Acasă Explorează Ajutor
Înregistrare Autentificare
ben
/
be-ytb
1
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Ramură: master
Ramuri Etichete
be-ytb
/
js
/
node_modules
/
aws-sdk
/
apis
/
inspector-scan-2023-08-08.examples.json

inspector-scan-2023-08-08.examples.json 6.4 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. {
    2. 

  2.   "version": "1.0",
    3. 

  3.   "examples": {
    4. 

  4.     "ScanSbom": [
    5. 

  5.       {
    6. 

  6.         "input": {
    7. 

  7.           "outputFormat": "CYCLONE_DX_1_5",
    8. 

  8.           "sbom": {
    9. 

  9.             "bomFormat": "CycloneDX",
    10. 

  10.             "components": [
    11. 

  11.               {
    12. 

  12.                 "name": "log4j-core",
    13. 

  13.                 "type": "library",
    14. 

  14.                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"
    15. 

  15.               }
    16. 

  16.             ],
    17. 

  17.             "specVersion": "1.5"
    18. 

  18.           }
    19. 

  19.         },
    20. 

  20.         "output": {
    21. 

  21.           "sbom": {
    22. 

  22.             "metadata": {
    23. 

  23.               "properties": [
    24. 

  24.                 {
    25. 

  25.                   "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
    26. 

  26.                   "value": "0"
    27. 

  27.                 },
    28. 

  28.                 {
    29. 

  29.                   "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
    30. 

  30.                   "value": "0"
    31. 

  31.                 },
    32. 

  32.                 {
    33. 

  33.                   "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
    34. 

  34.                   "value": "1"
    35. 

  35.                 },
    36. 

  36.                 {
    37. 

  37.                   "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
    38. 

  38.                   "value": "0"
    39. 

  39.                 }
    40. 

  40.               ],
    41. 

  41.               "timestamp": "2023-11-16T02:55:34.355Z",
    42. 

  42.               "tools": [
    43. 

  43.                 {
    44. 

  44.                   "version": "9f8c30ff+20b2305b",
    45. 

  45.                   "name": "CycloneDX SBOM API",
    46. 

  46.                   "vendor": "Amazon Inspector"
    47. 

  47.                 }
    48. 

  48.               ]
    49. 

  49.             },
    50. 

  50.             "bomFormat": "CycloneDX",
    51. 

  51.             "components": [
    52. 

  52.               {
    53. 

  53.                 "name": "log4j-core",
    54. 

  54.                 "type": "library",
    55. 

  55.                 "bom-ref": "comp-1",
    56. 

  56.                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"
    57. 

  57.               }
    58. 

  58.             ],
    59. 

  59.             "serialNumber": "urn:uuid:26de5e0a-deb4-4b38-a208-7d19c1832e8c",
    60. 

  60.             "specVersion": "1.5",
    61. 

  61.             "vulnerabilities": [
    62. 

  62.               {
    63. 

  63.                 "advisories": [
    64. 

  64.                   {
    65. 

  65.                     "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    66. 

  66.                   },
    67. 

  67.                   {
    68. 

  68.                     "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
    69. 

  69.                   },
    70. 

  70.                   {
    71. 

  71.                     "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
    72. 

  72.                   },
    73. 

  73.                   {
    74. 

  74.                     "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
    75. 

  75.                   },
    76. 

  76.                   {
    77. 

  77.                     "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
    78. 

  78.                   },
    79. 

  79.                   {
    80. 

  80.                     "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    81. 

  81.                   },
    82. 

  82.                   {
    83. 

  83.                     "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    84. 

  84.                   },
    85. 

  85.                   {
    86. 

  86.                     "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
    87. 

  87.                   },
    88. 

  88.                   {
    89. 

  89.                     "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
    90. 

  90.                   },
    91. 

  91.                   {
    92. 

  92.                     "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
    93. 

  93.                   }
    94. 

  94.                 ],
    95. 

  95.                 "affects": [
    96. 

  96.                   {
    97. 

  97.                     "ref": "comp-1"
    98. 

  98.                   }
    99. 

  99.                 ],
    100. 

  100.                 "bom-ref": "vuln-1",
    101. 

  101.                 "created": "2021-12-28T20:15:08Z",
    102. 

  102.                 "cwes": [
    103. 

  103.                   20,
    104. 

  104.                   74
    105. 

  105.                 ],
    106. 

  106.                 "description": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.",
    107. 

  107.                 "id": "CVE-2021-44832",
    108. 

  108.                 "properties": [
    109. 

  109.                   {
    110. 

  110.                     "name": "amazon:inspector:sbom_scanner:exploit_available",
    111. 

  111.                     "value": "true"
    112. 

  112.                   },
    113. 

  113.                   {
    114. 

  114.                     "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
    115. 

  115.                     "value": "2023-01-02T00:00:00Z"
    116. 

  116.                   },
    117. 

  117.                   {
    118. 

  118.                     "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
    119. 

  119.                     "value": "2.17.1"
    120. 

  120.                   }
    121. 

  121.                 ],
    122. 

  122.                 "ratings": [
    123. 

  123.                   {
    124. 

  124.                     "method": "CVSSv31",
    125. 

  125.                     "score": 6.5,
    126. 

  126.                     "severity": "medium",
    127. 

  127.                     "source": {
    128. 

  128.                       "name": "NVD",
    129. 

  129.                       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832"
    130. 

  130.                     },
    131. 

  131.                     "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
    132. 

  132.                   },
    133. 

  133.                   {
    134. 

  134.                     "method": "other",
    135. 

  135.                     "score": 0.02686,
    136. 

  136.                     "severity": "none",
    137. 

  137.                     "source": {
    138. 

  138.                       "name": "EPSS",
    139. 

  139.                       "url": "https://www.first.org/epss/"
    140. 

  140.                     },
    141. 

  141.                     "vector": "model:v2023.03.01,date:2023-11-15T00:00:00+0000"
    142. 

  142.                   }
    143. 

  143.                 ],
    144. 

  144.                 "references": [
    145. 

  145.                   {
    146. 

  146.                     "id": "GHSA-8489-44mv-ggj8",
    147. 

  147.                     "source": {
    148. 

  148.                       "name": "GITHUB_SEC",
    149. 

  149.                       "url": "https://github.com/advisories"
    150. 

  150.                     }
    151. 

  151.                   },
    152. 

  152.                   {
    153. 

  153.                     "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
    154. 

  154.                     "source": {
    155. 

  155.                       "name": "SNYK",
    156. 

  156.                       "url": "https://security.snyk.io/vuln"
    157. 

  157.                     }
    158. 

  158.                   }
    159. 

  159.                 ],
    160. 

  160.                 "source": {
    161. 

  161.                   "name": "NVD",
    162. 

  162.                   "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832"
    163. 

  163.                 },
    164. 

  164.                 "updated": "2023-11-07T03:39:43Z"
    165. 

  165.               }
    166. 

  166.             ]
    167. 

  167.           }
    168. 

  168.         },
    169. 

  169.         "id": "example-1",
    170. 

  170.         "title": "Sample ScanSbom Call"
    171. 

  171.       }
    172. 

  172.     ]
    173. 

  173.   }
    174. 

  174. }
    175.