diff --git a/fixtures/locks-e2e/1-Gemfile.lock.out.txt b/fixtures/locks-e2e/1-Gemfile.lock.out.txt index 6012e1dd..b22403d6 100644 --- a/fixtures/locks-e2e/1-Gemfile.lock.out.txt +++ b/fixtures/locks-e2e/1-Gemfile.lock.out.txt @@ -13,6 +13,8 @@ fixtures/locks-e2e/1-Gemfile.lock: found 229 packages actionview@5.2.6 is affected by the following vulnerabilities: GHSA-ch3h-j2vf-95pv: XSS Vulnerability in Action View tag helpers (https://github.com/advisories/GHSA-ch3h-j2vf-95pv) GHSA-xp5h-f8jf-rc8q: rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements (https://github.com/advisories/GHSA-xp5h-f8jf-rc8q) + activeadmin@2.7.0 is affected by the following vulnerabilities: + GHSA-356j-hg45-x525: Potential CSV export data leak (https://github.com/advisories/GHSA-356j-hg45-x525) activerecord@5.2.6 is affected by the following vulnerabilities: GHSA-3hhc-qp5v-9p2j: Active Record RCE bug with Serialized Columns (https://github.com/advisories/GHSA-3hhc-qp5v-9p2j) GHSA-579w-22j4-4749: Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter (https://github.com/advisories/GHSA-579w-22j4-4749) 
@@ -69,6 +71,12 @@ fixtures/locks-e2e/1-Gemfile.lock: found 229 packages GHSA-mcvf-2q2m-x72m: Improper neutralization of data URIs may allow XSS in rails-html-sanitizer (https://github.com/advisories/GHSA-mcvf-2q2m-x72m) GHSA-pg8v-g4xq-hww9: Rails::Html::Sanitizer vulnerable to Cross-site Scripting (https://github.com/advisories/GHSA-pg8v-g4xq-hww9) GHSA-rrfc-7g8p-99q8: Possible XSS vulnerability with certain configurations of rails-html-sanitizer (https://github.com/advisories/GHSA-rrfc-7g8p-99q8) + resque@2.0.0 is affected by the following vulnerabilities: + GHSA-gc3j-vvwf-4rp8: Resque vulnerable to reflected XSS in resque-web failed and queues lists (https://github.com/advisories/GHSA-gc3j-vvwf-4rp8) + GHSA-r8xx-8vm8-x6wj: Resque vulnerable to Reflected Cross Site Scripting through pathnames (https://github.com/advisories/GHSA-r8xx-8vm8-x6wj) + GHSA-r9mq-m72x-257g: Resque vulnerable to reflected XSS in Queue Endpoint (https://github.com/advisories/GHSA-r9mq-m72x-257g) + resque-scheduler@4.4.0 is affected by the following vulnerabilities: + GHSA-9hmq-fm33-x4xx: Resque Scheduler Reflected XSS In Delayed Jobs View (https://github.com/advisories/GHSA-9hmq-fm33-x4xx) rexml@3.2.4 is affected by the following vulnerabilities: GHSA-8cr8-4vfw-mr7h: REXML round-trip instability (https://github.com/advisories/GHSA-8cr8-4vfw-mr7h) sinatra@2.1.0 is affected by the following vulnerabilities: @@ -77,4 +85,4 @@ fixtures/locks-e2e/1-Gemfile.lock: found 229 packages tzinfo@1.2.9 is affected by the following vulnerabilities: GHSA-5cm2-9h8c-rvfx: TZInfo relative path traversal vulnerability allows loading of arbitrary files (https://github.com/advisories/GHSA-5cm2-9h8c-rvfx) - 54 known vulnerabilities found in fixtures/locks-e2e/1-Gemfile.lock + 59 known vulnerabilities found in fixtures/locks-e2e/1-Gemfile.lock diff --git a/fixtures/locks-e2e/1-Pipfile.lock.out.txt b/fixtures/locks-e2e/1-Pipfile.lock.out.txt index 5bd7877e..cfd52bbc 100644 
--- a/fixtures/locks-e2e/1-Pipfile.lock.out.txt +++ b/fixtures/locks-e2e/1-Pipfile.lock.out.txt @@ -13,6 +13,7 @@ fixtures/locks-e2e/1-Pipfile.lock: found 114 packages GHSA-xqr8-7jwr-rhp7: Removal of e-Tugra root certificate (https://github.com/advisories/GHSA-xqr8-7jwr-rhp7) cryptography@41.0.1 is affected by the following vulnerabilities: GHSA-cf7p-gm2m-833m: cryptography mishandles SSH certificates (https://github.com/advisories/GHSA-cf7p-gm2m-833m) + GHSA-jfhm-5ghh-2f97: cryptography vulnerable to NULL-dereference when loading PKCS7 certificates (https://github.com/advisories/GHSA-jfhm-5ghh-2f97) GHSA-jm77-qphf-c4w8: pyca/cryptography's wheels include vulnerable OpenSSL (https://github.com/advisories/GHSA-jm77-qphf-c4w8) GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels (https://github.com/advisories/GHSA-v8gr-m533-ghj9) pillow@8.4.0 is affected by the following vulnerabilities: @@ -40,4 +41,4 @@ fixtures/locks-e2e/1-Pipfile.lock: found 114 packages GHSA-5286-f2rf-35c2: Wagtail vulnerable to stored Cross-site Scripting attack via ModelAdmin views (https://github.com/advisories/GHSA-5286-f2rf-35c2) GHSA-fc75-58r8-rm3h: Wagtail vulnerable to disclosure of user names via admin bulk action views (https://github.com/advisories/GHSA-fc75-58r8-rm3h) - 25 known vulnerabilities found in fixtures/locks-e2e/1-Pipfile.lock + 26 known vulnerabilities found in fixtures/locks-e2e/1-Pipfile.lock diff --git a/fixtures/locks-e2e/1-poetry.lock.out.txt b/fixtures/locks-e2e/1-poetry.lock.out.txt index 287b4809..c94e4709 100644 --- a/fixtures/locks-e2e/1-poetry.lock.out.txt +++ b/fixtures/locks-e2e/1-poetry.lock.out.txt 
@@ -5,6 +5,7 @@ fixtures/locks-e2e/1-poetry.lock: found 142 packages Using db PyPI (%% vulnerabilities, including withdrawn - last updated %%) cryptography@41.0.2 is affected by the following vulnerabilities: + GHSA-jfhm-5ghh-2f97: cryptography vulnerable to NULL-dereference when loading PKCS7 certificates (https://github.com/advisories/GHSA-jfhm-5ghh-2f97) GHSA-jm77-qphf-c4w8: pyca/cryptography's wheels include vulnerable OpenSSL (https://github.com/advisories/GHSA-jm77-qphf-c4w8) GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels (https://github.com/advisories/GHSA-v8gr-m533-ghj9) django@3.2 is affected by the following vulnerabilities: @@ -23,8 +24,8 @@ fixtures/locks-e2e/1-poetry.lock: found 142 packages GHSA-p64x-8rxx-wf6q: Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection (https://github.com/advisories/GHSA-p64x-8rxx-wf6q) GHSA-p99v-5w3c-jqq9: Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks (https://github.com/advisories/GHSA-p99v-5w3c-jqq9) GHSA-q2jf-h9jm-m7p4: Django contains Uncontrolled Resource Consumption via cached header (https://github.com/advisories/GHSA-q2jf-h9jm-m7p4) - GHSA-qmf9-6jqf-j8fq: Django potential denial of service vulnerability in UsernameField on Windows (https://github.com/advisories/GHSA-qmf9-6jqf-j8fq) GHSA-qm57-vhq3-3fwf: Header injection possible in Django (https://github.com/advisories/GHSA-qm57-vhq3-3fwf) + GHSA-qmf9-6jqf-j8fq: Django potential denial of service vulnerability in UsernameField on Windows (https://github.com/advisories/GHSA-qmf9-6jqf-j8fq) GHSA-qrw5-5h28-6cmg: Django denial-of-service vulnerability in internationalized URLs (https://github.com/advisories/GHSA-qrw5-5h28-6cmg) GHSA-r3xc-prgr-mg9p: Django bypasses validation when using one form field to upload multiple files (https://github.com/advisories/GHSA-r3xc-prgr-mg9p) GHSA-rxjp-mfm9-w4wr: Path Traversal in Django (https://github.com/advisories/GHSA-rxjp-mfm9-w4wr) 
@@ -51,4 +52,4 @@ fixtures/locks-e2e/1-poetry.lock: found 142 packages GHSA-fc75-58r8-rm3h: Wagtail vulnerable to disclosure of user names via admin bulk action views (https://github.com/advisories/GHSA-fc75-58r8-rm3h) GHSA-xqxm-2rpm-3889: Comment reply notifications sent to incorrect users (https://github.com/advisories/GHSA-xqxm-2rpm-3889) - 41 known vulnerabilities found in fixtures/locks-e2e/1-poetry.lock + 42 known vulnerabilities found in fixtures/locks-e2e/1-poetry.lock diff --git a/fixtures/locks-e2e/1-yarn.lock.out.txt b/fixtures/locks-e2e/1-yarn.lock.out.txt index d493dbfb..1c08d20f 100644 --- a/fixtures/locks-e2e/1-yarn.lock.out.txt +++ b/fixtures/locks-e2e/1-yarn.lock.out.txt @@ -26,7 +26,7 @@ fixtures/locks-e2e/1-yarn.lock: found 1678 packages eventsource@1.1.0 is affected by the following vulnerabilities: GHSA-6h5x-7c5m-7cr7: Exposure of Sensitive Information in eventsource (https://github.com/advisories/GHSA-6h5x-7c5m-7cr7) glob-parent@3.1.0 is affected by the following vulnerabilities: - GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) + GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) gsap@2.0.2 is affected by the following vulnerabilities: GHSA-6g8v-hpgw-h2v7: Prototype pollution in gsap (https://github.com/advisories/GHSA-6g8v-hpgw-h2v7) json5@1.0.1 is affected by the following vulnerabilities: diff --git a/fixtures/locks-e2e/2-go.mod.out.txt b/fixtures/locks-e2e/2-go.mod.out.txt index 56b88e94..5d0fc92d 100644 --- a/fixtures/locks-e2e/2-go.mod.out.txt +++ b/fixtures/locks-e2e/2-go.mod.out.txt 
@@ -18,6 +18,7 @@ fixtures/locks-e2e/2-go.mod: found 73 packages GHSA-x24g-9w7v-vprh: HashiCorp go-getter command injection (https://github.com/advisories/GHSA-x24g-9w7v-vprh) GO-2022-0586: Resource exhaustion in github.com/hashicorp/go-getter and related modules golang.org/x/crypto@0.0.0-20210421170649-83a5a9bb288b is affected by the following vulnerabilities: + GHSA-45x7-px36-x8w8: Russh vulnerable to Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC (https://github.com/advisories/GHSA-45x7-px36-x8w8) GHSA-8c26-wmh5-6g9v: golang.org/x/crypto/ssh Denial of service via crafted Signer (https://github.com/advisories/GHSA-8c26-wmh5-6g9v) GHSA-gwc9-m7rh-j2ww: x/crypto/ssh vulnerable to panic via malformed packets (https://github.com/advisories/GHSA-gwc9-m7rh-j2ww) golang.org/x/net@0.0.0-20210326060303-6b1517762897 is affected by the following vulnerabilities: @@ -26,6 +27,7 @@ fixtures/locks-e2e/2-go.mod: found 73 packages GHSA-69cg-p879-7622: golang.org/x/net/http2 Denial of Service vulnerability (https://github.com/advisories/GHSA-69cg-p879-7622) GHSA-83g2-8m93-v3w7: golang.org/x/net/html Infinite Loop vulnerability (https://github.com/advisories/GHSA-83g2-8m93-v3w7) GHSA-h86h-8ppg-mxmh: golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion (https://github.com/advisories/GHSA-h86h-8ppg-mxmh) + GHSA-qppj-fm5r-hxr3: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack (https://github.com/advisories/GHSA-qppj-fm5r-hxr3) GHSA-vvpx-j8f3-3w6h: Uncontrolled Resource Consumption (https://github.com/advisories/GHSA-vvpx-j8f3-3w6h) GO-2022-0288: Unbounded memory growth in net/http and golang.org/x/net/http2 GO-2022-1144: Excessive memory growth in net/http and golang.org/x/net/http2 
@@ -38,4 +40,4 @@ fixtures/locks-e2e/2-go.mod: found 73 packages GHSA-m425-mq94-257g: gRPC-Go HTTP/2 Rapid Reset vulnerability (https://github.com/advisories/GHSA-m425-mq94-257g) GHSA-qppj-fm5r-hxr3: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack (https://github.com/advisories/GHSA-qppj-fm5r-hxr3) - 25 known vulnerabilities found in fixtures/locks-e2e/2-go.mod + 27 known vulnerabilities found in fixtures/locks-e2e/2-go.mod diff --git a/fixtures/locks-e2e/2-package-lock.json.out.txt b/fixtures/locks-e2e/2-package-lock.json.out.txt index 8485394b..ea319885 100644 --- a/fixtures/locks-e2e/2-package-lock.json.out.txt +++ b/fixtures/locks-e2e/2-package-lock.json.out.txt @@ -33,7 +33,7 @@ fixtures/locks-e2e/2-package-lock.json: found 1468 packages GHSA-74fj-2j2h-c42q: Exposure of sensitive information in follow-redirects (https://github.com/advisories/GHSA-74fj-2j2h-c42q) GHSA-pw2r-vq6v-hr8c: Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects (https://github.com/advisories/GHSA-pw2r-vq6v-hr8c) glob-parent@3.1.0 is affected by the following vulnerabilities: - GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) + GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) jsdom@11.12.0 is affected by the following vulnerabilities: GHSA-f4c9-cqv8-9v98: Insufficient Granularity of Access Control in JSDom (https://github.com/advisories/GHSA-f4c9-cqv8-9v98) jsdom@13.2.0 is affected by the following vulnerabilities: diff --git a/fixtures/locks-e2e/2-poetry.lock.out.txt b/fixtures/locks-e2e/2-poetry.lock.out.txt index adc12af8..359fc124 100644 --- a/fixtures/locks-e2e/2-poetry.lock.out.txt +++ b/fixtures/locks-e2e/2-poetry.lock.out.txt 
@@ -8,6 +8,7 @@ fixtures/locks-e2e/2-poetry.lock: found 143 packages PYSEC-2020-220: A flaw was found in Ansible Base when using the aws_ssm connection plugin as... PYSEC-2021-125: A flaw was found in Ansible where the secret information present in async_files... cryptography@41.0.3 is affected by the following vulnerabilities: + GHSA-jfhm-5ghh-2f97: cryptography vulnerable to NULL-dereference when loading PKCS7 certificates (https://github.com/advisories/GHSA-jfhm-5ghh-2f97) GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels (https://github.com/advisories/GHSA-v8gr-m533-ghj9) django@3.2.20 is affected by the following vulnerabilities: GHSA-7h4p-27mh-hmrw: Django Denial of service vulnerability in django.utils.encoding.uri_to_iri (https://github.com/advisories/GHSA-7h4p-27mh-hmrw) @@ -26,4 +27,4 @@ fixtures/locks-e2e/2-poetry.lock: found 143 packages GHSA-5286-f2rf-35c2: Wagtail vulnerable to stored Cross-site Scripting attack via ModelAdmin views (https://github.com/advisories/GHSA-5286-f2rf-35c2) GHSA-fc75-58r8-rm3h: Wagtail vulnerable to disclosure of user names via admin bulk action views (https://github.com/advisories/GHSA-fc75-58r8-rm3h) - 15 known vulnerabilities found in fixtures/locks-e2e/2-poetry.lock + 16 known vulnerabilities found in fixtures/locks-e2e/2-poetry.lock diff --git a/fixtures/locks-e2e/2-pom.xml.out.txt b/fixtures/locks-e2e/2-pom.xml.out.txt index c767ec0c..630185e5 100644 --- a/fixtures/locks-e2e/2-pom.xml.out.txt +++ b/fixtures/locks-e2e/2-pom.xml.out.txt 
@@ -19,5 +19,6 @@ fixtures/locks-e2e/2-pom.xml: found 8 packages GHSA-7c2q-5qmr-v76q: DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998 (https://github.com/advisories/GHSA-7c2q-5qmr-v76q) GHSA-8m5h-hrqm-pxm2: Path traversal in the OWASP Enterprise Security API (https://github.com/advisories/GHSA-8m5h-hrqm-pxm2) GHSA-q77q-vx4q-xx6q: Cross-site Scripting in org.owasp.esapi:esapi (https://github.com/advisories/GHSA-q77q-vx4q-xx6q) + GHSA-r68h-jhhj-9jvm: Validator.isValidSafeHTML is being deprecated and will be deleted from org.owasp.esapi:esapi in 1 year (https://github.com/advisories/GHSA-r68h-jhhj-9jvm) - 12 known vulnerabilities found in fixtures/locks-e2e/2-pom.xml + 13 known vulnerabilities found in fixtures/locks-e2e/2-pom.xml diff --git a/fixtures/locks-e2e/2-yarn.lock.out.txt b/fixtures/locks-e2e/2-yarn.lock.out.txt index 67e3a38e..7ce14873 100644 --- a/fixtures/locks-e2e/2-yarn.lock.out.txt +++ b/fixtures/locks-e2e/2-yarn.lock.out.txt 
@@ -45,9 +45,9 @@ fixtures/locks-e2e/2-yarn.lock: found 1991 packages get-func-name@2.0.0 is affected by the following vulnerabilities: GHSA-4q6p-r6v2-jvc5: Chaijs/get-func-name vulnerable to ReDoS (https://github.com/advisories/GHSA-4q6p-r6v2-jvc5) glob-parent@3.1.0 is affected by the following vulnerabilities: - GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) + GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) glob-parent@5.1.1 is affected by the following vulnerabilities: - GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) + GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) highlight.js@10.1.2 is affected by the following vulnerabilities: GHSA-7wwv-vh3v-89cq: ReDOS vulnerabities: multiple grammars (https://github.com/advisories/GHSA-7wwv-vh3v-89cq) is-svg@3.0.0 is affected by the following vulnerabilities: diff --git a/fixtures/locks-e2e/3-yarn.lock.out.txt b/fixtures/locks-e2e/3-yarn.lock.out.txt index 103a76a0..83e439b8 100644 --- a/fixtures/locks-e2e/3-yarn.lock.out.txt +++ b/fixtures/locks-e2e/3-yarn.lock.out.txt 
@@ -17,7 +17,7 @@ fixtures/locks-e2e/3-yarn.lock: found 1225 packages decode-uri-component@0.2.0 is affected by the following vulnerabilities: GHSA-w573-4hg7-7wgq: decode-uri-component vulnerable to Denial of Service (DoS) (https://github.com/advisories/GHSA-w573-4hg7-7wgq) glob-parent@3.1.0 is affected by the following vulnerabilities: - GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) + GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) got@6.7.1 is affected by the following vulnerabilities: GHSA-pfrx-2q88-qq97: Got allows a redirect to a UNIX socket (https://github.com/advisories/GHSA-pfrx-2q88-qq97) hosted-git-info@2.8.8 is affected by the following vulnerabilities:
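Review bot: in the 2-go.mod hunks, the two advisories newly attached to golang.org/x/crypto and golang.org/x/net carry titles naming packages from other ecosystems (GHSA-45x7-px36-x8w8 "Russh vulnerable to Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC" and GHSA-qppj-fm5r-hxr3 "swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack"), and GHSA-qppj-fm5r-hxr3 already appears under a later package in the same file. Before accepting the 25 to 27 count, confirm these are genuine multi-package advisories whose affected ranges include the pinned Go pseudo-versions, rather than an alias or cross-ecosystem match the detector should be filtering out; a sentence in the PR description recording that check would save the next fixture refresh from repeating it.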
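Review bot: in the 2-pom.xml hunk, the added GHSA-r68h-jhhj-9jvm is a deprecation notice for Validator.isValidSafeHTML rather than a defect in the pinned esapi version, yet it raises the "known vulnerabilities found" total from 12 to 13. That matches the db header shown in the poetry fixtures ("including withdrawn"), so every advisory record is counted, but it should be stated in the test description so nobody reads these totals as a count of exploitable findings.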
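Review bot: the @@ -23,8 +24,8 hunk of 1-poetry.lock.out.txt only moves GHSA-qmf9-6jqf-j8fq below GHSA-qm57-vhq3-3fwf; the new order is the byte-wise one ("5" sorts before "f"), so the previous snapshot was out of order. Please say in the commit message whether this comes from a sort fix in the detector or from regenerating the fixture, since a pure reorder with no count change is easy to mistake for one advisory being dropped and another added.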
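Review bot: the glob-parent hunks in 1-yarn.lock, 2-package-lock.json, 2-yarn.lock and 3-yarn.lock change only the advisory title (the "before 5.1.2" qualifier on GHSA-ww39-953v-wcq6 is dropped) with no change to matched versions or totals, so they are upstream title edits propagating into the snapshots. Advisory titles are mutable and will keep producing churn like this; consider asserting on the advisory id and URL in the e2e fixtures and treating the title as informational, or at least splitting title-only refreshes into their own commit so that count changes stay reviewable.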
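Review bot: the per-file totals agree with the added lines (1-Gemfile.lock gains activeadmin, three resque and one resque-scheduler advisories for 54 to 59; 1-Pipfile.lock, 1-poetry.lock, 2-poetry.lock and 2-pom.xml each gain one; 2-go.mod gains two). One thing to verify rather than assume: GHSA-jfhm-5ghh-2f97 now matches cryptography at 41.0.1, 41.0.2 and 41.0.3 across the three Python fixtures, which is only correct if the advisory's fixed version lies above 41.0.3; a quick check against the advisory page linked in the hunk settles it.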