diff --git a/go.mod b/go.mod
index 5510199..518b155 100644
--- a/go.mod
+++ b/go.mod
@@ -7,18 +7,18 @@ require (
 github.com/google/go-github/v59 v59.0.0
 github.com/hashicorp/go-version v1.7.0
 github.com/olekukonko/tablewriter v0.0.5
- github.com/open-policy-agent/opa v0.67.0
+ github.com/open-policy-agent/opa v0.68.0
 github.com/owenrumney/go-sarif/v2 v2.3.3
 github.com/package-url/packageurl-go v0.1.3
 github.com/rs/zerolog v1.33.0
- github.com/schollz/progressbar/v3 v3.14.5
- github.com/shurcooL/githubv4 v0.0.0-20240429030203-be2daab69064
+ github.com/schollz/progressbar/v3 v3.15.0
+ github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
 github.com/spf13/cobra v1.8.1
 github.com/spf13/viper v1.19.0
 github.com/stretchr/testify v1.9.0
- github.com/xanzy/go-gitlab v0.107.0
- golang.org/x/oauth2 v0.21.0
- golang.org/x/sync v0.7.0
+ github.com/xanzy/go-gitlab v0.109.0
+ golang.org/x/oauth2 v0.23.0
+ golang.org/x/sync v0.8.0
 gopkg.in/yaml.v3 v3.0.1
 )
@@ -43,40 +43,41 @@ require (
 github.com/magiconair/properties v1.8.7 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
- github.com/mattn/go-runewidth v0.0.15 // indirect
+ github.com/mattn/go-runewidth v0.0.16 // indirect
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
- github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.19.1 // indirect
+ github.com/prometheus/client_golang v1.20.3 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.53.0 // indirect
- github.com/prometheus/procfs v0.14.0 // indirect
+ github.com/prometheus/common v0.59.1 // indirect
+ github.com/prometheus/procfs v0.15.1 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 github.com/rivo/uniseg v0.4.7 // indirect
- github.com/sagikazarmark/locafero v0.4.0 // indirect
+ github.com/sagikazarmark/locafero v0.6.0 // indirect
 github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/sourcegraph/conc v0.3.0 // indirect
 github.com/spf13/afero v1.11.0 // indirect
- github.com/spf13/cast v1.6.0 // indirect
+ github.com/spf13/cast v1.7.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
- go.opentelemetry.io/otel v1.28.0 // indirect
- go.opentelemetry.io/otel/metric v1.28.0 // indirect
- go.opentelemetry.io/otel/sdk v1.28.0 // indirect
- go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/otel v1.30.0 // indirect
+ go.opentelemetry.io/otel/metric v1.30.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.30.0 // indirect
+ go.opentelemetry.io/otel/trace v1.30.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
- golang.org/x/sys v0.22.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/text v0.16.0 // indirect
- golang.org/x/time v0.5.0 // indirect
+ golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+ golang.org/x/sys v0.25.0 // indirect
+ golang.org/x/term v0.24.0 // indirect
+ golang.org/x/text v0.18.0 // indirect
+ golang.org/x/time v0.6.0 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index dfbb159..2e8630b 100644
--- a/go.sum
+++ b/go.sum
@@ -95,8 +95,8 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw= -github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4= -github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 
@@ -113,38 +113,40 @@ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= -github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= -github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/open-policy-agent/opa v0.67.0 h1:FOdsO9yNhfmrh+72oVK7ImWmzruG+VSpfbr5IBqEWVs= -github.com/open-policy-agent/opa v0.67.0/go.mod h1:aqKlHc8E2VAAylYE9x09zJYr/fYzGX+JKne89UGqFzk= +github.com/open-policy-agent/opa v0.68.0 
h1:Jl3U2vXRjwk7JrHmS19U3HZO5qxQRinQbJ2eCJYSqJQ= +github.com/open-policy-agent/opa v0.68.0/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU= github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= -github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= -github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod 
h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= -github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= -github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s= -github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ= +github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= +github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 
@@ -156,14 +158,14 @@ github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8= github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= -github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= +github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk= +github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= -github.com/schollz/progressbar/v3 v3.14.5 h1:97RrSxbBASxQuZN9yemnyGrFZ/swnG6IrEe2R0BseX8= -github.com/schollz/progressbar/v3 v3.14.5/go.mod h1:Nrzpuw3Nl0srLY0VlTvC4V6RL50pcEymjy6qyJAaLa0= -github.com/shurcooL/githubv4 v0.0.0-20240429030203-be2daab69064 h1:RCQBSFx5JrsbHltqTtJ+kN3U0Y3a/N/GlVdmRSoxzyE= -github.com/shurcooL/githubv4 v0.0.0-20240429030203-be2daab69064/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8= +github.com/schollz/progressbar/v3 v3.15.0 h1:cNZmcNiVyea6oofBTg80ZhVXxf3wG/JoAhqCCwopkQo= +github.com/schollz/progressbar/v3 v3.15.0/go.mod h1:ncBdc++eweU0dQoeZJ3loXoAc+bjaallHRIm8pVVeQM= +github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7 h1:cYCy18SHPKRkvclm+pWm1Lk4YrREb4IOIb/YdFO0p2M= +github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8= github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0= github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE= 
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= @@ -172,8 +174,8 @@ github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9yS github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -181,14 +183,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= 
@@ -197,8 +193,8 @@ github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BG github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= -github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y= -github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= +github.com/xanzy/go-gitlab v0.109.0 h1:RcRme5w8VpLXTSTTMZdVoQWY37qTJWg+gwdQl4aAttE= +github.com/xanzy/go-gitlab v0.109.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= 
@@ -210,54 +206,54 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 
h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod 
h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.5/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= +golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= 
@@ -265,8 +261,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c=
+google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/opa/opa_test.go b/opa/opa_test.go
index 0d803d5..1857080 100644
--- a/opa/opa_test.go
+++ b/opa/opa_test.go
@@ -67,6 +67,16 @@ func TestSemverConstraintCheck(t *testing.T) {
 version: "1.0.0",
 expected: true,
 },
+ {
+ constraint: "<=3.11.13",
+ version: "3.11.13",
+ expected: true,
+ },
+ {
+ constraint: "<=3.11.13",
+ version: "3.11.14",
+ expected: false,
+ },
 {
 constraint: ">=4.0.0,<4.4.1",
 version: "4",
diff --git a/opa/populate_build_platform_vuln_database_test.go b/opa/populate_build_platform_vuln_database_test.go
index 0aee2c7..3b1ff82 100644
--- a/opa/populate_build_platform_vuln_database_test.go
+++ b/opa/populate_build_platform_vuln_database_test.go
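Review bot: The two new table cases only pin the boundary of `<=3.11.13` (equal is true, one patch above is false); nothing in the hunk pins that a bare `<=` constraint has no lower bound, which is the property the generated advisory ranges in this change rely on, so a version from an earlier release line deserves its own case, e.g. `{constraint: "<=3.11.13", version: "3.10.99", expected: true}`. A pre-release or four-component input is also absent, though whether those matter depends on how the checker normalises versions, which is not visible here. The TestSemverConstraintCheck table starts and ends outside the hunk.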
@@ -48,9 +48,10 @@ type CVEData struct {
 Vendor string `json:"vendor"`
 Product string `json:"product"`
 Versions []struct {
- LessThan string `json:"lessThan"`
- Version string `json:"version"`
- VersionType string `json:"versionType"`
+ LessThan string `json:"lessThan"`
+ LessThanOrEqual string `json:"lessThanOrEqual"`
+ Version string `json:"version"`
+ VersionType string `json:"versionType"`
 }
 } `json:"affected"`
 Descriptions []struct {
@@ -65,6 +66,9 @@ type CVEData struct {
 CvssV31 struct {
 VectorString string `json:"vectorString"`
 } `json:"cvssV3_1"`
+ CvssV40 struct {
+ VectorString string `json:"vectorString"`
+ } `json:"cvssV4_0"`
 } `json:"metrics"`
 } `json:"cna"`
 } `json:"containers"`
@@ -99,17 +103,27 @@ func TransformCVEDataToAdvisories(cveData []CVEData) PlatformAdvisories {
 }
 for _, metric := range data.Containers.CNA.Metrics {
- cveItem.Severity = append(cveItem.Severity, Severity{
- Type: "CVSS_V3",
- Score: metric.CvssV31.VectorString,
- })
+ if metric.CvssV31.VectorString != "" {
+ cveItem.Severity = append(cveItem.Severity, Severity{
+ Type: "CVSS_V3",
+ Score: metric.CvssV31.VectorString,
+ })
+ } else if metric.CvssV40.VectorString != "" {
+ cveItem.Severity = append(cveItem.Severity, Severity{
+ Type: "CVSS_V4",
+ Score: metric.CvssV40.VectorString,
+ })
+ }
 }
 var versionRanges []string
 for _, version := range affected.Versions {
 if version.VersionType == "custom" || version.VersionType == "semver" {
- if version.LessThan != "" && version.Version != "" {
+ if version.LessThanOrEqual != "" {
+ versionRange := fmt.Sprintf("<=%s", version.LessThanOrEqual)
+ versionRanges = append(versionRanges, versionRange)
+ } else if version.LessThan != "" && version.Version != "" {
 versionRange := fmt.Sprintf(">=%s,<%s", version.Version, version.LessThan)
 versionRanges = append(versionRanges, versionRange)
 }
diff --git a/opa/rego/external/build_platform.rego b/opa/rego/external/build_platform.rego
index a0f83a0..f6244d5 100644
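Review bot: The new `lessThanOrEqual` branch in TransformCVEDataToAdvisories drops the lower bound that the sibling `lessThan` branch keeps, emitting `<=X` where the other emits `>=start,<X`; for a record whose affected entry is "3.12.0 through 3.12.5" that yields `<=3.12.5`, which also flags every 3.11.x and earlier, and even when every line is affected it produces overlapping ranges (`<=3.13.0` already covers `<=3.9.16`). If the upstream entries carry a start `version` next to `lessThanOrEqual`, as they must for the `lessThan` case to fire, the consistent form is `} else if version.LessThanOrEqual != "" && version.Version != "" {` with `versionRange := fmt.Sprintf(">=%s,<=%s", version.Version, version.LessThanOrEqual)`; if some records genuinely omit the start, keep the bare `<=` as a commented fallback rather than the default. Separately, neither the struct hunk nor this loop reads a per-entry status marker, so an entry the source marks as unaffected (if the input format has such a field) would be emitted as a vulnerable range — worth confirming against the data this is fed. TransformCVEDataToAdvisories begins before the hunk and continues past its last line.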
--- a/opa/rego/external/build_platform.rego
+++ b/opa/rego/external/build_platform.rego
@@ -465,7 +465,13 @@ advisories = {
 }],
 "cwe_ids": ["CWE-269"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.9.16",
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-5746": {
@@ -479,7 +485,12 @@ advisories = {
 }],
 "cwe_ids": ["CWE-918"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.9.15",
+ "<=3.10.12",
+ "<=3.11.10",
+ "<=3.12.4",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-5795": {
@@ -493,7 +504,13 @@ advisories = {
 }],
 "cwe_ids": ["CWE-400"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.9.16",
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-5815": {
@@ -502,12 +519,18 @@ advisories = {
 "aliases": [],
 "summary": "A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17.\n\n\n This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [{
- "type": "CVSS_V3",
- "score": "",
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/S:N/AU:N/R:U/RE:L/U:Amber",
 }],
 "cwe_ids": ["CWE-352"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.9.16",
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-5816": {
@@ -516,12 +539,18 @@ advisories = {
 "aliases": [],
 "summary": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [{
- "type": "CVSS_V3",
- "score": "",
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
 }],
 "cwe_ids": ["CWE-863"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ "<=3.9.16",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-5817": {
@@ -530,12 +559,18 @@ advisories = {
 "aliases": [],
 "summary": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [{
- "type": "CVSS_V3",
- "score": "",
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Amber",
 }],
 "cwe_ids": ["CWE-863"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ "<=3.9.16",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-6336": {
@@ -544,12 +579,37 @@ advisories = {
 "aliases": [],
 "summary": "A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [{
- "type": "CVSS_V3",
- "score": "",
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:N/R:U/U:Amber",
 }],
 "cwe_ids": ["CWE-200"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ "<=3.9.16",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-6337": {
+ "osv_id": "CVE-2024-6337",
+ "published": "2024-08-20T19:19:49.193Z",
+ "aliases": [],
+ "summary": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. 
This vulnerability was reported via the GitHub Bug Bounty program.",
+ "severity": [{
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/S:N",
+ }],
+ "cwe_ids": ["CWE-863"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ "<=3.10.15",
+ "<=3.11.14",
+ "<=3.12.7",
+ "<=3.13.2",
+ ],
 "vulnerable_commit_shas": [],
 },
 "CVE-2024-6395": {
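Review bot: CVE-2024-6337's `vulnerable_version_ranges` include `"<=3.11.14"`, but the summary in the same hunk says the issue was fixed in 3.11.14, so the fixed release is flagged as vulnerable; the sibling bounds (`"<=3.10.15"`, `"<=3.12.7"`, `"<=3.13.2"`) each stop one patch short of the fix listed in the summary, which suggests this line should read `"<=3.11.13"`. Separately, the summary string appears to carry a raw line break before "This vulnerability was reported", whereas the earlier entry in this file encodes breaks as `\n`; check whether a raw newline is valid in this file's string syntax or is only a rendering artefact of the diff.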
@@ -558,12 +618,55 @@ advisories = {
 "aliases": [],
 "summary": "An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [{
- "type": "CVSS_V3",
- "score": "",
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:C/RE:L/U:Amber",
 }],
 "cwe_ids": ["CWE-200"],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [],
+ "vulnerable_version_ranges": [
+ "<=3.10.13",
+ "<=3.11.11",
+ "<=3.12.5",
+ "<=3.13.0",
+ "<=3.9.16",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-6800": {
+ "osv_id": "CVE-2024-6800",
+ "published": "2024-08-20T19:21:31.409Z",
+ "aliases": [],
+ "summary": "An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. 
This vulnerability was reported via the GitHub Bug Bounty program.",
+ "severity": [{
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/R:U/V:C/RE:H/U:Red",
+ }],
+ "cwe_ids": ["CWE-347"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ "<=3.13.2",
+ "<=3.12.7",
+ "<=3.11.13",
+ "<=3.10.15",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7711": {
+ "osv_id": "CVE-2024-7711",
+ "published": "2024-08-20T19:17:37.776Z",
+ "aliases": [],
+ "summary": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program.",
+ "severity": [{
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber",
+ }],
+ "cwe_ids": ["CWE-863"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ "<=3.11.13",
+ "<=3.12.7",
+ "<=3.13.2",
+ ],
 "vulnerable_commit_shas": [],
 },
 },
@@ -937,11 +1040,7 @@ advisories = {
 }],
 "cwe_ids": [""],
 "vulnerable_versions": [],
- "vulnerable_version_ranges": [
- ">=10.8, <13.0.12",
- ">=13.1, <13.1.6",
- ">=13.2, <13.2.3",
- ],
+ "vulnerable_version_ranges": [">=10.8"],
 "vulnerable_commit_shas": [],
 },
 "CVE-2020-13284": {
@@ -9591,6 +9690,7 @@ advisories = {
 "cwe_ids": ["CWE-284"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
+ "<=16.4.3",
 ">=16.5,<16.5.4",
 ">=16.6,<16.6.2",
 ],
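Review bot: The `@@ -937` hunk replaces three bounded ranges with the single unbounded `">=10.8"`, which marks every release from 10.8 onward as vulnerable, including the 13.0.12 / 13.1.6 / 13.2.3 fix boundaries the removed lines recorded. If the goal was only to drop the `, <` spacing that the old entries used and the rest of the file does not, the equivalent bounded form is `">=10.8,<13.0.12"`, `">=13.1,<13.1.6"`, `">=13.2,<13.2.3"`; if the advisory genuinely has no fixed version, a short comment beside the entry would spare the next reader the same question. The enclosing entry starts outside the hunk, so its `osv_id` is not visible here.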
@@ -9815,7 +9915,7 @@ advisories = {
 "osv_id": "CVE-2023-3979",
 "published": "2023-09-29T06:02:06.310Z",
 "aliases": [],
- "summary": "An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch. ",
+ "summary": "An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch.",
 "severity": [{
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
@@ -10209,6 +10309,7 @@ advisories = {
 "cwe_ids": ["CWE-284"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
+ "<=16.2.7",
 ">=16.3,<16.3.5",
 ">=16.4,<16.4.1",
 ],
@@ -10664,12 +10765,12 @@ advisories = {
 "osv_id": "CVE-2023-6955",
 "published": "2024-01-12T13:56:31.881Z",
 "aliases": [],
- "summary": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
+ "summary": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.",
 "severity": [{
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
 }],
- "cwe_ids": ["CWE-284"],
+ "cwe_ids": ["CWE-863"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=0,<16.5.6",
@@ -10687,7 +10788,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
 }],
- "cwe_ids": ["CWE-284"],
+ "cwe_ids": ["CWE-640"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=16.1,<16.1.6",
@@ -10736,6 +10837,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-0231": {
+ "osv_id": "CVE-2024-0231",
+ "published": "2024-07-24T22:08:20.025Z",
+ "aliases": [],
+ "summary": "A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
+ }],
+ "cwe_ids": ["CWE-99"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=12.0,<17.0.5",
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-0402": {
 "osv_id": "CVE-2024-0402",
 "published": "2024-01-26T01:02:39.052Z",
@@ -10777,7 +10896,7 @@ advisories = {
 "osv_id": "CVE-2024-0456",
 "published": "2024-01-26T01:02:43.953Z",
 "aliases": [],
- "summary": "An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project ",
+ "summary": "An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project",
 "severity": [{
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
@@ -10899,7 +11018,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
 }],
- "cwe_ids": ["CWE-400"],
+ "cwe_ids": ["CWE-1333"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=9.2,<16.11.5",
@@ -10917,7 +11036,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
 }],
- "cwe_ids": ["CWE-400"],
+ "cwe_ids": ["CWE-1333"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=13.1,<16.10.7",
@@ -10953,7 +11072,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
 }],
- "cwe_ids": ["CWE-400"],
+ "cwe_ids": ["CWE-1333"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=15.8,<16.10.7",
@@ -11007,7 +11126,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
 }],
- "cwe_ids": ["CWE-400"],
+ "cwe_ids": ["CWE-1333"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=8.4,<16.10.7",
@@ -11124,6 +11243,42 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-2743": {
+ "osv_id": "CVE-2024-2743",
+ "published": "2024-09-12T16:57:23.260Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-863"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=13.3,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-2800": {
+ "osv_id": "CVE-2024-2800",
+ "published": "2024-08-08T10:31:37.860Z",
+ "aliases": [],
+ "summary": "ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-1333"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=11.3,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-2818": {
 "osv_id": "CVE-2024-2818",
 "published": "2024-03-28T07:17:48.930Z",
@@ -11196,6 +11351,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-3035": {
+ "osv_id": "CVE-2024-3035",
+ "published": "2024-08-08T10:31:32.879Z",
+ "aliases": [],
+ "summary": "A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-639"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=8.12,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-3092": {
 "osv_id": "CVE-2024-3092",
 "published": "2024-04-12T00:53:11.346Z",
@@ -11213,6 +11386,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-3114": {
+ "osv_id": "CVE-2024-3114",
+ "published": "2024-08-08T10:31:22.868Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ }],
+ "cwe_ids": ["CWE-1333"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=11.10,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-3115": {
 "osv_id": "CVE-2024-3115",
 "published": "2024-06-26T23:31:35.425Z",
@@ -11222,7 +11413,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
 }],
- "cwe_ids": ["CWE-200"],
+ "cwe_ids": ["CWE-862"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=16.0,<16.11.5",
@@ -11231,6 +11422,42 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-3127": {
+ "osv_id": "CVE-2024-3127",
+ "published": "2024-08-22T15:31:07.481Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
+ }],
+ "cwe_ids": ["CWE-284"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=12.5,<17.1.6",
+ ">=17.2,<17.2.4",
+ ">=17.3,<17.3.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-3958": {
+ "osv_id": "CVE-2024-3958",
+ "published": "2024-08-08T10:31:17.868Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ }],
+ "cwe_ids": ["CWE-94"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=0,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-3959": {
 "osv_id": "CVE-2024-3959",
 "published": "2024-06-26T23:31:25.425Z",
@@ -11276,7 +11503,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
 }],
- "cwe_ids": ["CWE-284"],
+ "cwe_ids": ["CWE-863"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=16.1,<16.11.5",
@@ -11321,6 +11548,78 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-4207": {
+ "osv_id": "CVE-2024-4207",
+ "published": "2024-08-08T10:31:12.873Z",
+ "aliases": [],
+ "summary": "A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
+ }],
+ "cwe_ids": ["CWE-79"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=5.1,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-4210": {
+ "osv_id": "CVE-2024-4210",
+ "published": "2024-08-08T10:02:29.806Z",
+ "aliases": [],
+ "summary": "A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-400"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=12.6,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-4283": {
+ "osv_id": "CVE-2024-4283",
+ "published": "2024-09-16T21:34:08.579Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. 
Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-601"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=11.1,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-4472": {
+ "osv_id": "CVE-2024-4472",
+ "published": "2024-09-12T18:26:38.059Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-532"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.5,<17.1.7",
+ ">=17.3,<17.3.2",
+ ">=17.2,<17.2.5",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-4539": {
 "osv_id": "CVE-2024-4539",
 "published": "2024-05-09T01:38:21.737Z",
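Review bot: CVE-2024-4472's `vulnerable_version_ranges` are written as `">=16.5,<17.1.7"`, `">=17.3,<17.3.2"`, `">=17.2,<17.2.5"`, out of version order, while the other three entries in this hunk list their ranges ascending; swapping the last two lines keeps the data consistent and makes a missing or duplicated range easier to spot on review. The summary of CVE-2024-4283 also appears to contain a raw line break after "17.3 before 17.3.2."; the rest of the file keeps each summary on one line, so confirm that this is a rendering artefact rather than a literal newline inside the string.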
@@ -11375,6 +11674,60 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-4612": {
+ "osv_id": "CVE-2024-4612",
+ "published": "2024-09-12T16:57:08.255Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-601"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=12.9,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-4660": {
+ "osv_id": "CVE-2024-4660",
+ "published": "2024-09-12T16:57:03.244Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. 
It was possible for a guest to read the source code of a private project by using group templates.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-862"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=11.2,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-4784": {
+ "osv_id": "CVE-2024-4784",
+ "published": "2024-08-08T10:02:19.809Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
+ }],
+ "cwe_ids": ["CWE-305"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.7,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-4835": {
 "osv_id": "CVE-2024-4835",
 "published": "2024-05-23T06:30:50.384Z",
@@ -11411,6 +11764,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-5067": {
+ "osv_id": "CVE-2024-5067",
+ "published": "2024-07-24T22:08:05.034Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-200"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.11,<17.0.5",
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-5257": {
 "osv_id": "CVE-2024-5257",
 "published": "2024-07-11T06:57:09.372Z",
@@ -11464,6 +11835,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-5423": {
+ "osv_id": "CVE-2024-5423",
+ "published": "2024-08-08T10:31:02.871Z",
+ "aliases": [],
+ "summary": "Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-400"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=1,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-5430": {
 "osv_id": "CVE-2024-5430",
 "published": "2024-06-26T23:30:50.436Z",
@@ -11482,6 +11871,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-5435": {
+ "osv_id": "CVE-2024-5435",
+ "published": "2024-09-12T16:56:58.445Z",
+ "aliases": [],
+ "summary": "An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-209"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=15.10,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-5469": {
 "osv_id": "CVE-2024-5469",
 "published": "2024-06-14T04:04:49.726Z",
@@ -11491,7 +11898,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
 }],
- "cwe_ids": ["CWE-400"],
+ "cwe_ids": ["CWE-754"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=16.10.0,<16.10.6",
@@ -11543,7 +11950,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
 }],
- "cwe_ids": ["CWE-653"],
+ "cwe_ids": ["CWE-863"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=16.11.0,<16.11.5",
@@ -11552,6 +11959,24 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-6329": {
+ "osv_id": "CVE-2024-6329",
+ "published": "2024-08-08T10:02:09.817Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-116"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=8.16,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-6385": {
 "osv_id": "CVE-2024-6385",
 "published": "2024-07-11T06:56:54.515Z",
@@ -11570,6 +11995,60 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-6389": {
+ "osv_id": "CVE-2024-6389",
+ "published": "2024-09-12T16:56:48.267Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-497"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=17.1,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-6446": {
+ "osv_id": "CVE-2024-6446",
+ "published": "2024-09-12T16:56:53.258Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. 
A crafted URL could be used to trick a victim to trust an attacker controlled application.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-840"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=17.1,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-6502": {
+ "osv_id": "CVE-2024-6502",
+ "published": "2024-08-22T15:30:52.480Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-684"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=8.2,<17.1.6",
+ ">=17.2,<17.2.4",
+ ">=17.3,<17.3.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 "CVE-2024-6595": {
 "osv_id": "CVE-2024-6595",
 "published": "2024-07-17T01:30:43.332Z",
@@ -11579,7 +12058,7 @@ advisories = {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
 }],
- "cwe_ids": ["CWE-427"],
+ "cwe_ids": ["CWE-451"],
 "vulnerable_versions": [],
 "vulnerable_version_ranges": [
 ">=11.8,<16.11.6",
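Review bot: CVE-2024-6389's summary says the issue affects "all versions starting with 17.0 before 17.1.7", but its first range is `">=17.1,<17.1.7"`, which leaves every 17.0.x release unmatched; either the range should be `">=17.0,<17.1.7"` or the summary is wrong, and the source advisory should settle which. The same summary-versus-range check applies to CVE-2024-6685 in the final, truncated hunk, whose middle range `">=17.3,<17.2.5"` has a lower bound above its upper bound and so can never match a version, while its summary reads "17.2 prior to 17.2.5" (i.e. `">=17.2,<17.2.5"`). Generated or hand-copied, these ranges are what the matcher acts on, so a quick consistency pass over lower bounds against the "starting from" text would catch both.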
@@ -11588,5 +12067,310 @@ advisories = {
 ],
 "vulnerable_commit_shas": [],
 },
+ "CVE-2024-6678": {
+ "osv_id": "CVE-2024-6678",
+ "published": "2024-09-12T18:26:33.060Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+ }],
+ "cwe_ids": ["CWE-290"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=8.14,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-6685": {
+ "osv_id": "CVE-2024-6685",
+ "published": "2024-09-16T21:33:58.732Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-639"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.7,<17.1.7",
+ ">=17.3,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7047": {
+ "osv_id": "CVE-2024-7047",
+ "published": "2024-07-25T00:30:40.657Z",
+ "aliases": [],
+ "summary": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-79"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.6,<17.0.5", 
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7057": {
+ "osv_id": "CVE-2024-7057",
+ "published": "2024-07-25T00:30:55.513Z",
+ "aliases": [],
+ "summary": "An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-284"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.7,<17.0.5",
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7060": {
+ "osv_id": "CVE-2024-7060",
+ "published": "2024-07-24T22:07:50.018Z",
+ "aliases": [],
+ "summary": "An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-200"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=15.4,<17.0.5",
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7091": {
+ "osv_id": "CVE-2024-7091",
+ "published": "2024-07-24T22:07:45.260Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-200"],
+ 
"vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=15.6,<17.0.5",
+ ">=17.1,<17.1.3",
+ ">=17.2,<17.2.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7110": {
+ "osv_id": "CVE-2024-7110",
+ "published": "2024-08-22T15:30:47.474Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-77"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=17.1,<17.1.6",
+ ">=17.2,<17.2.4",
+ ">=17.3,<17.3.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7554": {
+ "osv_id": "CVE-2024-7554",
+ "published": "2024-08-08T10:30:47.869Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-200"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=13.9,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-7610": {
+ "osv_id": "CVE-2024-7610",
+ "published": "2024-08-08T10:30:43.133Z",
+ "aliases": [],
+ "summary": "A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. 
It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ }],
+ "cwe_ids": ["CWE-400"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=15.9,<17.0.6",
+ ">=17.1,<17.1.4",
+ ">=17.2,<17.2.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8041": {
+ "osv_id": "CVE-2024-8041",
+ "published": "2024-08-22T15:30:37.643Z",
+ "aliases": [],
+ "summary": "A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-400"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=0,<17.1.6",
+ ">=17.2,<17.2.4",
+ ">=17.3,<17.3.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8124": {
+ "osv_id": "CVE-2024-8124",
+ "published": "2024-09-12T16:56:33.253Z",
+ "aliases": [],
+ "summary": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-1333"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.4,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8311": {
+ "osv_id": "CVE-2024-8311",
+ "published": "2024-09-12T18:27:24.446Z",
+ "aliases": [],
+ "summary": "An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior 
to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-424"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8631": {
+ "osv_id": "CVE-2024-8631",
+ "published": "2024-09-12T17:11:03.832Z",
+ "aliases": [],
+ "summary": "A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-267"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.6,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8635": {
+ "osv_id": "CVE-2024-8635",
+ "published": "2024-09-12T17:01:51.084Z",
+ "aliases": [],
+ "summary": "A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. 
It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
+ }],
+ "cwe_ids": ["CWE-918"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.8,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8640": {
+ "osv_id": "CVE-2024-8640",
+ "published": "2024-09-12T16:56:23.356Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
+ }],
+ "cwe_ids": ["CWE-77"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.11,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8641": {
+ "osv_id": "CVE-2024-8641",
+ "published": "2024-09-12T18:26:18.243Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. 
It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
+ }],
+ "cwe_ids": ["CWE-270"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=13.7,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-8754": {
+ "osv_id": "CVE-2024-8754",
+ "published": "2024-09-12T17:02:00.988Z",
+ "aliases": [],
+ "summary": "An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-642"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=16.9.7,<17.1.7",
+ ">=17.2,<17.2.5",
+ ">=17.3,<17.3.2",
+ ],
+ "vulnerable_commit_shas": [],
+ },
 },
 }
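Review bot: The second range for CVE-2024-6685 in this hunk, `">=17.3,<17.2.5",`, is unsatisfiable — no version is both at least 17.3 and below 17.2.5 — so every 17.2.x release the summary names as affected (17.2 prior to 17.2.5) would be reported as not vulnerable by this entry. The lower bound looks like a transcription slip from the line beneath it; it should read `">=17.2,<17.2.5",`, matching the pattern used by every other three-range entry in the hunk. Because an empty range fails silently rather than loudly, a test that asserts for every entry that each range's lower bound is below its upper bound, and that sibling ranges do not overlap, would catch this class of error at review time.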