vulnerabilities/tests/test_data/kbmsr2019/statement-1-expected.json b/vulnerabilities/tests/test_data/kbmsr2019/statement-1-expected.json new file mode 100644 index 000000000..69494ee6f --- /dev/null +++ b/vulnerabilities/tests/test_data/kbmsr2019/statement-1-expected.json 
@@ -0,0 +1,968 @@ +[ + { + "advisory_id": "CVE-2019-17531", + "aliases": [], + "summary": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", + "affected_packages": [ + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.1" + }, + { + 
"package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.1" + }, + { + "package": { + "type": "maven", + "namespace": 
"com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": 
"jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.8" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + 
"qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0.pr3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0.pr4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" 
+ }, + "affected_version_range": null, + "fixed_version_range": "2.9.10" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.8.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + 
"fixed_version_range": "2.8.10" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.2.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.6" + }, + { + "package": { 
+ "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.3" + }, + { + "package": { + "type": "maven", + "namespace": 
"com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.8" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": 
"jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.0.rc2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.8" + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": 
"https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0" + } + ], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/kbmsr2019/statement-2-expected.json b/vulnerabilities/tests/test_data/kbmsr2019/statement-2-expected.json new file mode 100644 index 000000000..a7a54242c --- /dev/null +++ b/vulnerabilities/tests/test_data/kbmsr2019/statement-2-expected.json 
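Review bot: This expected output records versions the source statement marks as vulnerable under `fixed_version_range`, e.g. `"affected_version_range": null, "fixed_version_range": "2.6.6"`, while the tail of `kbmsr2019/1/statement.yaml` above lists `jackson-databind@2.6.6` with `affected: true`, and the `affected: false` artifacts (jackson-databind 2.10.0, the htrace and couchbase entries) are simply absent. If the fixture reflects what the pipeline emits, affected and fixed are inverted, which would make VulnerableCode report known-vulnerable jackson-databind releases as fixed; the fixture should expect these versions in `affected_version_range` (as a vers range rather than a bare version string) and derive `fixed_version_range` only from `affected: false` entries, if at all. The pipeline code producing this JSON is outside this chunk, so I cannot confirm where the mapping goes wrong; the same shape appears in statement-2-expected.json below (cut off in this chunk), whose source `kbmsr2019/2/statement.yaml` shows `jackson-databind@2.1.1` as `affected: true` yet the JSON lists it as `"fixed_version_range": "2.1.1"`.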
@@ -0,0 +1,966 @@ +[ + { + "advisory_id": "CVE-2019-16942", + "aliases": [], + "summary": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", + "affected_packages": [ + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": 
"jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.1.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.3.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": 
"", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.5.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": 
null, + "fixed_version_range": "2.7.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.8" + }, + { + 
"package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0.pr3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.0.pr4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11.3" + }, + { + "package": { + "type": "maven", + 
"namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.10" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.8.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.11" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + 
"name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.2.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.10" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + 
"qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.4.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + 
"affected_version_range": null, + "fixed_version_range": "2.6.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.6" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.8" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.7" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.0.0" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.6.7.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + 
"fixed_version_range": "2.7.9.5" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.3" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.4" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.1" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.7.9.2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.8.0.rc2" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.9" + }, + { + "package": { + "type": "maven", + "namespace": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "2.9.8" + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac" + }, + { + "reference_id": "", + "reference_type": "", + "url": 
"https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8" + } + ], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/kbmsr2019/statement-3-expected.json b/vulnerabilities/tests/test_data/kbmsr2019/statement-3-expected.json new file mode 100644 index 000000000..1e25dd5fd --- /dev/null +++ b/vulnerabilities/tests/test_data/kbmsr2019/statement-3-expected.json @@ -0,0 +1,19 @@ +[ + { + "advisory_id": "CVE-2019-1020012", + "aliases": [], + "summary": "parse-server before 3.4.1 allows DoS after any POST to a volatile class.", + "affected_packages": [], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://github.com/parse-community/parse-server/commit/8709daf698ea69b59268cb66f0f7cee75b52daa5" + } + ], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_msr2019.py b/vulnerabilities/tests/test_msr2019.py index 16696dd71..c75887e55 100644 --- a/vulnerabilities/tests/test_msr2019.py +++ b/vulnerabilities/tests/test_msr2019.py @@ -26,7 +26,7 @@ def test_data_fetch(mock_value): def test_kbmsr_to_advisories(): - TEST_DATA = os.path.join(TEST_DIR, "test_msr_data.csv") + TEST_DATA = os.path.join(TEST_DIR, "MSR2019", "dataset", "vulas_db_msr2019_release.csv") with open(TEST_DATA) as f: lines = [l for l in f.readlines()] test_data = csv.reader(lines)
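Review bot: The expected fixture for CVE-2019-16942 in statement-2-expected.json pins contradictory data: every entry has `"affected_version_range": null` while `"fixed_version_range"` is set to versions the advisory summary itself describes as vulnerable, including `"2.0.0"` and `"2.9.10"` ("jackson-databind 2.0.0 through 2.9.10" is affected). Recording an affected version as fixed would cause the matcher to report those packages as patched, which is a false negative for the consumer of this data, so the test should not lock that behaviour in. It looks like the importer maps each version listed in the Project KB statement straight to a fixed version, presumably the artifact list rather than the versions that actually contain the three fix commits referenced under `references_v2`; that mapping should be confirmed against the statement format before the fixture is accepted, with vulnerable versions emitted under `affected_version_range` and only the patched versions under `fixed_version_range`. The values also look like bare version strings rather than `vers:` ranges, which is worth checking against what `fixed_version_range` is expected to hold.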