-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create example.js #40
Conversation
Hey @itsarraj0test 👋, Thanks for contributing the new Pull Request !! Secrets Bot2024-10-08T07:20:26.6861156Z Current runner version: '2.320.0' 2024-10-08T07:20:26.6883654Z ##[group]Operating System 2024-10-08T07:20:26.6884421Z Ubuntu 2024-10-08T07:20:26.6884756Z 22.04.5 2024-10-08T07:20:26.6885038Z LTS 2024-10-08T07:20:26.6885441Z ##[endgroup] 2024-10-08T07:20:26.6885808Z ##[group]Runner Image 2024-10-08T07:20:26.6886194Z Image: ubuntu-22.04 2024-10-08T07:20:26.6886658Z Version: 20240922.1.0 2024-10-08T07:20:26.6887937Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240922.1/images/ubuntu/Ubuntu2204-Readme.md 2024-10-08T07:20:26.6889362Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240922.1 2024-10-08T07:20:26.6890313Z ##[endgroup] 2024-10-08T07:20:26.6890712Z ##[group]Runner Image Provisioner 2024-10-08T07:20:26.6891158Z 2.0.384.1 2024-10-08T07:20:26.6891559Z ##[endgroup] 2024-10-08T07:20:26.6905882Z ##[group]GITHUB_TOKEN Permissions 2024-10-08T07:20:26.6907646Z Issues: write 2024-10-08T07:20:26.6908085Z Metadata: read 2024-10-08T07:20:26.6908721Z PullRequests: write 2024-10-08T07:20:26.6909288Z ##[endgroup] 2024-10-08T07:20:26.6912140Z Secret source: Actions 2024-10-08T07:20:26.6912733Z Prepare workflow directory 2024-10-08T07:20:26.7531727Z Prepare all required actions 2024-10-08T07:20:26.7688397Z Getting action download info 2024-10-08T07:20:26.9930345Z Download action repository 'actions/checkout@v3' (SHA:f43a0e5ff2bd294095638e18286ca9a3d1956744) 2024-10-08T07:20:27.0881033Z Download action repository 'trufflesecurity/TruffleHog-Enterprise-Github-Action@main' (SHA:896eb9c43cebe80ae73e5aa5948595121ac7229c) 2024-10-08T07:20:27.5370423Z Complete job name: TruffleHog Bot scan 2024-10-08T07:20:27.5988998Z ##[group]Build container for action use: '/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main/Dockerfile'. 2024-10-08T07:20:27.6046153Z ##[command]/usr/bin/docker build -t 13d7dc:10b534e1478e4c749be83dbf064ad8db -f "/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main/Dockerfile" "/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main" 2024-10-08T07:20:28.1759536Z #0 building with "default" instance using docker driver 2024-10-08T07:20:28.1760272Z 2024-10-08T07:20:28.1760565Z #1 [internal] load build definition from Dockerfile 2024-10-08T07:20:28.1761410Z #1 transferring dockerfile: 153B done 2024-10-08T07:20:28.1762096Z #1 DONE 0.0s 2024-10-08T07:20:28.1762353Z 2024-10-08T07:20:28.1762932Z #2 [internal] load metadata for us-docker.pkg.dev/thog-artifacts/public/scanner:latest 2024-10-08T07:20:29.0956538Z #2 DONE 1.1s 2024-10-08T07:20:29.2120110Z 2024-10-08T07:20:29.2121079Z #3 [internal] load .dockerignore 2024-10-08T07:20:29.2122058Z #3 transferring context: 2B done 2024-10-08T07:20:29.2122773Z #3 DONE 0.0s 2024-10-08T07:20:29.2123174Z 2024-10-08T07:20:29.2123544Z #4 [internal] load build context 2024-10-08T07:20:29.2124419Z #4 transferring context: 112B done 2024-10-08T07:20:29.2125088Z #4 DONE 0.0s 2024-10-08T07:20:29.2125354Z 2024-10-08T07:20:29.2126145Z #5 [1/2] FROM us-docker.pkg.dev/thog-artifacts/public/scanner:latest@sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 2024-10-08T07:20:29.2128040Z #5 resolve us-docker.pkg.dev/thog-artifacts/public/scanner:latest@sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 done 2024-10-08T07:20:29.2129417Z #5 sha256:6d9d40a1eb71b3a08e69ca6dff5dc75a671389eacefdb46fe572b48990c1777f 1.16kB / 1.16kB done 2024-10-08T07:20:29.2130571Z #5 sha256:73e5984d21eba9ed309a98a73bea0f5005954f47397b7ebf5ee5fdfe62c1b2b3 1.84kB / 1.84kB done 2024-10-08T07:20:29.2131683Z #5 sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 0B / 3.63MB 0.1s 2024-10-08T07:20:29.2132751Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0B / 10.43MB 0.1s 2024-10-08T07:20:29.2133840Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 0B / 70.83MB 0.1s 2024-10-08T07:20:29.2134894Z #5 sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 743B / 743B done 2024-10-08T07:20:29.5125089Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 1.05MB / 10.43MB 0.4s 2024-10-08T07:20:29.7114790Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 10.43MB / 10.43MB 0.5s done 2024-10-08T07:20:29.7116926Z #5 sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 0B / 184B 0.6s 2024-10-08T07:20:29.8120623Z #5 sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 3.63MB / 3.63MB 0.6s done 2024-10-08T07:20:29.8124455Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 7.34MB / 70.83MB 0.7s 2024-10-08T07:20:29.8126681Z #5 extracting sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 2024-10-08T07:20:29.9732740Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 15.70MB / 70.83MB 0.8s 2024-10-08T07:20:29.9734420Z #5 sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 184B / 184B 0.7s done 2024-10-08T07:20:29.9736104Z #5 extracting sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 0.1s done 2024-10-08T07:20:29.9737780Z #5 extracting sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0.1s 2024-10-08T07:20:30.0761808Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 27.26MB / 70.83MB 0.9s 2024-10-08T07:20:30.2124511Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 50.33MB / 70.83MB 1.1s 2024-10-08T07:20:30.2126762Z #5 extracting sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0.2s done 2024-10-08T07:20:30.3480499Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 67.11MB / 70.83MB 1.2s 2024-10-08T07:20:30.3482094Z #5 extracting sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 2024-10-08T07:20:30.4493399Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 70.83MB / 70.83MB 1.2s done 2024-10-08T07:20:30.7742653Z #5 extracting sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 0.3s done 2024-10-08T07:20:30.7744368Z #5 extracting sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 2024-10-08T07:20:30.9618729Z #5 extracting sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 done 2024-10-08T07:20:30.9619515Z #5 DONE 1.7s 2024-10-08T07:20:30.9619701Z 2024-10-08T07:20:30.9619928Z #6 [2/2] COPY entrypoint.sh /entrypoint.sh 2024-10-08T07:20:30.9620406Z #6 DONE 0.0s 2024-10-08T07:20:30.9620617Z 2024-10-08T07:20:30.9620746Z #7 exporting to image 2024-10-08T07:20:30.9621156Z #7 exporting layers 2024-10-08T07:20:31.0054548Z #7 exporting layers 0.2s done 2024-10-08T07:20:31.0259594Z #7 writing image sha256:371c1bab738f2258ce35a7225eb2ea5e8303b030d448e9901f5d21ad1884a08d done 2024-10-08T07:20:31.0260695Z #7 naming to docker.io/library/13d7dc:10b534e1478e4c749be83dbf064ad8db done 2024-10-08T07:20:31.0261751Z #7 DONE 0.2s 2024-10-08T07:20:31.0312443Z ##[endgroup] 2024-10-08T07:20:31.0712192Z ##[group]Run actions/checkout@v3 2024-10-08T07:20:31.0712649Z with: 2024-10-08T07:20:31.0712926Z fetch-depth: 0 2024-10-08T07:20:31.0713376Z repository: itsarraj/PRBotCheck 2024-10-08T07:20:31.0713961Z token: *** 2024-10-08T07:20:31.0714316Z ssh-strict: true 2024-10-08T07:20:31.0714695Z persist-credentials: true 2024-10-08T07:20:31.0715070Z clean: true 2024-10-08T07:20:31.0715425Z sparse-checkout-cone-mode: true 2024-10-08T07:20:31.0715846Z fetch-tags: false 2024-10-08T07:20:31.0716178Z lfs: false 2024-10-08T07:20:31.0716510Z submodules: false 2024-10-08T07:20:31.0716862Z set-safe-directory: true 2024-10-08T07:20:31.0717383Z ##[endgroup] 2024-10-08T07:20:31.2375350Z Syncing repository: itsarraj/PRBotCheck 2024-10-08T07:20:31.2377193Z ##[group]Getting Git version info 2024-10-08T07:20:31.2378213Z Working directory is '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:20:31.2379183Z [command]/usr/bin/git version 2024-10-08T07:20:31.2379693Z git version 2.46.1 2024-10-08T07:20:31.2381396Z ##[endgroup] 2024-10-08T07:20:31.2392524Z Temporarily overriding HOME='/home/runner/work/_temp/3f65a7f1-d9e9-47cc-a70b-bd3d07fe8b7f' before making global git config changes 2024-10-08T07:20:31.2393556Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:20:31.2394634Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:31.2402122Z Deleting the contents of '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:20:31.2405610Z ##[group]Initializing the repository 2024-10-08T07:20:31.2408543Z [command]/usr/bin/git init /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:31.2507879Z hint: Using 'master' as the name for the initial branch. This default branch name 2024-10-08T07:20:31.2509243Z hint: is subject to change. To configure the initial branch name to use in all 2024-10-08T07:20:31.2510504Z hint: of your new repositories, which will suppress this warning, call: 2024-10-08T07:20:31.2511399Z hint: 2024-10-08T07:20:31.2512191Z hint: git config --global init.defaultBranch 2024-10-08T07:20:31.2513128Z hint: 2024-10-08T07:20:31.2514003Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and 2024-10-08T07:20:31.2515343Z hint: 'development'. The just-created branch can be renamed via this command: 2024-10-08T07:20:31.2516437Z hint: 2024-10-08T07:20:31.2516985Z hint: git branch -m 2024-10-08T07:20:31.2518169Z Initialized empty Git repository in /home/runner/work/PRBotCheck/PRBotCheck/.git/ 2024-10-08T07:20:31.2524838Z [command]/usr/bin/git remote add origin https://github.com/itsarraj/PRBotCheck 2024-10-08T07:20:31.2555075Z ##[endgroup] 2024-10-08T07:20:31.2556026Z ##[group]Disabling automatic garbage collection 2024-10-08T07:20:31.2557062Z [command]/usr/bin/git config --local gc.auto 0 2024-10-08T07:20:31.2583587Z ##[endgroup] 2024-10-08T07:20:31.2584512Z ##[group]Setting up auth 2024-10-08T07:20:31.2588772Z [command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand 2024-10-08T07:20:31.2614392Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:20:31.2908897Z [command]/usr/bin/git config --local --name-only --get-regexp http.https://github.com/.extraheader 2024-10-08T07:20:31.2936175Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http.https://github.com/.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:20:31.3158539Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic *** 2024-10-08T07:20:31.3189412Z ##[endgroup] 2024-10-08T07:20:31.3190653Z ##[group]Fetching the repository 2024-10-08T07:20:31.3198781Z [command]/usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/:refs/remotes/origin/ +refs/tags/:refs/tags/ 2024-10-08T07:20:31.6096001Z remote: Enumerating objects: 32, done. 2024-10-08T07:20:31.6096907Z remote: Counting objects: 3% (1/32) 2024-10-08T07:20:31.6097830Z remote: Counting objects: 6% (2/32) 2024-10-08T07:20:31.6101285Z remote: Counting objects: 9% (3/32) 2024-10-08T07:20:31.6102002Z remote: Counting objects: 12% (4/32) 2024-10-08T07:20:31.6103033Z remote: Counting objects: 15% (5/32) 2024-10-08T07:20:31.6103816Z remote: Counting objects: 18% (6/32) 2024-10-08T07:20:31.6104744Z remote: Counting objects: 21% (7/32) 2024-10-08T07:20:31.6105526Z remote: Counting objects: 25% (8/32) 2024-10-08T07:20:31.6106224Z remote: Counting objects: 28% (9/32) 2024-10-08T07:20:31.6107090Z remote: Counting objects: 31% (10/32) 2024-10-08T07:20:31.6108057Z remote: Counting objects: 34% (11/32) 2024-10-08T07:20:31.6108762Z remote: Counting objects: 37% (12/32) 2024-10-08T07:20:31.6110011Z remote: Counting objects: 40% (13/32) 2024-10-08T07:20:31.6110792Z remote: Counting objects: 43% (14/32) 2024-10-08T07:20:31.6111545Z remote: Counting objects: 46% (15/32) 2024-10-08T07:20:31.6112096Z remote: Counting objects: 50% (16/32) 2024-10-08T07:20:31.6112559Z remote: Counting objects: 53% (17/32) 2024-10-08T07:20:31.6112993Z remote: Counting objects: 56% (18/32) 2024-10-08T07:20:31.6113496Z remote: Counting objects: 59% (19/32) 2024-10-08T07:20:31.6113951Z remote: Counting objects: 62% (20/32) 2024-10-08T07:20:31.6114380Z remote: Counting objects: 65% (21/32) 2024-10-08T07:20:31.6114876Z remote: Counting objects: 68% (22/32) 2024-10-08T07:20:31.6115350Z remote: Counting objects: 71% (23/32) 2024-10-08T07:20:31.6115776Z remote: Counting objects: 75% (24/32) 2024-10-08T07:20:31.6116283Z remote: Counting objects: 78% (25/32) 2024-10-08T07:20:31.6116779Z remote: Counting objects: 81% (26/32) 2024-10-08T07:20:31.6117201Z remote: Counting objects: 84% (27/32) 2024-10-08T07:20:31.6117927Z remote: Counting objects: 87% (28/32) 2024-10-08T07:20:31.6118400Z remote: Counting objects: 90% (29/32) 2024-10-08T07:20:31.6118856Z remote: Counting objects: 93% (30/32) 2024-10-08T07:20:31.6119329Z remote: Counting objects: 96% (31/32) 2024-10-08T07:20:31.6119797Z remote: Counting objects: 100% (32/32) 2024-10-08T07:20:31.6120275Z remote: Counting objects: 100% (32/32), done. 2024-10-08T07:20:31.6120800Z remote: Compressing objects: 4% (1/22) 2024-10-08T07:20:31.6121300Z remote: Compressing objects: 9% (2/22) 2024-10-08T07:20:31.6121778Z remote: Compressing objects: 13% (3/22) 2024-10-08T07:20:31.6122264Z remote: Compressing objects: 18% (4/22) 2024-10-08T07:20:31.6122776Z remote: Compressing objects: 22% (5/22) 2024-10-08T07:20:31.6123272Z remote: Compressing objects: 27% (6/22) 2024-10-08T07:20:31.6123780Z remote: Compressing objects: 31% (7/22) 2024-10-08T07:20:31.6124253Z remote: Compressing objects: 36% (8/22) 2024-10-08T07:20:31.6124729Z remote: Compressing objects: 40% (9/22) 2024-10-08T07:20:31.6125246Z remote: Compressing objects: 45% (10/22) 2024-10-08T07:20:31.6125739Z remote: Compressing objects: 50% (11/22) 2024-10-08T07:20:31.6126221Z remote: Compressing objects: 54% (12/22) 2024-10-08T07:20:31.6126723Z remote: Compressing objects: 59% (13/22) 2024-10-08T07:20:31.6127206Z remote: Compressing objects: 63% (14/22) 2024-10-08T07:20:31.6127969Z remote: Compressing objects: 68% (15/22) 2024-10-08T07:20:31.6128538Z remote: Compressing objects: 72% (16/22) 2024-10-08T07:20:31.6128982Z remote: Compressing objects: 77% (17/22) 2024-10-08T07:20:31.6129489Z remote: Compressing objects: 81% (18/22) 2024-10-08T07:20:31.6130209Z remote: Compressing objects: 86% (19/22) 2024-10-08T07:20:31.6130671Z remote: Compressing objects: 90% (20/22) 2024-10-08T07:20:31.6131167Z remote: Compressing objects: 95% (21/22) 2024-10-08T07:20:31.6131702Z remote: Compressing objects: 100% (22/22) 2024-10-08T07:20:31.6132182Z remote: Compressing objects: 100% (22/22), done. 2024-10-08T07:20:31.6265177Z remote: Total 32 (delta 12), reused 25 (delta 5), pack-reused 0 (from 0) 2024-10-08T07:20:31.6384542Z From https://github.com/itsarraj/PRBotCheck 2024-10-08T07:20:31.6385458Z * [new branch] master -> origin/master 2024-10-08T07:20:31.6416698Z [command]/usr/bin/git branch --list --remote origin/master 2024-10-08T07:20:31.6439915Z origin/master 2024-10-08T07:20:31.6448792Z [command]/usr/bin/git rev-parse refs/remotes/origin/master 2024-10-08T07:20:31.6468892Z 62868f4 2024-10-08T07:20:31.6474481Z ##[endgroup] 2024-10-08T07:20:31.6475343Z ##[group]Determining the checkout info 2024-10-08T07:20:31.6476665Z ##[endgroup] 2024-10-08T07:20:31.6477665Z ##[group]Checking out the ref 2024-10-08T07:20:31.6479685Z [command]/usr/bin/git checkout --progress --force -B master refs/remotes/origin/master 2024-10-08T07:20:31.6520324Z Reset branch 'master' 2024-10-08T07:20:31.6523940Z branch 'master' set up to track 'origin/master'. 2024-10-08T07:20:31.6531500Z ##[endgroup] 2024-10-08T07:20:31.6560168Z [command]/usr/bin/git log -1 --format='%H' 2024-10-08T07:20:31.6580532Z '62868f47b40a795a4d99b3e3ddec9e6e76e772f0' 2024-10-08T07:20:31.6870818Z ##[group]Run trufflesecurity/TruffleHog-Enterprise-Github-Action@main 2024-10-08T07:20:31.6871504Z with: 2024-10-08T07:20:31.6871868Z args: --fail-verified master HEAD --json 2024-10-08T07:20:31.6872264Z ##[endgroup] 2024-10-08T07:20:31.7087553Z ##[command]/usr/bin/docker run --name d7dc10b534e1478e4c749be83dbf064ad8db_c39ccd --label 13d7dc --workdir /github/workspace --rm -e "INPUT_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/PRBotCheck/PRBotCheck":"/github/workspace" 13d7dc:10b534e1478e4c749be83dbf064ad8db "--fail-verified master HEAD --json" 2024-10-08T07:20:34.0216978Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"running trufflehog","pid":"vXFKD","version":"v1.90.20"} 2024-10-08T07:20:34.0219673Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"log level set","pid":"vXFKD","version":"v1.90.20","level":0} 2024-10-08T07:20:34.0220795Z 2024-10-08T07:20:34.0221996Z 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 2024-10-08T07:20:34.0222705Z version: v1.90.20 2024-10-08T07:20:34.0223097Z 2024-10-08T07:20:34.0224732Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"resolved base reference","pid":"vXFKD","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:20:34.0226867Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"resolved head reference","pid":"vXFKD","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:20:34.0229640Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"resolved common merge base between references","pid":"vXFKD","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:20:34.0231833Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"scanning repo","pid":"vXFKD","version":"v1.90.20","repo":"https://github.com/itsarraj/PRBotCheck","base":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0","head":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:20:34.0278423Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"finished scanning commits","pid":"vXFKD","version":"v1.90.20","commits_scanned":0} 2024-10-08T07:20:34.0290900Z {"level":"info-0","ts":"2024-10-08T07:20:34Z","logger":"thog/scanner","msg":"no secrets found","pid":"vXFKD","version":"v1.90.20"} 2024-10-08T07:20:34.1306624Z Post job cleanup. 2024-10-08T07:20:34.2035890Z [command]/usr/bin/git version 2024-10-08T07:20:34.2070136Z git version 2.46.1 2024-10-08T07:20:34.2113742Z Temporarily overriding HOME='/home/runner/work/_temp/55e17912-8441-4b16-a853-97aecdeb4f86' before making global git config changes 2024-10-08T07:20:34.2115776Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:20:34.2118441Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:34.2149445Z [command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand 2024-10-08T07:20:34.2178354Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:20:34.2409796Z [command]/usr/bin/git config --local --name-only --get-regexp http.https://github.com/.extraheader 2024-10-08T07:20:34.2429508Z http.https://github.com/.extraheader 2024-10-08T07:20:34.2440481Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader 2024-10-08T07:20:34.2468267Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http.https://github.com/.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:20:34.2897756Z Cleaning up orphan processes SCA Bot2024-10-08T07:20:27.1286491Z Current runner version: '2.320.0' 2024-10-08T07:20:27.1315346Z ##[group]Operating System 2024-10-08T07:20:27.1315978Z Ubuntu 2024-10-08T07:20:27.1316432Z 22.04.5 2024-10-08T07:20:27.1316782Z LTS 2024-10-08T07:20:27.1317116Z ##[endgroup] 2024-10-08T07:20:27.1317621Z ##[group]Runner Image 2024-10-08T07:20:27.1318028Z Image: ubuntu-22.04 2024-10-08T07:20:27.1318432Z Version: 20240922.1.0 2024-10-08T07:20:27.1319524Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240922.1/images/ubuntu/Ubuntu2204-Readme.md 2024-10-08T07:20:27.1320951Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240922.1 2024-10-08T07:20:27.1321764Z ##[endgroup] 2024-10-08T07:20:27.1322266Z ##[group]Runner Image Provisioner 2024-10-08T07:20:27.1322744Z 2.0.384.1 2024-10-08T07:20:27.1323043Z ##[endgroup] 2024-10-08T07:20:27.1338107Z ##[group]GITHUB_TOKEN Permissions 2024-10-08T07:20:27.1339862Z Issues: write 2024-10-08T07:20:27.1340301Z Metadata: read 2024-10-08T07:20:27.1340998Z PullRequests: write 2024-10-08T07:20:27.1341498Z ##[endgroup] 2024-10-08T07:20:27.1344819Z Secret source: Actions 2024-10-08T07:20:27.1345414Z Prepare workflow directory 2024-10-08T07:20:27.1972988Z Prepare all required actions 2024-10-08T07:20:27.2131588Z Getting action download info 2024-10-08T07:20:27.3725632Z Download action repository 'actions/checkout@v3' (SHA:f43a0e5ff2bd294095638e18286ca9a3d1956744) 2024-10-08T07:20:27.6077403Z Complete job name: Snyk Bot scan 2024-10-08T07:20:27.6998528Z ##[group]Run actions/checkout@v3 2024-10-08T07:20:27.6999129Z with: 2024-10-08T07:20:27.6999649Z repository: itsarraj/PRBotCheck 2024-10-08T07:20:27.7000408Z token: *** 2024-10-08T07:20:27.7000940Z ssh-strict: true 2024-10-08T07:20:27.7001401Z persist-credentials: true 2024-10-08T07:20:27.7001825Z clean: true 2024-10-08T07:20:27.7002318Z sparse-checkout-cone-mode: true 2024-10-08T07:20:27.7002843Z fetch-depth: 1 2024-10-08T07:20:27.7003232Z fetch-tags: false 2024-10-08T07:20:27.7003880Z lfs: false 2024-10-08T07:20:27.7004342Z submodules: false 2024-10-08T07:20:27.7004753Z set-safe-directory: true 2024-10-08T07:20:27.7005309Z ##[endgroup] 2024-10-08T07:20:27.9198574Z Syncing repository: itsarraj/PRBotCheck 2024-10-08T07:20:27.9200743Z ##[group]Getting Git version info 2024-10-08T07:20:27.9201649Z Working directory is '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:20:27.9202687Z [command]/usr/bin/git version 2024-10-08T07:20:28.0450496Z git version 2.46.1 2024-10-08T07:20:28.0481566Z ##[endgroup] 2024-10-08T07:20:28.0549867Z Temporarily overriding HOME='/home/runner/work/_temp/f2e4ac35-0987-4331-b98b-c8c297b92d79' before making global git config changes 2024-10-08T07:20:28.0551349Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:20:28.0553818Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:28.0716530Z Deleting the contents of '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:20:28.0721496Z ##[group]Initializing the repository 2024-10-08T07:20:28.0725930Z [command]/usr/bin/git init /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:28.1675338Z hint: Using 'master' as the name for the initial branch. This default branch name 2024-10-08T07:20:28.1677626Z hint: is subject to change. To configure the initial branch name to use in all 2024-10-08T07:20:28.1679467Z hint: of your new repositories, which will suppress this warning, call: 2024-10-08T07:20:28.1680875Z hint: 2024-10-08T07:20:28.1682033Z hint: git config --global init.defaultBranch 2024-10-08T07:20:28.1683091Z hint: 2024-10-08T07:20:28.1684569Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and 2024-10-08T07:20:28.1686622Z hint: 'development'. The just-created branch can be renamed via this command: 2024-10-08T07:20:28.1687950Z hint: 2024-10-08T07:20:28.1688795Z hint: git branch -m 2024-10-08T07:20:28.1788187Z Initialized empty Git repository in /home/runner/work/PRBotCheck/PRBotCheck/.git/ 2024-10-08T07:20:28.1800985Z [command]/usr/bin/git remote add origin https://github.com/itsarraj/PRBotCheck 2024-10-08T07:20:28.1920655Z ##[endgroup] 2024-10-08T07:20:28.1921465Z ##[group]Disabling automatic garbage collection 2024-10-08T07:20:28.1922498Z [command]/usr/bin/git config --local gc.auto 0 2024-10-08T07:20:28.1955322Z ##[endgroup] 2024-10-08T07:20:28.1956735Z ##[group]Setting up auth 2024-10-08T07:20:28.1961105Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand 2024-10-08T07:20:28.1990885Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:20:28.4000231Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader 2024-10-08T07:20:28.4026553Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:20:28.4268553Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic *** 2024-10-08T07:20:28.4301792Z ##[endgroup] 2024-10-08T07:20:28.4302728Z ##[group]Fetching the repository 2024-10-08T07:20:28.4310413Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +62868f47b40a795a4d99b3e3ddec9e6e76e772f0:refs/remotes/origin/master 2024-10-08T07:20:28.7592904Z remote: Enumerating objects: 12, done. 2024-10-08T07:20:28.7594323Z remote: Counting objects: 8% (1/12) 2024-10-08T07:20:28.7595624Z remote: Counting objects: 16% (2/12) 2024-10-08T07:20:28.7596591Z remote: Counting objects: 25% (3/12) 2024-10-08T07:20:28.7597591Z remote: Counting objects: 33% (4/12) 2024-10-08T07:20:28.7598334Z remote: Counting objects: 41% (5/12) 2024-10-08T07:20:28.7599092Z remote: Counting objects: 50% (6/12) 2024-10-08T07:20:28.7599756Z remote: Counting objects: 58% (7/12) 2024-10-08T07:20:28.7600453Z remote: Counting objects: 66% (8/12) 2024-10-08T07:20:28.7600884Z remote: Counting objects: 75% (9/12) 2024-10-08T07:20:28.7601408Z remote: Counting objects: 83% (10/12) 2024-10-08T07:20:28.7602182Z remote: Counting objects: 91% (11/12) 2024-10-08T07:20:28.7602683Z remote: Counting objects: 100% (12/12) 2024-10-08T07:20:28.7603163Z remote: Counting objects: 100% (12/12), done. 2024-10-08T07:20:28.7604157Z remote: Compressing objects: 9% (1/11) 2024-10-08T07:20:28.7604673Z remote: Compressing objects: 18% (2/11) 2024-10-08T07:20:28.7605205Z remote: Compressing objects: 27% (3/11) 2024-10-08T07:20:28.7605792Z remote: Compressing objects: 36% (4/11) 2024-10-08T07:20:28.7606276Z remote: Compressing objects: 45% (5/11) 2024-10-08T07:20:28.7606785Z remote: Compressing objects: 54% (6/11) 2024-10-08T07:20:28.7607380Z remote: Compressing objects: 63% (7/11) 2024-10-08T07:20:28.7607827Z remote: Compressing objects: 72% (8/11) 2024-10-08T07:20:28.7608324Z remote: Compressing objects: 81% (9/11) 2024-10-08T07:20:28.7608904Z remote: Compressing objects: 90% (10/11) 2024-10-08T07:20:28.7609419Z remote: Compressing objects: 100% (11/11) 2024-10-08T07:20:28.7609910Z remote: Compressing objects: 100% (11/11), done. 2024-10-08T07:20:28.7610909Z remote: Total 12 (delta 0), reused 10 (delta 0), pack-reused 0 (from 0) 2024-10-08T07:20:28.7982864Z From https://github.com/itsarraj/PRBotCheck 2024-10-08T07:20:28.7984598Z * [new ref] 62868f4 -> origin/master 2024-10-08T07:20:28.8075344Z ##[endgroup] 2024-10-08T07:20:28.8076383Z ##[group]Determining the checkout info 2024-10-08T07:20:28.8077826Z ##[endgroup] 2024-10-08T07:20:28.8078822Z ##[group]Checking out the ref 2024-10-08T07:20:28.8083466Z [command]/usr/bin/git checkout --progress --force -B master refs/remotes/origin/master 2024-10-08T07:20:28.8127815Z Reset branch 'master' 2024-10-08T07:20:28.8130708Z branch 'master' set up to track 'origin/master'. 2024-10-08T07:20:28.8137429Z ##[endgroup] 2024-10-08T07:20:28.8185582Z [command]/usr/bin/git log -1 --format='%H' 2024-10-08T07:20:28.8207158Z '62868f47b40a795a4d99b3e3ddec9e6e76e772f0' 2024-10-08T07:20:28.8563721Z ##[group]Run rm -rf node_modules 2024-10-08T07:20:28.8564444Z �[36;1mrm -rf node_modules�[0m 2024-10-08T07:20:28.8564848Z �[36;1mrm -f package-lock.json�[0m 2024-10-08T07:20:28.8565270Z �[36;1mnpm install�[0m 2024-10-08T07:20:28.8565886Z �[36;1mecho "Downloading and authenticating Snyk CLI..."�[0m 2024-10-08T07:20:28.8566703Z �[36;1mcurl -Lo ./snyk "https://github.com/snyk/snyk/releases/download/v1.1100.0/snyk-linux"�[0m 2024-10-08T07:20:28.8567345Z �[36;1mchmod +x snyk�[0m 2024-10-08T07:20:28.8568129Z �[36;1m./snyk auth ***�[0m 2024-10-08T07:20:28.8568589Z �[36;1mecho "Running Snyk test and monitor..."�[0m 2024-10-08T07:20:28.8569187Z �[36;1m./snyk test --all-projects --color --json || true�[0m 2024-10-08T07:20:28.8569808Z �[36;1m./snyk monitor --all-projects || true�[0m 2024-10-08T07:20:28.8597121Z shell: /usr/bin/bash -e {0} 2024-10-08T07:20:28.8597736Z ##[endgroup] 2024-10-08T07:20:37.1699409Z npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. 2024-10-08T07:20:37.2125076Z npm warn deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). 2024-10-08T07:20:37.2629878Z npm warn deprecated formatio@1.1.1: This package is unmaintained. Use @sinonjs/formatio instead 2024-10-08T07:20:37.2689492Z npm warn deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam 2024-10-08T07:20:37.2693835Z npm warn deprecated glob@7.1.1: Glob versions prior to v9 are no longer supported 2024-10-08T07:20:37.2811221Z npm warn deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3 2024-10-08T07:20:37.2822143Z npm warn deprecated mkdirp@0.3.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) 2024-10-08T07:20:37.2973693Z npm warn deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) 2024-10-08T07:20:37.4156936Z npm warn deprecated formidable@1.0.11: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau 2024-10-08T07:20:37.5341460Z npm warn deprecated connect@2.6.0: connect 2.x series is deprecated 2024-10-08T07:20:37.5356741Z npm warn deprecated sinon@1.17.0: 16.1.1 2024-10-08T07:20:37.7932845Z 2024-10-08T07:20:37.7934023Z added 112 packages, and audited 113 packages in 7s 2024-10-08T07:20:37.7936809Z 2024-10-08T07:20:37.7937731Z 15 packages are looking for funding 2024-10-08T07:20:37.7938665Z run `npm fund` for details 2024-10-08T07:20:37.8199604Z 2024-10-08T07:20:37.8200778Z 22 vulnerabilities (1 low, 2 moderate, 12 high, 7 critical) 2024-10-08T07:20:37.8201488Z 2024-10-08T07:20:37.8202024Z To address all issues possible (including breaking changes), run: 2024-10-08T07:20:37.8206118Z npm audit fix --force 2024-10-08T07:20:37.8206750Z 2024-10-08T07:20:37.8207207Z Some issues need review, and may require choosing 2024-10-08T07:20:37.8208100Z a different dependency. 2024-10-08T07:20:37.8208399Z 2024-10-08T07:20:37.8208568Z Run `npm audit` for details. 2024-10-08T07:20:37.8396289Z Downloading and authenticating Snyk CLI... 2024-10-08T07:20:37.8813175Z % Total % Received % Xferd Average Speed Time Time Time Current 2024-10-08T07:20:37.8816253Z Dload Upload Total Spent Left Speed 2024-10-08T07:20:37.8817064Z 2024-10-08T07:20:38.0115153Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:20:38.0116784Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:20:38.0914671Z 2024-10-08T07:20:38.0915807Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:20:38.5541048Z 2024-10-08T07:20:38.5542453Z 100 67.1M 100 67.1M 0 0 99.8M 0 --:--:-- --:--:-- --:--:-- 99.8M 2024-10-08T07:20:39.6456440Z 2024-10-08T07:20:39.6457409Z Your account has been authenticated. Snyk is now ready to be used. 2024-10-08T07:20:39.6458438Z 2024-10-08T07:20:40.1074593Z Running Snyk test and monitor... 2024-10-08T07:20:50.8322236Z { 2024-10-08T07:20:50.8323141Z "vulnerabilities": [ 2024-10-08T07:20:50.8324069Z { 2024-10-08T07:20:50.8325115Z "id": "SNYK-JAVA-ORGAPACHEMAVEN-6144614", 2024-10-08T07:20:50.8326039Z "title": "Resources Downloaded over Insecure Protocol", 2024-10-08T07:20:50.8327029Z "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8327790Z "credit": [ 2024-10-08T07:20:50.8328474Z "Unknown" 2024-10-08T07:20:50.8329063Z ], 2024-10-08T07:20:50.8329533Z "semver": { 2024-10-08T07:20:50.8330232Z "vulnerable": [ 2024-10-08T07:20:50.8330827Z "[,3.8.1)" 2024-10-08T07:20:50.8331377Z ] 2024-10-08T07:20:50.8331971Z }, 2024-10-08T07:20:50.8332509Z "exploit": "Not Defined", 2024-10-08T07:20:50.8333148Z "fixedIn": [ 2024-10-08T07:20:50.8334104Z "3.8.1" 2024-10-08T07:20:50.8334610Z ], 2024-10-08T07:20:50.8335123Z "patches": [], 2024-10-08T07:20:50.8335843Z "insights": { 2024-10-08T07:20:50.8336391Z "triageAdvice": null 2024-10-08T07:20:50.8337032Z }, 2024-10-08T07:20:50.8337687Z "language": "java", 2024-10-08T07:20:50.8338284Z "severity": "high", 2024-10-08T07:20:50.8338856Z "cvssScore": 7.1, 2024-10-08T07:20:50.8339564Z "functions": [], 2024-10-08T07:20:50.8340144Z "malicious": false, 2024-10-08T07:20:50.8340733Z "isDisputed": false, 2024-10-08T07:20:50.8341658Z "moduleName": "org.apache.maven:maven-core", 2024-10-08T07:20:50.8342420Z "references": [ 2024-10-08T07:20:50.8342971Z { 2024-10-08T07:20:50.8344550Z "url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", 2024-10-08T07:20:50.8346139Z "title": "Apache Security Advisory" 2024-10-08T07:20:50.8346834Z }, 2024-10-08T07:20:50.8347435Z { 2024-10-08T07:20:50.8348330Z "url": "https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8", 2024-10-08T07:20:50.8349441Z "title": "GitHub Commit" 2024-10-08T07:20:50.8350186Z }, 2024-10-08T07:20:50.8350724Z { 2024-10-08T07:20:50.8351672Z "url": "https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647", 2024-10-08T07:20:50.8352992Z "title": "GitHub Commit" 2024-10-08T07:20:50.8353845Z }, 2024-10-08T07:20:50.8354263Z { 2024-10-08T07:20:50.8355308Z "url": "https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f", 2024-10-08T07:20:50.8356511Z "title": "GitHub Commit" 2024-10-08T07:20:50.8357349Z } 2024-10-08T07:20:50.8357879Z ], 2024-10-08T07:20:50.8358415Z "cvssDetails": [ 2024-10-08T07:20:50.8359129Z { 2024-10-08T07:20:50.8359722Z "assigner": "NVD", 2024-10-08T07:20:50.8360328Z "severity": "critical", 2024-10-08T07:20:50.8361356Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:20:50.8362322Z "cvssV3BaseScore": 9.1, 2024-10-08T07:20:50.8363230Z "modificationTime": "2024-03-11T09:50:36.020732Z" 2024-10-08T07:20:50.8364956Z }, 2024-10-08T07:20:50.8365443Z { 2024-10-08T07:20:50.8365917Z "assigner": "Red Hat", 2024-10-08T07:20:50.8366739Z "severity": "high", 2024-10-08T07:20:50.8367585Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:20:50.8368915Z "cvssV3BaseScore": 7.4, 2024-10-08T07:20:50.8370069Z "modificationTime": "2024-03-11T09:53:46.595598Z" 2024-10-08T07:20:50.8370845Z } 2024-10-08T07:20:50.8371380Z ], 2024-10-08T07:20:50.8372042Z "cvssSources": [ 2024-10-08T07:20:50.8372591Z { 2024-10-08T07:20:50.8373174Z "type": "primary", 2024-10-08T07:20:50.8374354Z "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8375255Z "assigner": "Snyk", 2024-10-08T07:20:50.8375915Z "severity": "high", 2024-10-08T07:20:50.8376646Z "baseScore": 7.1, 2024-10-08T07:20:50.8377363Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8378325Z "modificationTime": "2024-03-06T14:09:37.073828Z" 2024-10-08T07:20:50.8379258Z }, 2024-10-08T07:20:50.8379736Z { 2024-10-08T07:20:50.8380270Z "type": "secondary", 2024-10-08T07:20:50.8381188Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:20:50.8382060Z "assigner": "NVD", 2024-10-08T07:20:50.8382671Z "severity": "critical", 2024-10-08T07:20:50.8383749Z "baseScore": 9.1, 2024-10-08T07:20:50.8384419Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8385284Z "modificationTime": "2024-03-11T09:50:36.020732Z" 2024-10-08T07:20:50.8386254Z }, 2024-10-08T07:20:50.8386837Z { 2024-10-08T07:20:50.8387494Z "type": "secondary", 2024-10-08T07:20:50.8388316Z "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:20:50.8389140Z "assigner": "Red Hat", 2024-10-08T07:20:50.8389912Z "severity": "high", 2024-10-08T07:20:50.8390572Z "baseScore": 7.4, 2024-10-08T07:20:50.8391161Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8392254Z "modificationTime": "2024-03-11T09:53:46.595598Z" 2024-10-08T07:20:50.8393087Z } 2024-10-08T07:20:50.8393761Z ], 2024-10-08T07:20:50.8407713Z "description": "## Overview\n\nAffected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls.\r\n\r\nIf you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. For more information about repository management, visit [this page](https://maven.apache.org/repository-management.html).\n## Remediation\nUpgrade `org.apache.maven:maven-core` to version 3.8.1 or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E)\n- [GitHub Commit](https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8)\n- [GitHub Commit](https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647)\n- [GitHub Commit](https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f)\n", 2024-10-08T07:20:50.8419468Z "epssDetails": { 2024-10-08T07:20:50.8420133Z "percentile": "0.57700", 2024-10-08T07:20:50.8420743Z "probability": "0.00197", 2024-10-08T07:20:50.8421611Z "modelVersion": "v2023.03.01" 2024-10-08T07:20:50.8422255Z }, 2024-10-08T07:20:50.8422718Z "identifiers": { 2024-10-08T07:20:50.8423437Z "CVE": [ 2024-10-08T07:20:50.8424090Z "CVE-2021-26291" 2024-10-08T07:20:50.8424824Z ], 2024-10-08T07:20:50.8425293Z "CWE": [ 2024-10-08T07:20:50.8425904Z "CWE-494" 2024-10-08T07:20:50.8426551Z ], 2024-10-08T07:20:50.8427013Z "GHSA": [ 2024-10-08T07:20:50.8427701Z "GHSA-2f88-5hg8-9x2x" 2024-10-08T07:20:50.8428222Z ] 2024-10-08T07:20:50.8428665Z }, 2024-10-08T07:20:50.8429376Z "packageName": "org.apache.maven:maven-core", 2024-10-08T07:20:50.8430100Z "proprietary": false, 2024-10-08T07:20:50.8430773Z "creationTime": "2024-01-04T15:15:05.020423Z", 2024-10-08T07:20:50.8432017Z "functions_new": [], 2024-10-08T07:20:50.8432567Z "alternativeIds": [], 2024-10-08T07:20:50.8433552Z "disclosureTime": "2021-04-26T09:21:36Z", 2024-10-08T07:20:50.8434205Z "exploitDetails": { 2024-10-08T07:20:50.8434752Z "sources": [], 2024-10-08T07:20:50.8435388Z "maturityLevels": [ 2024-10-08T07:20:50.8435924Z { 2024-10-08T07:20:50.8436353Z "type": "secondary", 2024-10-08T07:20:50.8437035Z "level": "Not Defined", 2024-10-08T07:20:50.8437650Z "format": "CVSSv3" 2024-10-08T07:20:50.8438196Z }, 2024-10-08T07:20:50.8438710Z { 2024-10-08T07:20:50.8439182Z "type": "primary", 2024-10-08T07:20:50.8439872Z "level": "Not Defined", 2024-10-08T07:20:50.8440445Z "format": "CVSSv4" 2024-10-08T07:20:50.8440994Z } 2024-10-08T07:20:50.8441522Z ] 2024-10-08T07:20:50.8441913Z }, 2024-10-08T07:20:50.8442380Z "packageManager": "maven", 2024-10-08T07:20:50.8443094Z "mavenModuleName": { 2024-10-08T07:20:50.8443898Z "groupId": "org.apache.maven", 2024-10-08T07:20:50.8444617Z "artifactId": "maven-core" 2024-10-08T07:20:50.8445298Z }, 2024-10-08T07:20:50.8445948Z "publicationTime": "2024-01-04T15:16:41.308178Z", 2024-10-08T07:20:50.8446717Z "severityBasedOn": "CVSS", 2024-10-08T07:20:50.8447513Z "modificationTime": "2024-03-11T09:53:46.595598Z", 2024-10-08T07:20:50.8448259Z "socialTrendAlert": false, 2024-10-08T07:20:50.8448922Z "severityWithCritical": "high", 2024-10-08T07:20:50.8449584Z "from": [ 2024-10-08T07:20:50.8450254Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:20:50.8451126Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:20:50.8451968Z "org.apache.maven:maven-core@2.0" 2024-10-08T07:20:50.8452579Z ], 2024-10-08T07:20:50.8453041Z "upgradePath": [ 2024-10-08T07:20:50.8453905Z false, 2024-10-08T07:20:50.8454595Z "org.apache.maven:maven-embedder@3.8.1", 2024-10-08T07:20:50.8455373Z "org.apache.maven:maven-core@3.8.1" 2024-10-08T07:20:50.8456122Z ], 2024-10-08T07:20:50.8456628Z "isUpgradable": true, 2024-10-08T07:20:50.8457206Z "isPatchable": false, 2024-10-08T07:20:50.8458083Z "name": "org.apache.maven:maven-core", 2024-10-08T07:20:50.8458848Z "version": "2.0" 2024-10-08T07:20:50.8459368Z }, 2024-10-08T07:20:50.8459905Z { 2024-10-08T07:20:50.8460634Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-31521", 2024-10-08T07:20:50.8461490Z "title": "Directory Traversal", 2024-10-08T07:20:50.8462487Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8463679Z "credit": [ 2024-10-08T07:20:50.8464291Z "Unknown" 2024-10-08T07:20:50.8465005Z ], 2024-10-08T07:20:50.8465474Z "semver": { 2024-10-08T07:20:50.8466047Z "vulnerable": [ 2024-10-08T07:20:50.8466808Z "[,3.0.24)" 2024-10-08T07:20:50.8467330Z ] 2024-10-08T07:20:50.8467740Z }, 2024-10-08T07:20:50.8468309Z "exploit": "Not Defined", 2024-10-08T07:20:50.8468885Z "fixedIn": [ 2024-10-08T07:20:50.8469344Z "3.0.24" 2024-10-08T07:20:50.8470132Z ], 2024-10-08T07:20:50.8470610Z "patches": [], 2024-10-08T07:20:50.8471203Z "insights": { 2024-10-08T07:20:50.8471673Z "triageAdvice": null 2024-10-08T07:20:50.8472254Z }, 2024-10-08T07:20:50.8472793Z "language": "java", 2024-10-08T07:20:50.8473506Z "severity": "medium", 2024-10-08T07:20:50.8474123Z "cvssScore": 5.3, 2024-10-08T07:20:50.8474903Z "functions": [ 2024-10-08T07:20:50.8475444Z { 2024-10-08T07:20:50.8475851Z "version": [ 2024-10-08T07:20:50.8476446Z "[,3.0.24)" 2024-10-08T07:20:50.8476984Z ], 2024-10-08T07:20:50.8477465Z "functionId": { 2024-10-08T07:20:50.8478169Z "filePath": "org/codehaus/plexus/util/Expand.java", 2024-10-08T07:20:50.8478984Z "className": "Expand", 2024-10-08T07:20:50.8479638Z "functionName": "extractFile" 2024-10-08T07:20:50.8480292Z } 2024-10-08T07:20:50.8480763Z } 2024-10-08T07:20:50.8481208Z ], 2024-10-08T07:20:50.8481755Z "malicious": false, 2024-10-08T07:20:50.8482279Z "isDisputed": false, 2024-10-08T07:20:50.8483571Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8484468Z "references": [ 2024-10-08T07:20:50.8484985Z { 2024-10-08T07:20:50.8486150Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef", 2024-10-08T07:20:50.8487481Z "title": "GitHub Commit" 2024-10-08T07:20:50.8488018Z }, 2024-10-08T07:20:50.8488466Z { 2024-10-08T07:20:50.8489344Z "url": "https://github.com/codehaus-plexus/plexus-utils/issues/4", 2024-10-08T07:20:50.8490164Z "title": "GitHub Issue" 2024-10-08T07:20:50.8490755Z } 2024-10-08T07:20:50.8491251Z ], 2024-10-08T07:20:50.8491708Z "cvssDetails": [ 2024-10-08T07:20:50.8492188Z { 2024-10-08T07:20:50.8492731Z "assigner": "NVD", 2024-10-08T07:20:50.8493701Z "severity": "high", 2024-10-08T07:20:50.8494580Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:20:50.8495359Z "cvssV3BaseScore": 7.5, 2024-10-08T07:20:50.8496203Z "modificationTime": "2024-03-11T09:53:39.008801Z" 2024-10-08T07:20:50.8496958Z }, 2024-10-08T07:20:50.8497363Z { 2024-10-08T07:20:50.8497856Z "assigner": "Red Hat", 2024-10-08T07:20:50.8498508Z "severity": "high", 2024-10-08T07:20:50.8499253Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:20:50.8500039Z "cvssV3BaseScore": 7.5, 2024-10-08T07:20:50.8500919Z "modificationTime": "2024-03-11T09:53:59.688096Z" 2024-10-08T07:20:50.8501626Z } 2024-10-08T07:20:50.8502138Z ], 2024-10-08T07:20:50.8502616Z "cvssSources": [ 2024-10-08T07:20:50.8503149Z { 2024-10-08T07:20:50.8503803Z "type": "primary", 2024-10-08T07:20:50.8504550Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8505347Z "assigner": "Snyk", 2024-10-08T07:20:50.8505917Z "severity": "medium", 2024-10-08T07:20:50.8506579Z "baseScore": 5.3, 2024-10-08T07:20:50.8507124Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8507910Z "modificationTime": "2024-05-09T13:34:27.533160Z" 2024-10-08T07:20:50.8508669Z }, 2024-10-08T07:20:50.8509144Z { 2024-10-08T07:20:50.8509550Z "type": "secondary", 2024-10-08T07:20:50.8510361Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:20:50.8511141Z "assigner": "NVD", 2024-10-08T07:20:50.8511651Z "severity": "high", 2024-10-08T07:20:50.8512318Z "baseScore": 7.5, 2024-10-08T07:20:50.8512884Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8513850Z "modificationTime": "2024-03-11T09:53:39.008801Z" 2024-10-08T07:20:50.8514622Z }, 2024-10-08T07:20:50.8515070Z { 2024-10-08T07:20:50.8515534Z "type": "secondary", 2024-10-08T07:20:50.8516565Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:20:50.8517301Z "assigner": "Red Hat", 2024-10-08T07:20:50.8517917Z "severity": "high", 2024-10-08T07:20:50.8518560Z "baseScore": 7.5, 2024-10-08T07:20:50.8519072Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8520047Z "modificationTime": "2024-03-11T09:53:59.688096Z" 2024-10-08T07:20:50.8520838Z } 2024-10-08T07:20:50.8521294Z ], 2024-10-08T07:20:50.8528138Z "description": "## Overview\nAn attacker could access arbitrary files and directories stored on the file system by manipulating files with `dot-dot-slash (../)` sequences and their variations or by using absolute file paths. \r\n\r\n**Note:**\r\n\r\nThere is no indication that access to the filesystem beyond that of the application user can be achieved. So typical deployments will have only limited confidentiality impact from this vulnerability.\n\n## References\n- [https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef](https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef)\n- [https://github.com/codehaus-plexus/plexus-utils/issues/4](https://github.com/codehaus-plexus/plexus-utils/issues/4)\n", 2024-10-08T07:20:50.8534241Z "epssDetails": { 2024-10-08T07:20:50.8534835Z "percentile": "0.26522", 2024-10-08T07:20:50.8535485Z "probability": "0.00060", 2024-10-08T07:20:50.8536140Z "modelVersion": "v2023.03.01" 2024-10-08T07:20:50.8536742Z }, 2024-10-08T07:20:50.8537260Z "identifiers": { 2024-10-08T07:20:50.8537752Z "CVE": [ 2024-10-08T07:20:50.8538319Z "CVE-2022-4244" 2024-10-08T07:20:50.8538900Z ], 2024-10-08T07:20:50.8539322Z "CWE": [ 2024-10-08T07:20:50.8539836Z "CWE-22" 2024-10-08T07:20:50.8540379Z ] 2024-10-08T07:20:50.8540841Z }, 2024-10-08T07:20:50.8541467Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8542369Z "proprietary": false, 2024-10-08T07:20:50.8543081Z "creationTime": "2017-09-20T00:00:00Z", 2024-10-08T07:20:50.8543982Z "functions_new": [ 2024-10-08T07:20:50.8544614Z { 2024-10-08T07:20:50.8545067Z "version": [ 2024-10-08T07:20:50.8545569Z "[,3.0.24)" 2024-10-08T07:20:50.8546126Z ], 2024-10-08T07:20:50.8546601Z "functionId": { 2024-10-08T07:20:50.8547280Z "className": "org.codehaus.plexus.util.Expand", 2024-10-08T07:20:50.8548169Z "functionName": "extractFile" 2024-10-08T07:20:50.8548753Z } 2024-10-08T07:20:50.8549210Z } 2024-10-08T07:20:50.8549717Z ], 2024-10-08T07:20:50.8550131Z "alternativeIds": [], 2024-10-08T07:20:50.8550875Z "disclosureTime": "2016-05-08T00:00:00Z", 2024-10-08T07:20:50.8551631Z "exploitDetails": { 2024-10-08T07:20:50.8552184Z "sources": [], 2024-10-08T07:20:50.8552704Z "maturityLevels": [ 2024-10-08T07:20:50.8553481Z { 2024-10-08T07:20:50.8553972Z "type": "secondary", 2024-10-08T07:20:50.8554738Z "level": "Not Defined", 2024-10-08T07:20:50.8555299Z "format": "CVSSv3" 2024-10-08T07:20:50.8555871Z }, 2024-10-08T07:20:50.8556399Z { 2024-10-08T07:20:50.8556827Z "type": "primary", 2024-10-08T07:20:50.8557451Z "level": "Not Defined", 2024-10-08T07:20:50.8558128Z "format": "CVSSv4" 2024-10-08T07:20:50.8558670Z } 2024-10-08T07:20:50.8559080Z ] 2024-10-08T07:20:50.8559579Z }, 2024-10-08T07:20:50.8560069Z "packageManager": "maven", 2024-10-08T07:20:50.8560636Z "mavenModuleName": { 2024-10-08T07:20:50.8561310Z "groupId": "org.codehaus.plexus", 2024-10-08T07:20:50.8562100Z "artifactId": "plexus-utils" 2024-10-08T07:20:50.8562700Z }, 2024-10-08T07:20:50.8563501Z "publicationTime": "2017-09-20T00:00:00Z", 2024-10-08T07:20:50.8564489Z "severityBasedOn": "CVSS", 2024-10-08T07:20:50.8565311Z "modificationTime": "2024-05-09T13:34:27.533160Z", 2024-10-08T07:20:50.8566168Z "socialTrendAlert": false, 2024-10-08T07:20:50.8566771Z "severityWithCritical": "medium", 2024-10-08T07:20:50.8567406Z "from": [ 2024-10-08T07:20:50.8568174Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:20:50.8569165Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:20:50.8570101Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:20:50.8570931Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:20:50.8571647Z ], 2024-10-08T07:20:50.8572174Z "upgradePath": [ 2024-10-08T07:20:50.8572694Z false, 2024-10-08T07:20:50.8573515Z "org.apache.maven:maven-embedder@3.5.0", 2024-10-08T07:20:50.8574392Z "org.apache.maven:maven-core@3.5.0", 2024-10-08T07:20:50.8575253Z "org.codehaus.plexus:plexus-utils@3.0.24" 2024-10-08T07:20:50.8576021Z ], 2024-10-08T07:20:50.8576602Z "isUpgradable": true, 2024-10-08T07:20:50.8577143Z "isPatchable": false, 2024-10-08T07:20:50.8578003Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8578736Z "version": "1.0.4" 2024-10-08T07:20:50.8579240Z }, 2024-10-08T07:20:50.8579728Z { 2024-10-08T07:20:50.8580359Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-31522", 2024-10-08T07:20:50.8581110Z "title": "Shell Command Injection", 2024-10-08T07:20:50.8581974Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8582709Z "credit": [ 2024-10-08T07:20:50.8583237Z "Charles Duffy" 2024-10-08T07:20:50.8584014Z ], 2024-10-08T07:20:50.8584420Z "semver": { 2024-10-08T07:20:50.8584922Z "vulnerable": [ 2024-10-08T07:20:50.8585520Z "[,3.0.16)" 2024-10-08T07:20:50.8585954Z ] 2024-10-08T07:20:50.8586414Z }, 2024-10-08T07:20:50.8587000Z "exploit": "Not Defined", 2024-10-08T07:20:50.8587580Z "fixedIn": [ 2024-10-08T07:20:50.8588050Z "3.0.16" 2024-10-08T07:20:50.8588598Z ], 2024-10-08T07:20:50.8589060Z "patches": [], 2024-10-08T07:20:50.8589518Z "insights": { 2024-10-08T07:20:50.8590115Z "triageAdvice": null 2024-10-08T07:20:50.8590691Z }, 2024-10-08T07:20:50.8591220Z "language": "java", 2024-10-08T07:20:50.8591739Z "severity": "critical", 2024-10-08T07:20:50.8592344Z "cvssScore": 9.8, 2024-10-08T07:20:50.8592944Z "functions": [ 2024-10-08T07:20:50.8593742Z { 2024-10-08T07:20:50.8594183Z "version": [ 2024-10-08T07:20:50.8594779Z "[,3.0.16)" 2024-10-08T07:20:50.8595320Z ], 2024-10-08T07:20:50.8595744Z "functionId": { 2024-10-08T07:20:50.8596544Z "filePath": "org/codehaus/plexus/util/cli/Commandline.java", 2024-10-08T07:20:50.8597415Z "className": "Commandline", 2024-10-08T07:20:50.8598075Z "functionName": "execute" 2024-10-08T07:20:50.8598694Z } 2024-10-08T07:20:50.8599178Z } 2024-10-08T07:20:50.8599599Z ], 2024-10-08T07:20:50.8600075Z "malicious": false, 2024-10-08T07:20:50.8600658Z "isDisputed": false, 2024-10-08T07:20:50.8601417Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8602279Z "references": [ 2024-10-08T07:20:50.8602746Z { 2024-10-08T07:20:50.8604181Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", 2024-10-08T07:20:50.8605465Z "title": "GitHub Commit" 2024-10-08T07:20:50.8606059Z }, 2024-10-08T07:20:50.8606448Z { 2024-10-08T07:20:50.8607599Z "url": "https://raw.githubusercontent.com/sonatype/plexus-utils/master/jira/PLXUTILS-161.json", 2024-10-08T07:20:50.8608850Z "title": "PLXUTILS-161 - Raw Jira Ticket JSON" 2024-10-08T07:20:50.8609550Z } 2024-10-08T07:20:50.8610040Z ], 2024-10-08T07:20:50.8610489Z "cvssDetails": [ 2024-10-08T07:20:50.8611226Z { 2024-10-08T07:20:50.8611711Z "assigner": "NVD", 2024-10-08T07:20:50.8612284Z "severity": "critical", 2024-10-08T07:20:50.8613071Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8614910Z "cvssV3BaseScore": 9.8, 2024-10-08T07:20:50.8615701Z "modificationTime": "2024-03-11T09:46:36.869045Z" 2024-10-08T07:20:50.8616616Z }, 2024-10-08T07:20:50.8617146Z { 2024-10-08T07:20:50.8617638Z "assigner": "Red Hat", 2024-10-08T07:20:50.8618175Z "severity": "high", 2024-10-08T07:20:50.8618973Z "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8619798Z "cvssV3BaseScore": 7.8, 2024-10-08T07:20:50.8620671Z "modificationTime": "2024-03-11T09:53:54.737412Z" 2024-10-08T07:20:50.8621319Z } 2024-10-08T07:20:50.8621776Z ], 2024-10-08T07:20:50.8622296Z "cvssSources": [ 2024-10-08T07:20:50.8622785Z { 2024-10-08T07:20:50.8623252Z "type": "primary", 2024-10-08T07:20:50.8624205Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8624989Z "assigner": "Snyk", 2024-10-08T07:20:50.8625540Z "severity": "critical", 2024-10-08T07:20:50.8626224Z "baseScore": 9.8, 2024-10-08T07:20:50.8626839Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8627658Z "modificationTime": "2024-03-06T13:58:02.476253Z" 2024-10-08T07:20:50.8628407Z }, 2024-10-08T07:20:50.8628884Z { 2024-10-08T07:20:50.8629355Z "type": "secondary", 2024-10-08T07:20:50.8630134Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8630896Z "assigner": "NVD", 2024-10-08T07:20:50.8631483Z "severity": "critical", 2024-10-08T07:20:50.8632183Z "baseScore": 9.8, 2024-10-08T07:20:50.8632699Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8633804Z "modificationTime": "2024-03-11T09:46:36.869045Z" 2024-10-08T07:20:50.8634739Z }, 2024-10-08T07:20:50.8635304Z { 2024-10-08T07:20:50.8635742Z "type": "secondary", 2024-10-08T07:20:50.8636577Z "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:20:50.8637381Z "assigner": "Red Hat", 2024-10-08T07:20:50.8637976Z "severity": "high", 2024-10-08T07:20:50.8638635Z "baseScore": 7.8, 2024-10-08T07:20:50.8639213Z "cvssVersion": "3.0", 2024-10-08T07:20:50.8640025Z "modificationTime": "2024-03-11T09:53:54.737412Z" 2024-10-08T07:20:50.8640746Z } 2024-10-08T07:20:50.8641177Z ], 2024-10-08T07:20:50.8647393Z "description": "## Overview\r\n[`Codehaus Plexus`](https://codehaus-plexus.github.io/) is a collection of components used by Apache Maven.\r\n\r\nAffected versions of this package are vulnerable to Shell Command Injection. The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings.\r\n\r\n## Remediation\r\nUpgrade _Codehaus Plexus_ to version `3.0.16` or higher.\r\n\r\n## References\r\n- [Github Commit](https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41)\r\n- [PLXUTILS-161 - Raw Jira Ticket JSON](https://raw.githubusercontent.com/sonatype/plexus-utils/master/jira/PLXUTILS-161.json)", 2024-10-08T07:20:50.8652684Z "epssDetails": { 2024-10-08T07:20:50.8653438Z "percentile": "0.73724", 2024-10-08T07:20:50.8654029Z "probability": "0.00395", 2024-10-08T07:20:50.8654754Z "modelVersion": "v2023.03.01" 2024-10-08T07:20:50.8655375Z }, 2024-10-08T07:20:50.8655890Z "identifiers": { 2024-10-08T07:20:50.8656347Z "CVE": [ 2024-10-08T07:20:50.8656924Z "CVE-2017-1000487" 2024-10-08T07:20:50.8657521Z ], 2024-10-08T07:20:50.8657915Z "CWE": [ 2024-10-08T07:20:50.8658446Z "CWE-77" 2024-10-08T07:20:50.8658989Z ] 2024-10-08T07:20:50.8659440Z }, 2024-10-08T07:20:50.8660056Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8661124Z "proprietary": false, 2024-10-08T07:20:50.8661865Z "creationTime": "2016-09-20T00:00:00Z", 2024-10-08T07:20:50.8662525Z "functions_new": [ 2024-10-08T07:20:50.8663072Z { 2024-10-08T07:20:50.8663848Z "version": [ 2024-10-08T07:20:50.8664366Z "[,3.0.16)" 2024-10-08T07:20:50.8665108Z ], 2024-10-08T07:20:50.8665608Z "functionId": { 2024-10-08T07:20:50.8666362Z "className": "org.codehaus.plexus.util.cli.Commandline", 2024-10-08T07:20:50.8667327Z "functionName": "execute" 2024-10-08T07:20:50.8667905Z } 2024-10-08T07:20:50.8668373Z } 2024-10-08T07:20:50.8668885Z ], 2024-10-08T07:20:50.8669354Z "alternativeIds": [], 2024-10-08T07:20:50.8670067Z "disclosureTime": "2016-05-08T00:00:00Z", 2024-10-08T07:20:50.8670837Z "exploitDetails": { 2024-10-08T07:20:50.8671397Z "sources": [], 2024-10-08T07:20:50.8671927Z "maturityLevels": [ 2024-10-08T07:20:50.8672553Z { 2024-10-08T07:20:50.8673040Z "type": "secondary", 2024-10-08T07:20:50.8673947Z "level": "Not Defined", 2024-10-08T07:20:50.8674611Z "format": "CVSSv3" 2024-10-08T07:20:50.8675192Z }, 2024-10-08T07:20:50.8675643Z { 2024-10-08T07:20:50.8676139Z "type": "primary", 2024-10-08T07:20:50.8676758Z "level": "Not Defined", 2024-10-08T07:20:50.8677374Z "format": "CVSSv4" 2024-10-08T07:20:50.8677990Z } 2024-10-08T07:20:50.8678403Z ] 2024-10-08T07:20:50.8678844Z }, 2024-10-08T07:20:50.8679393Z "packageManager": "maven", 2024-10-08T07:20:50.8680038Z "mavenModuleName": { 2024-10-08T07:20:50.8680608Z "groupId": "org.codehaus.plexus", 2024-10-08T07:20:50.8681466Z "artifactId": "plexus-utils" 2024-10-08T07:20:50.8682090Z }, 2024-10-08T07:20:50.8682639Z "publicationTime": "2016-09-20T00:00:00Z", 2024-10-08T07:20:50.8683628Z "severityBasedOn": "CVSS", 2024-10-08T07:20:50.8684458Z "modificationTime": "2024-03-11T09:53:54.737412Z", 2024-10-08T07:20:50.8685291Z "socialTrendAlert": false, 2024-10-08T07:20:50.8685928Z "severityWithCritical": "critical", 2024-10-08T07:20:50.8686604Z "from": [ 2024-10-08T07:20:50.8687391Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:20:50.8688310Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:20:50.8689076Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:20:50.8689987Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:20:50.8690671Z ], 2024-10-08T07:20:50.8691087Z "upgradePath": [ 2024-10-08T07:20:50.8691697Z false, 2024-10-08T07:20:50.8692341Z "org.apache.maven:maven-embedder@3.2.1", 2024-10-08T07:20:50.8693167Z "org.apache.maven:maven-core@3.2.1", 2024-10-08T07:20:50.8694360Z "org.codehaus.plexus:plexus-utils@3.0.17" 2024-10-08T07:20:50.8695075Z ], 2024-10-08T07:20:50.8695558Z "isUpgradable": true, 2024-10-08T07:20:50.8696256Z "isPatchable": false, 2024-10-08T07:20:50.8696948Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8697689Z "version": "1.0.4" 2024-10-08T07:20:50.8698282Z }, 2024-10-08T07:20:50.8698670Z { 2024-10-08T07:20:50.8699321Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-461102", 2024-10-08T07:20:50.8700216Z "title": "XML External Entity (XXE) Injection", 2024-10-08T07:20:50.8701166Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U", 2024-10-08T07:20:50.8701995Z "credit": [ 2024-10-08T07:20:50.8702560Z "Florian Weimer" 2024-10-08T07:20:50.8703085Z ], 2024-10-08T07:20:50.8703794Z "semver": { 2024-10-08T07:20:50.8704329Z "vulnerable": [ 2024-10-08T07:20:50.8704869Z "[,3.0.24)" 2024-10-08T07:20:50.8705363Z ] 2024-10-08T07:20:50.8705817Z }, 2024-10-08T07:20:50.8706305Z "exploit": "Unproven", 2024-10-08T07:20:50.8707088Z "fixedIn": [ 2024-10-08T07:20:50.8707671Z "3.0.24" 2024-10-08T07:20:50.8708092Z ], 2024-10-08T07:20:50.8708538Z "patches": [], 2024-10-08T07:20:50.8709137Z "insights": { 2024-10-08T07:20:50.8709608Z "triageAdvice": null 2024-10-08T07:20:50.8710151Z }, 2024-10-08T07:20:50.8710673Z "language": "java", 2024-10-08T07:20:50.8711367Z "severity": "medium", 2024-10-08T07:20:50.8711872Z "cvssScore": 4.3, 2024-10-08T07:20:50.8712484Z "functions": [ 2024-10-08T07:20:50.8712956Z { 2024-10-08T07:20:50.8713515Z "version": [ 2024-10-08T07:20:50.8714104Z "(1.5.3,3.0.24)" 2024-10-08T07:20:50.8714638Z ], 2024-10-08T07:20:50.8715198Z "functionId": { 2024-10-08T07:20:50.8715894Z "filePath": "org/codehaus/plexus/util/xml/XmlWriterUtil.java", 2024-10-08T07:20:50.8716754Z "className": "XmlWriterUtil", 2024-10-08T07:20:50.8717531Z "functionName": "writeComment" 2024-10-08T07:20:50.8718204Z } 2024-10-08T07:20:50.8718614Z } 2024-10-08T07:20:50.8719160Z ], 2024-10-08T07:20:50.8719625Z "malicious": false, 2024-10-08T07:20:50.8720136Z "isDisputed": false, 2024-10-08T07:20:50.8720990Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8721728Z "references": [ 2024-10-08T07:20:50.8722243Z { 2024-10-08T07:20:50.8723678Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de", 2024-10-08T07:20:50.8724906Z "title": "GitHub Commit" 2024-10-08T07:20:50.8725533Z }, 2024-10-08T07:20:50.8726066Z { 2024-10-08T07:20:50.8726864Z "url": "https://github.com/codehaus-plexus/plexus-utils/issues/3", 2024-10-08T07:20:50.8727779Z "title": "GitHub Issue" 2024-10-08T07:20:50.8728441Z } 2024-10-08T07:20:50.8728908Z ], 2024-10-08T07:20:50.8729324Z "cvssDetails": [ 2024-10-08T07:20:50.8729916Z { 2024-10-08T07:20:50.8730413Z "assigner": "NVD", 2024-10-08T07:20:50.8730964Z "severity": "medium", 2024-10-08T07:20:50.8731828Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8732695Z "cvssV3BaseScore": 4.3, 2024-10-08T07:20:50.8733800Z "modificationTime": "2024-03-11T09:53:38.966298Z" 2024-10-08T07:20:50.8734577Z }, 2024-10-08T07:20:50.8735058Z { 2024-10-08T07:20:50.8735528Z "assigner": "Red Hat", 2024-10-08T07:20:50.8736248Z "severity": "medium", 2024-10-08T07:20:50.8736995Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8737833Z "cvssV3BaseScore": 4.3, 2024-10-08T07:20:50.8738752Z "modificationTime": "2024-03-11T09:53:59.734097Z" 2024-10-08T07:20:50.8739419Z } 2024-10-08T07:20:50.8739862Z ], 2024-10-08T07:20:50.8740434Z "cvssSources": [ 2024-10-08T07:20:50.8740962Z { 2024-10-08T07:20:50.8741392Z "type": "primary", 2024-10-08T07:20:50.8742292Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U", 2024-10-08T07:20:50.8743171Z "assigner": "Snyk", 2024-10-08T07:20:50.8744182Z "severity": "medium", 2024-10-08T07:20:50.8744775Z "baseScore": 4.3, 2024-10-08T07:20:50.8745363Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8746282Z "modificationTime": "2024-03-06T14:09:20.690133Z" 2024-10-08T07:20:50.8746958Z }, 2024-10-08T07:20:50.8747402Z { 2024-10-08T07:20:50.8747975Z "type": "secondary", 2024-10-08T07:20:50.8748710Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8749594Z "assigner": "NVD", 2024-10-08T07:20:50.8750240Z "severity": "medium", 2024-10-08T07:20:50.8750844Z "baseScore": 4.3, 2024-10-08T07:20:50.8751438Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8752268Z "modificationTime": "2024-03-11T09:53:38.966298Z" 2024-10-08T07:20:50.8753237Z }, 2024-10-08T07:20:50.8753978Z { 2024-10-08T07:20:50.8754498Z "type": "secondary", 2024-10-08T07:20:50.8755253Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:20:50.8756035Z "assigner": "Red Hat", 2024-10-08T07:20:50.8756719Z "severity": "medium", 2024-10-08T07:20:50.8757453Z "baseScore": 4.3, 2024-10-08T07:20:50.8758036Z "cvssVersion": "3.1", 2024-10-08T07:20:50.8758946Z "modificationTime": "2024-03-11T09:53:59.734097Z" 2024-10-08T07:20:50.8759685Z } 2024-10-08T07:20:50.8760085Z ], 2024-10-08T07:20:50.8767545Z "description": "## Overview\n[org.codehaus.plexus:plexus-utils](https://mvnrepository.com/artifact/org.codehaus.plexus/plexus-utils) is a collection of various utility classes to ease working with strings, files, command lines, XML and more.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `-->` sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.\n## Remediation\nUpgrade `org.codehaus.plexus:plexus-utils` to version 3.0.24 or higher.\n## References\n- [GitHub Commit](https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de)\n- [GitHub Issue](https://github.com/codehaus-plexus/plexus-utils/issues/3)\n", 2024-10-08T07:20:50.8773885Z "epssDetails": { 2024-10-08T07:20:50.8774560Z "percentile": "0.30216", 2024-10-08T07:20:50.8775169Z "probability": "0.00067", 2024-10-08T07:20:50.8775787Z "modelVersion": "v2023.03.01" 2024-10-08T07:20:50.8776440Z }, 2024-10-08T07:20:50.8776899Z "identifiers": { 2024-10-08T07:20:50.8777419Z "CVE": [ 2024-10-08T07:20:50.8778053Z "CVE-2022-4245" 2024-10-08T07:20:50.8778587Z ], 2024-10-08T07:20:50.8779046Z "CWE": [ 2024-10-08T07:20:50.8779675Z "CWE-91" 2024-10-08T07:20:50.8780115Z ] 2024-10-08T07:20:50.8780552Z }, 2024-10-08T07:20:50.8781247Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8781907Z "proprietary": false, 2024-10-08T07:20:50.8782607Z "creationTime": "2019-09-06T15:46:47.546130Z", 2024-10-08T07:20:50.8783567Z "functions_new": [ 2024-10-08T07:20:50.8784076Z { 2024-10-08T07:20:50.8784479Z "version": [ 2024-10-08T07:20:50.8785049Z "(1.5.3,3.0.24)" 2024-10-08T07:20:50.8785545Z ], 2024-10-08T07:20:50.8786006Z "functionId": { 2024-10-08T07:20:50.8786776Z "className": "org.codehaus.plexus.util.xml.XmlWriterUtil", 2024-10-08T07:20:50.8787614Z "functionName": "writeComment" 2024-10-08T07:20:50.8788209Z } 2024-10-08T07:20:50.8788653Z } 2024-10-08T07:20:50.8789078Z ], 2024-10-08T07:20:50.8789516Z "alternativeIds": [], 2024-10-08T07:20:50.8790263Z "disclosureTime": "2015-09-21T15:48:37Z", 2024-10-08T07:20:50.8790887Z "exploitDetails": { 2024-10-08T07:20:50.8791406Z "sources": [ 2024-10-08T07:20:50.8791971Z "Snyk" 2024-10-08T07:20:50.8792429Z ], 2024-10-08T07:20:50.8792818Z "maturityLevels": [ 2024-10-08T07:20:50.8793583Z { 2024-10-08T07:20:50.8794042Z "type": "secondary", 2024-10-08T07:20:50.8794578Z "level": "Not Defined", 2024-10-08T07:20:50.8795291Z "format": "CVSSv3" 2024-10-08T07:20:50.8795801Z }, 2024-10-08T07:20:50.8796327Z { 2024-10-08T07:20:50.8796782Z "type": "primary", 2024-10-08T07:20:50.8797349Z "level": "Proof of Concept", 2024-10-08T07:20:50.8798020Z "format": "CVSSv4" 2024-10-08T07:20:50.8798527Z } 2024-10-08T07:20:50.8798953Z ] 2024-10-08T07:20:50.8799508Z }, 2024-10-08T07:20:50.8800003Z "packageManager": "maven", 2024-10-08T07:20:50.8800829Z "mavenModuleName": { 2024-10-08T07:20:50.8801546Z "groupId": "org.codehaus.plexus", 2024-10-08T07:20:50.8802317Z "artifactId": "plexus-utils" 2024-10-08T07:20:50.8802940Z }, 2024-10-08T07:20:50.8803755Z "publicationTime": "2019-09-06T15:46:00Z", 2024-10-08T07:20:50.8804492Z "severityBasedOn": "CVSS", 2024-10-08T07:20:50.8805478Z "modificationTime": "2024-03-11T09:53:59.734097Z", 2024-10-08T07:20:50.8806265Z "socialTrendAlert": false, 2024-10-08T07:20:50.8806898Z "severityWithCritical": "medium", 2024-10-08T07:20:50.8807550Z "from": [ 2024-10-08T07:20:50.8808276Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:20:50.8809073Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:20:50.8809887Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:20:50.8810754Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:20:50.8811442Z ], 2024-10-08T07:20:50.8811841Z "upgradePath": [ 2024-10-08T07:20:50.8812428Z false, 2024-10-08T07:20:50.8813090Z "org.apache.maven:maven-embedder@3.5.0", 2024-10-08T07:20:50.8814118Z "org.apache.maven:maven-core@3.5.0", 2024-10-08T07:20:50.8814990Z "org.codehaus.plexus:plexus-utils@3.0.24" 2024-10-08T07:20:50.8815638Z ], 2024-10-08T07:20:50.8816067Z "isUpgradable": true, 2024-10-08T07:20:50.8816654Z "isPatchable": false, 2024-10-08T07:20:50.8817335Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:20:50.8818014Z "version": "1.0.4" 2024-10-08T07:20:50.8818582Z } 2024-10-08T07:20:50.8818930Z ], 2024-10-08T07:20:50.8819328Z "ok": false, 2024-10-08T07:20:50.8819876Z "dependencyCount": 28, 2024-10-08T07:20:50.8820335Z "org": "itsarraj", 2024-10-08T07:20:50.8821468Z "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", 2024-10-08T07:20:50.8822748Z "isPrivate": true, 2024-10-08T07:20:50.8823243Z "licensesPolicy": { 2024-10-08T07:20:50.8823909Z "severities": {}, 2024-10-08T07:20:50.8824482Z "orgLicenseRules": { 2024-10-08T07:20:50.8825047Z "AGPL-1.0": { 2024-10-08T07:20:50.8825685Z "licenseType": "AGPL-1.0", 2024-10-08T07:20:50.8826218Z "severity": "high", 2024-10-08T07:20:50.8826736Z "instructions": "" 2024-10-08T07:20:50.8827327Z }, 2024-10-08T07:20:50.8827759Z "AGPL-3.0": { 2024-10-08T07:20:50.8828304Z "licenseType": "AGPL-3.0", 2024-10-08T07:20:50.8828970Z "severity": "high", 2024-10-08T07:20:50.8829562Z "instructions": "" 2024-10-08T07:20:50.8830077Z }, 2024-10-08T07:20:50.8830674Z "Artistic-1.0": { 2024-10-08T07:20:50.8831322Z "licenseType": "Artistic-1.0", 2024-10-08T07:20:50.8831992Z "severity": "medium", 2024-10-08T07:20:50.8832620Z "instructions": "" 2024-10-08T07:20:50.8833099Z }, 2024-10-08T07:20:50.8833806Z "Artistic-2.0": { 2024-10-08T07:20:50.8834540Z "licenseType": "Artistic-2.0", 2024-10-08T07:20:50.8835234Z "severity": "medium", 2024-10-08T07:20:50.8835868Z "instructions": "" 2024-10-08T07:20:50.8836501Z }, 2024-10-08T07:20:50.8837015Z "CDDL-1.0": { 2024-10-08T07:20:50.8837645Z "licenseType": "CDDL-1.0", 2024-10-08T07:20:50.8838359Z "severity": "medium", 2024-10-08T07:20:50.8838962Z "instructions": "" 2024-10-08T07:20:50.8839532Z }, 2024-10-08T07:20:50.8840169Z "CPOL-1.02": { 2024-10-08T07:20:50.8840844Z "licenseType": "CPOL-1.02", 2024-10-08T07:20:50.8841435Z "severity": "high", 2024-10-08T07:20:50.8842092Z "instructions": "" 2024-10-08T07:20:50.8842660Z }, 2024-10-08T07:20:50.8843158Z "EPL-1.0": { 2024-10-08T07:20:50.8844007Z "licenseType": "EPL-1.0", 2024-10-08T07:20:50.8844638Z "severity": "medium", 2024-10-08T07:20:50.8845225Z "instructions": "" 2024-10-08T07:20:50.8845857Z }, 2024-10-08T07:20:50.8846357Z "GPL-2.0": { 2024-10-08T07:20:50.8847193Z "licenseType": "GPL-2.0", 2024-10-08T07:20:50.8847906Z "severity": "high", 2024-10-08T07:20:50.8848438Z "instructions": "" 2024-10-08T07:20:50.8849000Z }, 2024-10-08T07:20:50.8849572Z "GPL-3.0": { 2024-10-08T07:20:50.8850105Z "licenseType": "GPL-3.0", 2024-10-08T07:20:50.8850735Z "severity": "high", 2024-10-08T07:20:50.8851530Z "instructions": "" 2024-10-08T07:20:50.8852106Z }, 2024-10-08T07:20:50.8852561Z "LGPL-2.0": { 2024-10-08T07:20:50.8853244Z "licenseType": "LGPL-2.0", 2024-10-08T07:20:50.8854056Z "severity": "medium", 2024-10-08T07:20:50.8854703Z "instructions": "" 2024-10-08T07:20:50.8855203Z }, 2024-10-08T07:20:50.8855730Z "LGPL-2.1": { 2024-10-08T07:20:50.8856384Z "licenseType": "LGPL-2.1", 2024-10-08T07:20:50.8856958Z "severity": "medium", 2024-10-08T07:20:50.8857553Z "instructions": "" 2024-10-08T07:20:50.8858159Z }, 2024-10-08T07:20:50.8858685Z "LGPL-3.0": { 2024-10-08T07:20:50.8859230Z "licenseType": "LGPL-3.0", 2024-10-08T07:20:50.8859909Z "severity": "medium", 2024-10-08T07:20:50.8860519Z "instructions": "" 2024-10-08T07:20:50.8861014Z }, 2024-10-08T07:20:50.8861570Z "MPL-1.1": { 2024-10-08T07:20:50.8862164Z "licenseType": "MPL-1.1", 2024-10-08T07:20:50.8862773Z "severity": "medium", 2024-10-08T07:20:50.8863552Z "instructions": "" 2024-10-08T07:20:50.8864154Z }, 2024-10-08T07:20:50.8864712Z "MPL-2.0": { 2024-10-08T07:20:50.8865358Z "licenseType": "MPL-2.0", 2024-10-08T07:20:50.8866060Z "severity": "medium", 2024-10-08T07:20:50.8866687Z "instructions": "" 2024-10-08T07:20:50.8867357Z }, 2024-10-08T07:20:50.8867843Z "MS-RL": { 2024-10-08T07:20:50.8868468Z "licenseType": "MS-RL", 2024-10-08T07:20:50.8869222Z "severity": "medium", 2024-10-08T07:20:50.8869810Z "instructions": "" 2024-10-08T07:20:50.8870299Z }, 2024-10-08T07:20:50.8870918Z "SimPL-2.0": { 2024-10-08T07:20:50.8871516Z "licenseType": "SimPL-2.0", 2024-10-08T07:20:50.8872081Z "severity": "high", 2024-10-08T07:20:50.8873579Z "instructions": "" 2024-10-08T07:20:50.8874128Z } 2024-10-08T07:20:50.8874576Z } 2024-10-08T07:20:50.8875027Z }, 2024-10-08T07:20:50.8875489Z "packageManager": "maven", 2024-10-08T07:20:50.8876318Z "projectId": "585b6b28-57da-4dbb-bda8-0387c1c59e27", 2024-10-08T07:20:50.8877092Z "ignoreSettings": { 2024-10-08T07:20:50.8877624Z "adminOnly": false, 2024-10-08T07:20:50.8878183Z "reasonRequired": false, 2024-10-08T07:20:50.8878871Z "disregardFilesystemIgnores": false 2024-10-08T07:20:50.8879469Z }, 2024-10-08T07:20:50.8880026Z "summary": "4 vulnerable dependency paths", 2024-10-08T07:20:50.8880788Z "remediation": { 2024-10-08T07:20:50.8881314Z "unresolved": [], 2024-10-08T07:20:50.8881787Z "upgrade": { 2024-10-08T07:20:50.8882506Z "org.apache.maven:maven-embedder@2.0": { 2024-10-08T07:20:50.8883615Z "upgradeTo": "org.apache.maven:maven-embedder@3.8.1", 2024-10-08T07:20:50.8884348Z "upgrades": [ 2024-10-08T07:20:50.8885090Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:20:50.8885951Z "org.codehaus.plexus:plexus-utils@1.0.4", 2024-10-08T07:20:50.8886946Z "org.codehaus.plexus:plexus-utils@1.0.4", 2024-10-08T07:20:50.8887776Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:20:50.8888469Z ], 2024-10-08T07:20:50.8888974Z "vulns": [ 2024-10-08T07:20:50.8889647Z "SNYK-JAVA-ORGAPACHEMAVEN-6144614", 2024-10-08T07:20:50.8890451Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-31521", 2024-10-08T07:20:50.8891383Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-461102", 2024-10-08T07:20:50.8892263Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-31522" 2024-10-08T07:20:50.8892936Z ] 2024-10-08T07:20:50.8893567Z } 2024-10-08T07:20:50.8894020Z }, 2024-10-08T07:20:50.8894454Z "patch": {}, 2024-10-08T07:20:50.8895217Z "ignore": {}, 2024-10-08T07:20:50.8895708Z "pin": {} 2024-10-08T07:20:50.8896150Z }, 2024-10-08T07:20:50.8896700Z "filesystemPolicy": false, 2024-10-08T07:20:50.8897231Z "filtered": { 2024-10-08T07:20:50.8897694Z "ignore": [], 2024-10-08T07:20:50.8898261Z "patch": [] 2024-10-08T07:20:50.8898676Z }, 2024-10-08T07:20:50.8899134Z "uniqueCount": 4, 2024-10-08T07:20:50.8899945Z "projectName": "jenkins.mvn.demo:mvnwebapp", 2024-10-08T07:20:50.8900673Z "foundProjectCount": 1, 2024-10-08T07:20:50.8901252Z "displayTargetFile": "pom.xml", 2024-10-08T07:20:50.8901966Z "hasUnknownVersions": false, 2024-10-08T07:20:50.8902679Z "path": "/home/runner/work/PRBotCheck/PRBotCheck" 2024-10-08T07:20:50.8903501Z } 2024-10-08T07:20:54.5758742Z 2024-10-08T07:20:54.5760433Z Monitoring /home/runner/work/PRBotCheck/PRBotCheck/package-lock.json... 2024-10-08T07:20:54.5761390Z 2024-10-08T07:20:54.5763114Z Dependency express was not found in package-lock.json. Your package.json and package-lock.json are probably out of sync. Please run "npm install" and try again. 2024-10-08T07:20:54.5764929Z 2024-10-08T07:20:54.5765372Z ------------------------------------------------------- 2024-10-08T07:20:54.5765852Z 2024-10-08T07:20:54.5766424Z Monitoring /home/runner/work/PRBotCheck/PRBotCheck (jenkins.mvn.demo:mvnwebapp)... 2024-10-08T07:20:54.5767308Z 2024-10-08T07:20:54.5768172Z Explore this snapshot at https://app.snyk.io/org/itsarraj/project/585b6b28-57da-4dbb-bda8-0387c1c59e27/history/d4f76239-6d18-41c5-ab9e-5ba8f3c3eac0 2024-10-08T07:20:54.5769082Z 2024-10-08T07:20:54.5769484Z Notifications about newly disclosed issues related to these dependencies will be emailed to you. 2024-10-08T07:20:54.5770012Z 2024-10-08T07:20:54.5784817Z 2024-10-08T07:20:54.5785672Z You have reached your monthly limit of 200 private tests for your itsarraj org. 2024-10-08T07:20:54.5786865Z To learn more about our plans and increase your tests limit visit https://snyk.io/plans. 2024-10-08T07:20:54.8458461Z Post job cleanup. 2024-10-08T07:20:54.9170021Z [command]/usr/bin/git version 2024-10-08T07:20:54.9203721Z git version 2.46.1 2024-10-08T07:20:54.9245643Z Temporarily overriding HOME='/home/runner/work/_temp/8c4daa25-9381-4546-b195-07ff2ea830cd' before making global git config changes 2024-10-08T07:20:54.9246755Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:20:54.9248706Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:20:54.9279179Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand 2024-10-08T07:20:54.9307973Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:20:54.9599974Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader 2024-10-08T07:20:54.9620224Z http.https://github.com/.extraheader 2024-10-08T07:20:54.9631567Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader 2024-10-08T07:20:54.9660026Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:20:55.0116387Z Cleaning up orphan processesPlease consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components. |
Hey @itsarraj0test 👋, Thanks for contributing the new Pull Request !! Secrets Bot2024-10-08T07:22:01.3933606Z Current runner version: '2.320.0' 2024-10-08T07:22:01.3965768Z ##[group]Operating System 2024-10-08T07:22:01.3966438Z Ubuntu 2024-10-08T07:22:01.3966772Z 22.04.5 2024-10-08T07:22:01.3967130Z LTS 2024-10-08T07:22:01.3967484Z ##[endgroup] 2024-10-08T07:22:01.3967860Z ##[group]Runner Image 2024-10-08T07:22:01.3968304Z Image: ubuntu-22.04 2024-10-08T07:22:01.3968716Z Version: 20240922.1.0 2024-10-08T07:22:01.3969696Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240922.1/images/ubuntu/Ubuntu2204-Readme.md 2024-10-08T07:22:01.3971134Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240922.1 2024-10-08T07:22:01.3972004Z ##[endgroup] 2024-10-08T07:22:01.3972390Z ##[group]Runner Image Provisioner 2024-10-08T07:22:01.3973123Z 2.0.384.1 2024-10-08T07:22:01.3973470Z ##[endgroup] 2024-10-08T07:22:01.3988522Z ##[group]GITHUB_TOKEN Permissions 2024-10-08T07:22:01.3990113Z Issues: write 2024-10-08T07:22:01.3990647Z Metadata: read 2024-10-08T07:22:01.3991203Z PullRequests: write 2024-10-08T07:22:01.3991781Z ##[endgroup] 2024-10-08T07:22:01.3995005Z Secret source: Actions 2024-10-08T07:22:01.3995618Z Prepare workflow directory 2024-10-08T07:22:01.4658633Z Prepare all required actions 2024-10-08T07:22:01.4858551Z Getting action download info 2024-10-08T07:22:01.6823943Z Download action repository 'actions/checkout@v3' (SHA:f43a0e5ff2bd294095638e18286ca9a3d1956744) 2024-10-08T07:22:01.8204631Z Download action repository 'trufflesecurity/TruffleHog-Enterprise-Github-Action@main' (SHA:896eb9c43cebe80ae73e5aa5948595121ac7229c) 2024-10-08T07:22:02.5067312Z Complete job name: TruffleHog Bot scan 2024-10-08T07:22:02.5679154Z ##[group]Build container for action use: '/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main/Dockerfile'. 2024-10-08T07:22:02.5736912Z ##[command]/usr/bin/docker build -t 11c2e5:32e49691a9e445329b2219b5b949a33d -f "/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main/Dockerfile" "/home/runner/work/_actions/trufflesecurity/TruffleHog-Enterprise-Github-Action/main" 2024-10-08T07:22:03.1633730Z #0 building with "default" instance using docker driver 2024-10-08T07:22:03.1634422Z 2024-10-08T07:22:03.1634803Z #1 [internal] load build definition from Dockerfile 2024-10-08T07:22:03.1635659Z #1 transferring dockerfile: 153B done 2024-10-08T07:22:03.1636210Z #1 DONE 0.0s 2024-10-08T07:22:03.1636428Z 2024-10-08T07:22:03.1636998Z #2 [internal] load metadata for us-docker.pkg.dev/thog-artifacts/public/scanner:latest 2024-10-08T07:22:03.9616202Z #2 DONE 0.9s 2024-10-08T07:22:04.0811224Z 2024-10-08T07:22:04.0812195Z #3 [internal] load .dockerignore 2024-10-08T07:22:04.0813364Z #3 transferring context: 2B done 2024-10-08T07:22:04.0813888Z #3 DONE 0.0s 2024-10-08T07:22:04.0814121Z 2024-10-08T07:22:04.0814275Z #4 [internal] load build context 2024-10-08T07:22:04.0814830Z #4 transferring context: 112B done 2024-10-08T07:22:04.0815260Z #4 DONE 0.0s 2024-10-08T07:22:04.0815478Z 2024-10-08T07:22:04.0816149Z #5 [1/2] FROM us-docker.pkg.dev/thog-artifacts/public/scanner:latest@sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 2024-10-08T07:22:04.0818266Z #5 resolve us-docker.pkg.dev/thog-artifacts/public/scanner:latest@sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 done 2024-10-08T07:22:04.0820201Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0B / 10.43MB 0.1s 2024-10-08T07:22:04.0821135Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 0B / 70.83MB 0.1s 2024-10-08T07:22:04.0822125Z #5 sha256:3ddf1817b36313e28549c98fae955474c963929488c2762a3e17d8cd9ad7f7d1 743B / 743B done 2024-10-08T07:22:04.0823215Z #5 sha256:6d9d40a1eb71b3a08e69ca6dff5dc75a671389eacefdb46fe572b48990c1777f 1.16kB / 1.16kB done 2024-10-08T07:22:04.0824109Z #5 sha256:73e5984d21eba9ed309a98a73bea0f5005954f47397b7ebf5ee5fdfe62c1b2b3 1.84kB / 1.84kB done 2024-10-08T07:22:04.0825131Z #5 sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 0B / 3.63MB 0.1s 2024-10-08T07:22:04.4131883Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 5.24MB / 70.83MB 0.4s 2024-10-08T07:22:04.4134771Z #5 sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 3.63MB / 3.63MB 0.4s done 2024-10-08T07:22:04.4137244Z #5 extracting sha256:32b772fa507186eddade1aa8a0f01f5ceacba1fa94a5bb968eb355ac417baca3 0.1s done 2024-10-08T07:22:04.4138808Z #5 sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 0B / 184B 0.4s 2024-10-08T07:22:04.5803497Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 1.05MB / 10.43MB 0.6s 2024-10-08T07:22:04.5804576Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 31.46MB / 70.83MB 0.6s 2024-10-08T07:22:04.5805719Z #5 sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 184B / 184B 0.5s done 2024-10-08T07:22:04.7449714Z #5 sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 10.43MB / 10.43MB 0.7s done 2024-10-08T07:22:04.7451850Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 51.38MB / 70.83MB 0.7s 2024-10-08T07:22:04.7453436Z #5 extracting sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0.1s 2024-10-08T07:22:04.8451050Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 70.83MB / 70.83MB 0.8s 2024-10-08T07:22:04.9834658Z #5 sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 70.83MB / 70.83MB 0.8s done 2024-10-08T07:22:04.9836901Z #5 extracting sha256:21ecfc38e68b3aeecee7c524fa165b63cf445f093e3c2197f8099ece79d61f2d 0.2s done 2024-10-08T07:22:04.9839594Z #5 extracting sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 2024-10-08T07:22:05.4731767Z #5 extracting sha256:168a6eafcab8a6ddbd4c7ffa6d817c1b68663a5288cc3e5b96e7a342759a067c 0.3s done 2024-10-08T07:22:05.5499899Z #5 extracting sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 2024-10-08T07:22:05.7553161Z #5 extracting sha256:0beab322d5169c30c34fd495071b4ecda5d29e324dfc70a397df0b13fcce9b61 done 2024-10-08T07:22:05.7553969Z #5 DONE 1.6s 2024-10-08T07:22:05.7554148Z 2024-10-08T07:22:05.7554343Z #6 [2/2] COPY entrypoint.sh /entrypoint.sh 2024-10-08T07:22:05.7554905Z #6 DONE 0.0s 2024-10-08T07:22:05.7555072Z 2024-10-08T07:22:05.7555228Z #7 exporting to image 2024-10-08T07:22:05.7555538Z #7 exporting layers 2024-10-08T07:22:06.0046023Z #7 exporting layers 0.4s done 2024-10-08T07:22:06.0496137Z #7 writing image sha256:7d42ff61114804759733897b416c24ec8654b20ac3ce7fbe6d3fe3315bb9f080 done 2024-10-08T07:22:06.0497878Z #7 naming to docker.io/library/11c2e5:32e49691a9e445329b2219b5b949a33d done 2024-10-08T07:22:06.0498765Z #7 DONE 0.4s 2024-10-08T07:22:06.0554274Z ##[endgroup] 2024-10-08T07:22:06.0960376Z ##[group]Run actions/checkout@v3 2024-10-08T07:22:06.0960944Z with: 2024-10-08T07:22:06.0961286Z fetch-depth: 0 2024-10-08T07:22:06.0961616Z repository: itsarraj/PRBotCheck 2024-10-08T07:22:06.0962265Z token: *** 2024-10-08T07:22:06.0962846Z ssh-strict: true 2024-10-08T07:22:06.0963313Z persist-credentials: true 2024-10-08T07:22:06.0963744Z clean: true 2024-10-08T07:22:06.0964100Z sparse-checkout-cone-mode: true 2024-10-08T07:22:06.0964492Z fetch-tags: false 2024-10-08T07:22:06.0964860Z lfs: false 2024-10-08T07:22:06.0965174Z submodules: false 2024-10-08T07:22:06.0965519Z set-safe-directory: true 2024-10-08T07:22:06.0965930Z ##[endgroup] 2024-10-08T07:22:06.3735337Z Syncing repository: itsarraj/PRBotCheck 2024-10-08T07:22:06.3737029Z ##[group]Getting Git version info 2024-10-08T07:22:06.3737916Z Working directory is '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:22:06.3739169Z [command]/usr/bin/git version 2024-10-08T07:22:06.3739682Z git version 2.46.1 2024-10-08T07:22:06.3741106Z ##[endgroup] 2024-10-08T07:22:06.3753180Z Temporarily overriding HOME='/home/runner/work/_temp/dbc75818-dd74-4f10-bd59-18cfb844dfdc' before making global git config changes 2024-10-08T07:22:06.3754247Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:22:06.3755648Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:06.3776567Z Deleting the contents of '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:22:06.3779869Z ##[group]Initializing the repository 2024-10-08T07:22:06.3782929Z [command]/usr/bin/git init /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:06.3867858Z hint: Using 'master' as the name for the initial branch. This default branch name 2024-10-08T07:22:06.3868647Z hint: is subject to change. To configure the initial branch name to use in all 2024-10-08T07:22:06.3869439Z hint: of your new repositories, which will suppress this warning, call: 2024-10-08T07:22:06.3870064Z hint: 2024-10-08T07:22:06.3870538Z hint: git config --global init.defaultBranch 2024-10-08T07:22:06.3870969Z hint: 2024-10-08T07:22:06.3871543Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and 2024-10-08T07:22:06.3872415Z hint: 'development'. The just-created branch can be renamed via this command: 2024-10-08T07:22:06.3873231Z hint: 2024-10-08T07:22:06.3873681Z hint: git branch -m 2024-10-08T07:22:06.3878395Z Initialized empty Git repository in /home/runner/work/PRBotCheck/PRBotCheck/.git/ 2024-10-08T07:22:06.3886664Z [command]/usr/bin/git remote add origin https://github.com/itsarraj/PRBotCheck 2024-10-08T07:22:06.3918758Z ##[endgroup] 2024-10-08T07:22:06.3919397Z ##[group]Disabling automatic garbage collection 2024-10-08T07:22:06.3921703Z [command]/usr/bin/git config --local gc.auto 0 2024-10-08T07:22:06.3947286Z ##[endgroup] 2024-10-08T07:22:06.3947950Z ##[group]Setting up auth 2024-10-08T07:22:06.3952880Z [command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand 2024-10-08T07:22:06.3978994Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:22:06.4386520Z [command]/usr/bin/git config --local --name-only --get-regexp http.https://github.com/.extraheader 2024-10-08T07:22:06.4412816Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http.https://github.com/.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:22:06.4638237Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic *** 2024-10-08T07:22:06.4671836Z ##[endgroup] 2024-10-08T07:22:06.4672954Z ##[group]Fetching the repository 2024-10-08T07:22:06.4681041Z [command]/usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/:refs/remotes/origin/ +refs/tags/:refs/tags/ 2024-10-08T07:22:06.9230708Z remote: Enumerating objects: 32, done. 2024-10-08T07:22:06.9232190Z remote: Counting objects: 3% (1/32) 2024-10-08T07:22:06.9233483Z remote: Counting objects: 6% (2/32) 2024-10-08T07:22:06.9239258Z remote: Counting objects: 9% (3/32) 2024-10-08T07:22:06.9240409Z remote: Counting objects: 12% (4/32) 2024-10-08T07:22:06.9241393Z remote: Counting objects: 15% (5/32) 2024-10-08T07:22:06.9242506Z remote: Counting objects: 18% (6/32) 2024-10-08T07:22:06.9243709Z remote: Counting objects: 21% (7/32) 2024-10-08T07:22:06.9244619Z remote: Counting objects: 25% (8/32) 2024-10-08T07:22:06.9245582Z remote: Counting objects: 28% (9/32) 2024-10-08T07:22:06.9246481Z remote: Counting objects: 31% (10/32) 2024-10-08T07:22:06.9247347Z remote: Counting objects: 34% (11/32) 2024-10-08T07:22:06.9248343Z remote: Counting objects: 37% (12/32) 2024-10-08T07:22:06.9249343Z remote: Counting objects: 40% (13/32) 2024-10-08T07:22:06.9250218Z remote: Counting objects: 43% (14/32) 2024-10-08T07:22:06.9251183Z remote: Counting objects: 46% (15/32) 2024-10-08T07:22:06.9252327Z remote: Counting objects: 50% (16/32) 2024-10-08T07:22:06.9253339Z remote: Counting objects: 53% (17/32) 2024-10-08T07:22:06.9254310Z remote: Counting objects: 56% (18/32) 2024-10-08T07:22:06.9255064Z remote: Counting objects: 59% (19/32) 2024-10-08T07:22:06.9255857Z remote: Counting objects: 62% (20/32) 2024-10-08T07:22:06.9256798Z remote: Counting objects: 65% (21/32) 2024-10-08T07:22:06.9257554Z remote: Counting objects: 68% (22/32) 2024-10-08T07:22:06.9258343Z remote: Counting objects: 71% (23/32) 2024-10-08T07:22:06.9259347Z remote: Counting objects: 75% (24/32) 2024-10-08T07:22:06.9260127Z remote: Counting objects: 78% (25/32) 2024-10-08T07:22:06.9261003Z remote: Counting objects: 81% (26/32) 2024-10-08T07:22:06.9261870Z remote: Counting objects: 84% (27/32) 2024-10-08T07:22:06.9262313Z remote: Counting objects: 87% (28/32) 2024-10-08T07:22:06.9263022Z remote: Counting objects: 90% (29/32) 2024-10-08T07:22:06.9263800Z remote: Counting objects: 93% (30/32) 2024-10-08T07:22:06.9264509Z remote: Counting objects: 96% (31/32) 2024-10-08T07:22:06.9265299Z remote: Counting objects: 100% (32/32) 2024-10-08T07:22:06.9266221Z remote: Counting objects: 100% (32/32), done. 2024-10-08T07:22:06.9266774Z remote: Compressing objects: 4% (1/22) 2024-10-08T07:22:06.9267280Z remote: Compressing objects: 9% (2/22) 2024-10-08T07:22:06.9267850Z remote: Compressing objects: 13% (3/22) 2024-10-08T07:22:06.9268328Z remote: Compressing objects: 18% (4/22) 2024-10-08T07:22:06.9268787Z remote: Compressing objects: 22% (5/22) 2024-10-08T07:22:06.9269343Z remote: Compressing objects: 27% (6/22) 2024-10-08T07:22:06.9269822Z remote: Compressing objects: 31% (7/22) 2024-10-08T07:22:06.9270272Z remote: Compressing objects: 36% (8/22) 2024-10-08T07:22:06.9270821Z remote: Compressing objects: 40% (9/22) 2024-10-08T07:22:06.9271323Z remote: Compressing objects: 45% (10/22) 2024-10-08T07:22:06.9271775Z remote: Compressing objects: 50% (11/22) 2024-10-08T07:22:06.9272317Z remote: Compressing objects: 54% (12/22) 2024-10-08T07:22:06.9273017Z remote: Compressing objects: 59% (13/22) 2024-10-08T07:22:06.9273457Z remote: Compressing objects: 63% (14/22) 2024-10-08T07:22:06.9274053Z remote: Compressing objects: 68% (15/22) 2024-10-08T07:22:06.9274547Z remote: Compressing objects: 72% (16/22) 2024-10-08T07:22:06.9274982Z remote: Compressing objects: 77% (17/22) 2024-10-08T07:22:06.9275525Z remote: Compressing objects: 81% (18/22) 2024-10-08T07:22:06.9276209Z remote: Compressing objects: 86% (19/22) 2024-10-08T07:22:06.9276661Z remote: Compressing objects: 90% (20/22) 2024-10-08T07:22:06.9277230Z remote: Compressing objects: 95% (21/22) 2024-10-08T07:22:06.9277705Z remote: Compressing objects: 100% (22/22) 2024-10-08T07:22:06.9278179Z remote: Compressing objects: 100% (22/22), done. 2024-10-08T07:22:06.9279146Z remote: Total 32 (delta 12), reused 25 (delta 5), pack-reused 0 (from 0) 2024-10-08T07:22:06.9359333Z From https://github.com/itsarraj/PRBotCheck 2024-10-08T07:22:06.9360458Z * [new branch] master -> origin/master 2024-10-08T07:22:06.9395384Z [command]/usr/bin/git branch --list --remote origin/master 2024-10-08T07:22:06.9418864Z origin/master 2024-10-08T07:22:06.9429921Z [command]/usr/bin/git rev-parse refs/remotes/origin/master 2024-10-08T07:22:06.9452581Z 62868f4 2024-10-08T07:22:06.9458315Z ##[endgroup] 2024-10-08T07:22:06.9459310Z ##[group]Determining the checkout info 2024-10-08T07:22:06.9460250Z ##[endgroup] 2024-10-08T07:22:06.9460852Z ##[group]Checking out the ref 2024-10-08T07:22:06.9463240Z [command]/usr/bin/git checkout --progress --force -B master refs/remotes/origin/master 2024-10-08T07:22:06.9510003Z Reset branch 'master' 2024-10-08T07:22:06.9513496Z branch 'master' set up to track 'origin/master'. 2024-10-08T07:22:06.9518736Z ##[endgroup] 2024-10-08T07:22:06.9550280Z [command]/usr/bin/git log -1 --format='%H' 2024-10-08T07:22:06.9570955Z '62868f47b40a795a4d99b3e3ddec9e6e76e772f0' 2024-10-08T07:22:06.9875380Z ##[group]Run trufflesecurity/TruffleHog-Enterprise-Github-Action@main 2024-10-08T07:22:06.9875940Z with: 2024-10-08T07:22:06.9876281Z args: --fail-verified master HEAD --json 2024-10-08T07:22:06.9876790Z ##[endgroup] 2024-10-08T07:22:07.0093522Z ##[command]/usr/bin/docker run --name c2e532e49691a9e445329b2219b5b949a33d_34340b --label 11c2e5 --workdir /github/workspace --rm -e "INPUT_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/PRBotCheck/PRBotCheck":"/github/workspace" 11c2e5:32e49691a9e445329b2219b5b949a33d "--fail-verified master HEAD --json" 2024-10-08T07:22:09.3562267Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"running trufflehog","pid":"AIE2h","version":"v1.90.20"} 2024-10-08T07:22:09.3563417Z 2024-10-08T07:22:09.3564921Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"log level set","pid":"AIE2h","version":"v1.90.20","level":0} 2024-10-08T07:22:09.3567205Z 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 2024-10-08T07:22:09.3567790Z version: v1.90.20 2024-10-08T07:22:09.3568080Z 2024-10-08T07:22:09.3569409Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"resolved base reference","pid":"AIE2h","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:22:09.3572325Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"resolved head reference","pid":"AIE2h","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:22:09.3574295Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"resolved common merge base between references","pid":"AIE2h","version":"v1.90.20","commit":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:22:09.3576393Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"scanning repo","pid":"AIE2h","version":"v1.90.20","repo":"https://github.com/itsarraj/PRBotCheck","base":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0","head":"62868f47b40a795a4d99b3e3ddec9e6e76e772f0"} 2024-10-08T07:22:09.3619252Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"finished scanning commits","pid":"AIE2h","version":"v1.90.20","commits_scanned":0} 2024-10-08T07:22:09.3620987Z {"level":"info-0","ts":"2024-10-08T07:22:09Z","logger":"thog/scanner","msg":"no secrets found","pid":"AIE2h","version":"v1.90.20"} 2024-10-08T07:22:09.4592183Z Post job cleanup. 2024-10-08T07:22:09.5301024Z [command]/usr/bin/git version 2024-10-08T07:22:09.5334751Z git version 2.46.1 2024-10-08T07:22:09.5376791Z Temporarily overriding HOME='/home/runner/work/_temp/76d6e1e7-26b2-42ad-9a10-9fd09d9b37b5' before making global git config changes 2024-10-08T07:22:09.5380398Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:22:09.5381459Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:09.5410319Z [command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand 2024-10-08T07:22:09.5438441Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:22:09.5670257Z [command]/usr/bin/git config --local --name-only --get-regexp http.https://github.com/.extraheader 2024-10-08T07:22:09.5690120Z http.https://github.com/.extraheader 2024-10-08T07:22:09.5702268Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader 2024-10-08T07:22:09.5731929Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http.https://github.com/.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:22:09.6152317Z Cleaning up orphan processes SCA Bot2024-10-08T07:22:00.2446774Z Current runner version: '2.320.0' 2024-10-08T07:22:00.2471311Z ##[group]Operating System 2024-10-08T07:22:00.2472111Z Ubuntu 2024-10-08T07:22:00.2472643Z 22.04.5 2024-10-08T07:22:00.2472975Z LTS 2024-10-08T07:22:00.2473394Z ##[endgroup] 2024-10-08T07:22:00.2473768Z ##[group]Runner Image 2024-10-08T07:22:00.2474193Z Image: ubuntu-22.04 2024-10-08T07:22:00.2474674Z Version: 20240922.1.0 2024-10-08T07:22:00.2475622Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240922.1/images/ubuntu/Ubuntu2204-Readme.md 2024-10-08T07:22:00.2477059Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240922.1 2024-10-08T07:22:00.2477994Z ##[endgroup] 2024-10-08T07:22:00.2478388Z ##[group]Runner Image Provisioner 2024-10-08T07:22:00.2478847Z 2.0.384.1 2024-10-08T07:22:00.2479239Z ##[endgroup] 2024-10-08T07:22:00.2495134Z ##[group]GITHUB_TOKEN Permissions 2024-10-08T07:22:00.2496814Z Issues: write 2024-10-08T07:22:00.2497263Z Metadata: read 2024-10-08T07:22:00.2497946Z PullRequests: write 2024-10-08T07:22:00.2498559Z ##[endgroup] 2024-10-08T07:22:00.2501662Z Secret source: Actions 2024-10-08T07:22:00.2502436Z Prepare workflow directory 2024-10-08T07:22:00.3160556Z Prepare all required actions 2024-10-08T07:22:00.3327262Z Getting action download info 2024-10-08T07:22:00.4662774Z Download action repository 'actions/checkout@v3' (SHA:f43a0e5ff2bd294095638e18286ca9a3d1956744) 2024-10-08T07:22:00.6894923Z Complete job name: Snyk Bot scan 2024-10-08T07:22:00.7866660Z ##[group]Run actions/checkout@v3 2024-10-08T07:22:00.7867296Z with: 2024-10-08T07:22:00.7867834Z repository: itsarraj/PRBotCheck 2024-10-08T07:22:00.7868581Z token: *** 2024-10-08T07:22:00.7868993Z ssh-strict: true 2024-10-08T07:22:00.7869531Z persist-credentials: true 2024-10-08T07:22:00.7869954Z clean: true 2024-10-08T07:22:00.7870376Z sparse-checkout-cone-mode: true 2024-10-08T07:22:00.7871005Z fetch-depth: 1 2024-10-08T07:22:00.7871356Z fetch-tags: false 2024-10-08T07:22:00.7871766Z lfs: false 2024-10-08T07:22:00.7872222Z submodules: false 2024-10-08T07:22:00.7872948Z set-safe-directory: true 2024-10-08T07:22:00.7873393Z ##[endgroup] 2024-10-08T07:22:01.0233202Z Syncing repository: itsarraj/PRBotCheck 2024-10-08T07:22:01.0236085Z ##[group]Getting Git version info 2024-10-08T07:22:01.0237407Z Working directory is '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:22:01.0238623Z [command]/usr/bin/git version 2024-10-08T07:22:01.0240330Z git version 2.46.1 2024-10-08T07:22:01.0267915Z ##[endgroup] 2024-10-08T07:22:01.0286735Z Temporarily overriding HOME='/home/runner/work/_temp/801fffff-fecf-4faf-90d6-67d6408682e3' before making global git config changes 2024-10-08T07:22:01.0288390Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:22:01.0290522Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:01.0330938Z Deleting the contents of '/home/runner/work/PRBotCheck/PRBotCheck' 2024-10-08T07:22:01.0335195Z ##[group]Initializing the repository 2024-10-08T07:22:01.0338459Z [command]/usr/bin/git init /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:01.0434318Z hint: Using 'master' as the name for the initial branch. This default branch name 2024-10-08T07:22:01.0435724Z hint: is subject to change. To configure the initial branch name to use in all 2024-10-08T07:22:01.0436999Z hint: of your new repositories, which will suppress this warning, call: 2024-10-08T07:22:01.0438413Z hint: 2024-10-08T07:22:01.0439022Z hint: git config --global init.defaultBranch 2024-10-08T07:22:01.0440096Z hint: 2024-10-08T07:22:01.0441386Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and 2024-10-08T07:22:01.0443464Z hint: 'development'. The just-created branch can be renamed via this command: 2024-10-08T07:22:01.0444723Z hint: 2024-10-08T07:22:01.0445642Z hint: git branch -m 2024-10-08T07:22:01.0446977Z Initialized empty Git repository in /home/runner/work/PRBotCheck/PRBotCheck/.git/ 2024-10-08T07:22:01.0451369Z [command]/usr/bin/git remote add origin https://github.com/itsarraj/PRBotCheck 2024-10-08T07:22:01.0489455Z ##[endgroup] 2024-10-08T07:22:01.0490711Z ##[group]Disabling automatic garbage collection 2024-10-08T07:22:01.0493278Z [command]/usr/bin/git config --local gc.auto 0 2024-10-08T07:22:01.0523501Z ##[endgroup] 2024-10-08T07:22:01.0524961Z ##[group]Setting up auth 2024-10-08T07:22:01.0530686Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand 2024-10-08T07:22:01.0562101Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:22:01.0910251Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader 2024-10-08T07:22:01.0938205Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:22:01.1172875Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic *** 2024-10-08T07:22:01.1207327Z ##[endgroup] 2024-10-08T07:22:01.1208335Z ##[group]Fetching the repository 2024-10-08T07:22:01.1216596Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +62868f47b40a795a4d99b3e3ddec9e6e76e772f0:refs/remotes/origin/master 2024-10-08T07:22:01.2905408Z remote: Enumerating objects: 12, done. 2024-10-08T07:22:01.2906478Z remote: Counting objects: 8% (1/12) 2024-10-08T07:22:01.2907799Z remote: Counting objects: 16% (2/12) 2024-10-08T07:22:01.2908787Z remote: Counting objects: 25% (3/12) 2024-10-08T07:22:01.2909501Z remote: Counting objects: 33% (4/12) 2024-10-08T07:22:01.2910298Z remote: Counting objects: 41% (5/12) 2024-10-08T07:22:01.2911019Z remote: Counting objects: 50% (6/12) 2024-10-08T07:22:01.2911824Z remote: Counting objects: 58% (7/12) 2024-10-08T07:22:01.2912912Z remote: Counting objects: 66% (8/12) 2024-10-08T07:22:01.2913584Z remote: Counting objects: 75% (9/12) 2024-10-08T07:22:01.2914316Z remote: Counting objects: 83% (10/12) 2024-10-08T07:22:01.2915179Z remote: Counting objects: 91% (11/12) 2024-10-08T07:22:01.2915956Z remote: Counting objects: 100% (12/12) 2024-10-08T07:22:01.2916721Z remote: Counting objects: 100% (12/12), done. 2024-10-08T07:22:01.2917697Z remote: Compressing objects: 9% (1/11) 2024-10-08T07:22:01.2918652Z remote: Compressing objects: 18% (2/11) 2024-10-08T07:22:01.2919626Z remote: Compressing objects: 27% (3/11) 2024-10-08T07:22:01.2920244Z remote: Compressing objects: 36% (4/11) 2024-10-08T07:22:01.2921000Z remote: Compressing objects: 45% (5/11) 2024-10-08T07:22:01.2921835Z remote: Compressing objects: 54% (6/11) 2024-10-08T07:22:01.2922844Z remote: Compressing objects: 63% (7/11) 2024-10-08T07:22:01.2923672Z remote: Compressing objects: 72% (8/11) 2024-10-08T07:22:01.2924508Z remote: Compressing objects: 81% (9/11) 2024-10-08T07:22:01.2925290Z remote: Compressing objects: 90% (10/11) 2024-10-08T07:22:01.2926040Z remote: Compressing objects: 100% (11/11) 2024-10-08T07:22:01.2926921Z remote: Compressing objects: 100% (11/11), done. 2024-10-08T07:22:01.2928284Z remote: Total 12 (delta 0), reused 10 (delta 0), pack-reused 0 (from 0) 2024-10-08T07:22:01.3006856Z From https://github.com/itsarraj/PRBotCheck 2024-10-08T07:22:01.3008075Z * [new ref] 62868f4 -> origin/master 2024-10-08T07:22:01.3035650Z ##[endgroup] 2024-10-08T07:22:01.3036395Z ##[group]Determining the checkout info 2024-10-08T07:22:01.3037817Z ##[endgroup] 2024-10-08T07:22:01.3038612Z ##[group]Checking out the ref 2024-10-08T07:22:01.3042594Z [command]/usr/bin/git checkout --progress --force -B master refs/remotes/origin/master 2024-10-08T07:22:01.3091033Z Reset branch 'master' 2024-10-08T07:22:01.3093150Z branch 'master' set up to track 'origin/master'. 2024-10-08T07:22:01.3101188Z ##[endgroup] 2024-10-08T07:22:01.3138546Z [command]/usr/bin/git log -1 --format='%H' 2024-10-08T07:22:01.3163712Z '62868f47b40a795a4d99b3e3ddec9e6e76e772f0' 2024-10-08T07:22:01.3585269Z ##[group]Run rm -rf node_modules 2024-10-08T07:22:01.3585954Z �[36;1mrm -rf node_modules�[0m 2024-10-08T07:22:01.3586443Z �[36;1mrm -f package-lock.json�[0m 2024-10-08T07:22:01.3587064Z �[36;1mnpm install�[0m 2024-10-08T07:22:01.3587639Z �[36;1mecho "Downloading and authenticating Snyk CLI..."�[0m 2024-10-08T07:22:01.3588742Z �[36;1mcurl -Lo ./snyk "https://github.com/snyk/snyk/releases/download/v1.1100.0/snyk-linux"�[0m 2024-10-08T07:22:01.3589674Z �[36;1mchmod +x snyk�[0m 2024-10-08T07:22:01.3590367Z �[36;1m./snyk auth ***�[0m 2024-10-08T07:22:01.3590923Z �[36;1mecho "Running Snyk test and monitor..."�[0m 2024-10-08T07:22:01.3591726Z �[36;1m./snyk test --all-projects --color --json || true�[0m 2024-10-08T07:22:01.3592651Z �[36;1m./snyk monitor --all-projects || true�[0m 2024-10-08T07:22:01.3620885Z shell: /usr/bin/bash -e {0} 2024-10-08T07:22:01.3621401Z ##[endgroup] 2024-10-08T07:22:07.6792984Z npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. 2024-10-08T07:22:07.7594785Z npm warn deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). 2024-10-08T07:22:07.7743006Z npm warn deprecated formatio@1.1.1: This package is unmaintained. Use @sinonjs/formatio instead 2024-10-08T07:22:07.7846980Z npm warn deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam 2024-10-08T07:22:07.7986992Z npm warn deprecated glob@7.1.1: Glob versions prior to v9 are no longer supported 2024-10-08T07:22:07.8049644Z npm warn deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3 2024-10-08T07:22:07.8063406Z npm warn deprecated mkdirp@0.3.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) 2024-10-08T07:22:07.8231901Z npm warn deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) 2024-10-08T07:22:07.9955781Z npm warn deprecated formidable@1.0.11: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau 2024-10-08T07:22:08.0740761Z npm warn deprecated connect@2.6.0: connect 2.x series is deprecated 2024-10-08T07:22:08.0907394Z npm warn deprecated sinon@1.17.0: 16.1.1 2024-10-08T07:22:08.3448719Z 2024-10-08T07:22:08.3449599Z added 112 packages, and audited 113 packages in 7s 2024-10-08T07:22:08.3450581Z 2024-10-08T07:22:08.3450855Z 15 packages are looking for funding 2024-10-08T07:22:08.3451660Z run `npm fund` for details 2024-10-08T07:22:08.3649726Z 2024-10-08T07:22:08.3651016Z 22 vulnerabilities (1 low, 2 moderate, 12 high, 7 critical) 2024-10-08T07:22:08.3651757Z 2024-10-08T07:22:08.3652213Z To address all issues possible (including breaking changes), run: 2024-10-08T07:22:08.3653815Z npm audit fix --force 2024-10-08T07:22:08.3654260Z 2024-10-08T07:22:08.3654730Z Some issues need review, and may require choosing 2024-10-08T07:22:08.3655625Z a different dependency. 2024-10-08T07:22:08.3656032Z 2024-10-08T07:22:08.3656292Z Run `npm audit` for details. 2024-10-08T07:22:08.3832432Z Downloading and authenticating Snyk CLI... 2024-10-08T07:22:08.3918640Z % Total % Received % Xferd Average Speed Time Time Time Current 2024-10-08T07:22:08.3919895Z Dload Upload Total Spent Left Speed 2024-10-08T07:22:08.3920430Z 2024-10-08T07:22:08.5025280Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:22:08.5026853Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:22:08.5596759Z 2024-10-08T07:22:08.5598153Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 2024-10-08T07:22:08.7638800Z 2024-10-08T07:22:09.1467893Z 3 67.1M 3 2540k 0 0 6825k 0 0:00:10 --:--:-- 0:00:10 6825k 2024-10-08T07:22:09.1469244Z 100 67.1M 100 67.1M 0 0 88.9M 0 --:--:-- --:--:-- --:--:-- 169M 2024-10-08T07:22:10.4513010Z 2024-10-08T07:22:10.4514017Z Your account has been authenticated. Snyk is now ready to be used. 2024-10-08T07:22:10.4514814Z 2024-10-08T07:22:10.6364464Z Running Snyk test and monitor... 2024-10-08T07:22:24.0940860Z { 2024-10-08T07:22:24.0941645Z "vulnerabilities": [ 2024-10-08T07:22:24.0943005Z { 2024-10-08T07:22:24.0944275Z "id": "SNYK-JAVA-ORGAPACHEMAVEN-6144614", 2024-10-08T07:22:24.0945275Z "title": "Resources Downloaded over Insecure Protocol", 2024-10-08T07:22:24.0957697Z "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.0958676Z "credit": [ 2024-10-08T07:22:24.0959222Z "Unknown" 2024-10-08T07:22:24.0959881Z ], 2024-10-08T07:22:24.0960406Z "semver": { 2024-10-08T07:22:24.0960955Z "vulnerable": [ 2024-10-08T07:22:24.0961603Z "[,3.8.1)" 2024-10-08T07:22:24.0962197Z ] 2024-10-08T07:22:24.0962909Z }, 2024-10-08T07:22:24.0963461Z "exploit": "Not Defined", 2024-10-08T07:22:24.0964143Z "fixedIn": [ 2024-10-08T07:22:24.0964637Z "3.8.1" 2024-10-08T07:22:24.0965276Z ], 2024-10-08T07:22:24.0965718Z "patches": [], 2024-10-08T07:22:24.0966340Z "insights": { 2024-10-08T07:22:24.0966958Z "triageAdvice": null 2024-10-08T07:22:24.0967542Z }, 2024-10-08T07:22:24.0968198Z "language": "java", 2024-10-08T07:22:24.0968874Z "severity": "high", 2024-10-08T07:22:24.0969508Z "cvssScore": 7.1, 2024-10-08T07:22:24.0970170Z "functions": [], 2024-10-08T07:22:24.0970953Z "malicious": false, 2024-10-08T07:22:24.0971630Z "isDisputed": false, 2024-10-08T07:22:24.0972738Z "moduleName": "org.apache.maven:maven-core", 2024-10-08T07:22:24.0973586Z "references": [ 2024-10-08T07:22:24.0974222Z { 2024-10-08T07:22:24.0975785Z "url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", 2024-10-08T07:22:24.0977355Z "title": "Apache Security Advisory" 2024-10-08T07:22:24.0978154Z }, 2024-10-08T07:22:24.0978684Z { 2024-10-08T07:22:24.0979631Z "url": "https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8", 2024-10-08T07:22:24.0980992Z "title": "GitHub Commit" 2024-10-08T07:22:24.0981657Z }, 2024-10-08T07:22:24.0982161Z { 2024-10-08T07:22:24.0983436Z "url": "https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647", 2024-10-08T07:22:24.0984559Z "title": "GitHub Commit" 2024-10-08T07:22:24.0985223Z }, 2024-10-08T07:22:24.0985826Z { 2024-10-08T07:22:24.0986807Z "url": "https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f", 2024-10-08T07:22:24.0987952Z "title": "GitHub Commit" 2024-10-08T07:22:24.0988783Z } 2024-10-08T07:22:24.0989300Z ], 2024-10-08T07:22:24.0989834Z "cvssDetails": [ 2024-10-08T07:22:24.0990518Z { 2024-10-08T07:22:24.0991182Z "assigner": "NVD", 2024-10-08T07:22:24.0991867Z "severity": "critical", 2024-10-08T07:22:24.0993084Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:22:24.0994489Z "cvssV3BaseScore": 9.1, 2024-10-08T07:22:24.0995535Z "modificationTime": "2024-03-11T09:50:36.020732Z" 2024-10-08T07:22:24.0996457Z }, 2024-10-08T07:22:24.0996918Z { 2024-10-08T07:22:24.0997453Z "assigner": "Red Hat", 2024-10-08T07:22:24.0998236Z "severity": "high", 2024-10-08T07:22:24.0999383Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:22:24.1000282Z "cvssV3BaseScore": 7.4, 2024-10-08T07:22:24.1001353Z "modificationTime": "2024-03-11T09:53:46.595598Z" 2024-10-08T07:22:24.1002180Z } 2024-10-08T07:22:24.1003049Z ], 2024-10-08T07:22:24.1003535Z "cvssSources": [ 2024-10-08T07:22:24.1004135Z { 2024-10-08T07:22:24.1004778Z "type": "primary", 2024-10-08T07:22:24.1005614Z "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1006431Z "assigner": "Snyk", 2024-10-08T07:22:24.1007290Z "severity": "high", 2024-10-08T07:22:24.1007888Z "baseScore": 7.1, 2024-10-08T07:22:24.1008510Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1009483Z "modificationTime": "2024-03-06T14:09:37.073828Z" 2024-10-08T07:22:24.1010350Z }, 2024-10-08T07:22:24.1010877Z { 2024-10-08T07:22:24.1011498Z "type": "secondary", 2024-10-08T07:22:24.1012656Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:22:24.1013470Z "assigner": "NVD", 2024-10-08T07:22:24.1014176Z "severity": "critical", 2024-10-08T07:22:24.1014691Z "baseScore": 9.1, 2024-10-08T07:22:24.1015228Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1016156Z "modificationTime": "2024-03-11T09:50:36.020732Z" 2024-10-08T07:22:24.1016900Z }, 2024-10-08T07:22:24.1017297Z { 2024-10-08T07:22:24.1017963Z "type": "secondary", 2024-10-08T07:22:24.1018793Z "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 2024-10-08T07:22:24.1019722Z "assigner": "Red Hat", 2024-10-08T07:22:24.1020487Z "severity": "high", 2024-10-08T07:22:24.1021102Z "baseScore": 7.4, 2024-10-08T07:22:24.1021795Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1022995Z "modificationTime": "2024-03-11T09:53:46.595598Z" 2024-10-08T07:22:24.1023701Z } 2024-10-08T07:22:24.1024166Z ], 2024-10-08T07:22:24.1037631Z "description": "## Overview\n\nAffected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls.\r\n\r\nIf you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. For more information about repository management, visit [this page](https://maven.apache.org/repository-management.html).\n## Remediation\nUpgrade `org.apache.maven:maven-core` to version 3.8.1 or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E)\n- [GitHub Commit](https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8)\n- [GitHub Commit](https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647)\n- [GitHub Commit](https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f)\n", 2024-10-08T07:22:24.1050576Z "epssDetails": { 2024-10-08T07:22:24.1051139Z "percentile": "0.57700", 2024-10-08T07:22:24.1052058Z "probability": "0.00197", 2024-10-08T07:22:24.1053212Z "modelVersion": "v2023.03.01" 2024-10-08T07:22:24.1053850Z }, 2024-10-08T07:22:24.1054300Z "identifiers": { 2024-10-08T07:22:24.1054837Z "CVE": [ 2024-10-08T07:22:24.1055459Z "CVE-2021-26291" 2024-10-08T07:22:24.1055978Z ], 2024-10-08T07:22:24.1056645Z "CWE": [ 2024-10-08T07:22:24.1057242Z "CWE-494" 2024-10-08T07:22:24.1057749Z ], 2024-10-08T07:22:24.1058287Z "GHSA": [ 2024-10-08T07:22:24.1058827Z "GHSA-2f88-5hg8-9x2x" 2024-10-08T07:22:24.1059372Z ] 2024-10-08T07:22:24.1059899Z }, 2024-10-08T07:22:24.1060513Z "packageName": "org.apache.maven:maven-core", 2024-10-08T07:22:24.1061204Z "proprietary": false, 2024-10-08T07:22:24.1062002Z "creationTime": "2024-01-04T15:15:05.020423Z", 2024-10-08T07:22:24.1062892Z "functions_new": [], 2024-10-08T07:22:24.1063408Z "alternativeIds": [], 2024-10-08T07:22:24.1064228Z "disclosureTime": "2021-04-26T09:21:36Z", 2024-10-08T07:22:24.1064945Z "exploitDetails": { 2024-10-08T07:22:24.1065492Z "sources": [], 2024-10-08T07:22:24.1066551Z "maturityLevels": [ 2024-10-08T07:22:24.1067106Z { 2024-10-08T07:22:24.1067619Z "type": "secondary", 2024-10-08T07:22:24.1068220Z "level": "Not Defined", 2024-10-08T07:22:24.1068799Z "format": "CVSSv3" 2024-10-08T07:22:24.1069408Z }, 2024-10-08T07:22:24.1069843Z { 2024-10-08T07:22:24.1070279Z "type": "primary", 2024-10-08T07:22:24.1070935Z "level": "Not Defined", 2024-10-08T07:22:24.1071531Z "format": "CVSSv4" 2024-10-08T07:22:24.1072076Z } 2024-10-08T07:22:24.1072851Z ] 2024-10-08T07:22:24.1073351Z }, 2024-10-08T07:22:24.1073847Z "packageManager": "maven", 2024-10-08T07:22:24.1074551Z "mavenModuleName": { 2024-10-08T07:22:24.1075178Z "groupId": "org.apache.maven", 2024-10-08T07:22:24.1075970Z "artifactId": "maven-core" 2024-10-08T07:22:24.1076658Z }, 2024-10-08T07:22:24.1077278Z "publicationTime": "2024-01-04T15:16:41.308178Z", 2024-10-08T07:22:24.1078023Z "severityBasedOn": "CVSS", 2024-10-08T07:22:24.1078885Z "modificationTime": "2024-03-11T09:53:46.595598Z", 2024-10-08T07:22:24.1079668Z "socialTrendAlert": false, 2024-10-08T07:22:24.1080257Z "severityWithCritical": "high", 2024-10-08T07:22:24.1080980Z "from": [ 2024-10-08T07:22:24.1081632Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:22:24.1082718Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:22:24.1083648Z "org.apache.maven:maven-core@2.0" 2024-10-08T07:22:24.1084286Z ], 2024-10-08T07:22:24.1084814Z "upgradePath": [ 2024-10-08T07:22:24.1085315Z false, 2024-10-08T07:22:24.1085940Z "org.apache.maven:maven-embedder@3.8.1", 2024-10-08T07:22:24.1086818Z "org.apache.maven:maven-core@3.8.1" 2024-10-08T07:22:24.1087509Z ], 2024-10-08T07:22:24.1087925Z "isUpgradable": true, 2024-10-08T07:22:24.1088579Z "isPatchable": false, 2024-10-08T07:22:24.1089274Z "name": "org.apache.maven:maven-core", 2024-10-08T07:22:24.1089907Z "version": "2.0" 2024-10-08T07:22:24.1090488Z }, 2024-10-08T07:22:24.1090906Z { 2024-10-08T07:22:24.1091524Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-31521", 2024-10-08T07:22:24.1092484Z "title": "Directory Traversal", 2024-10-08T07:22:24.1093276Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1094027Z "credit": [ 2024-10-08T07:22:24.1094609Z "Unknown" 2024-10-08T07:22:24.1095033Z ], 2024-10-08T07:22:24.1095492Z "semver": { 2024-10-08T07:22:24.1096043Z "vulnerable": [ 2024-10-08T07:22:24.1096514Z "[,3.0.24)" 2024-10-08T07:22:24.1097021Z ] 2024-10-08T07:22:24.1097513Z }, 2024-10-08T07:22:24.1097972Z "exploit": "Not Defined", 2024-10-08T07:22:24.1098794Z "fixedIn": [ 2024-10-08T07:22:24.1099347Z "3.0.24" 2024-10-08T07:22:24.1099840Z ], 2024-10-08T07:22:24.1100237Z "patches": [], 2024-10-08T07:22:24.1100806Z "insights": { 2024-10-08T07:22:24.1101343Z "triageAdvice": null 2024-10-08T07:22:24.1101884Z }, 2024-10-08T07:22:24.1102676Z "language": "java", 2024-10-08T07:22:24.1103523Z "severity": "medium", 2024-10-08T07:22:24.1104103Z "cvssScore": 5.3, 2024-10-08T07:22:24.1104713Z "functions": [ 2024-10-08T07:22:24.1105208Z { 2024-10-08T07:22:24.1105684Z "version": [ 2024-10-08T07:22:24.1106324Z "[,3.0.24)" 2024-10-08T07:22:24.1106790Z ], 2024-10-08T07:22:24.1107282Z "functionId": { 2024-10-08T07:22:24.1108501Z "filePath": "org/codehaus/plexus/util/Expand.java", 2024-10-08T07:22:24.1109334Z "className": "Expand", 2024-10-08T07:22:24.1109993Z "functionName": "extractFile" 2024-10-08T07:22:24.1110849Z } 2024-10-08T07:22:24.1111339Z } 2024-10-08T07:22:24.1111781Z ], 2024-10-08T07:22:24.1112700Z "malicious": false, 2024-10-08T07:22:24.1113316Z "isDisputed": false, 2024-10-08T07:22:24.1114246Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1115023Z "references": [ 2024-10-08T07:22:24.1115528Z { 2024-10-08T07:22:24.1116675Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef", 2024-10-08T07:22:24.1117795Z "title": "GitHub Commit" 2024-10-08T07:22:24.1118393Z }, 2024-10-08T07:22:24.1118892Z { 2024-10-08T07:22:24.1119610Z "url": "https://github.com/codehaus-plexus/plexus-utils/issues/4", 2024-10-08T07:22:24.1120467Z "title": "GitHub Issue" 2024-10-08T07:22:24.1121090Z } 2024-10-08T07:22:24.1121475Z ], 2024-10-08T07:22:24.1121942Z "cvssDetails": [ 2024-10-08T07:22:24.1122718Z { 2024-10-08T07:22:24.1123195Z "assigner": "NVD", 2024-10-08T07:22:24.1123707Z "severity": "high", 2024-10-08T07:22:24.1124518Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:22:24.1125359Z "cvssV3BaseScore": 7.5, 2024-10-08T07:22:24.1126131Z "modificationTime": "2024-03-11T09:53:39.008801Z" 2024-10-08T07:22:24.1126849Z }, 2024-10-08T07:22:24.1127303Z { 2024-10-08T07:22:24.1127758Z "assigner": "Red Hat", 2024-10-08T07:22:24.1128370Z "severity": "high", 2024-10-08T07:22:24.1129122Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:22:24.1129905Z "cvssV3BaseScore": 7.5, 2024-10-08T07:22:24.1130760Z "modificationTime": "2024-03-11T09:53:59.688096Z" 2024-10-08T07:22:24.1131387Z } 2024-10-08T07:22:24.1131815Z ], 2024-10-08T07:22:24.1132696Z "cvssSources": [ 2024-10-08T07:22:24.1133300Z { 2024-10-08T07:22:24.1133779Z "type": "primary", 2024-10-08T07:22:24.1134736Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1135594Z "assigner": "Snyk", 2024-10-08T07:22:24.1136201Z "severity": "medium", 2024-10-08T07:22:24.1137068Z "baseScore": 5.3, 2024-10-08T07:22:24.1137650Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1138605Z "modificationTime": "2024-05-09T13:34:27.533160Z" 2024-10-08T07:22:24.1139267Z }, 2024-10-08T07:22:24.1139716Z { 2024-10-08T07:22:24.1140272Z "type": "secondary", 2024-10-08T07:22:24.1141024Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:22:24.1141724Z "assigner": "NVD", 2024-10-08T07:22:24.1142771Z "severity": "high", 2024-10-08T07:22:24.1143355Z "baseScore": 7.5, 2024-10-08T07:22:24.1143885Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1144798Z "modificationTime": "2024-03-11T09:53:39.008801Z" 2024-10-08T07:22:24.1145755Z }, 2024-10-08T07:22:24.1146235Z { 2024-10-08T07:22:24.1146724Z "type": "secondary", 2024-10-08T07:22:24.1147435Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 2024-10-08T07:22:24.1148224Z "assigner": "Red Hat", 2024-10-08T07:22:24.1148881Z "severity": "high", 2024-10-08T07:22:24.1149600Z "baseScore": 7.5, 2024-10-08T07:22:24.1150179Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1151051Z "modificationTime": "2024-03-11T09:53:59.688096Z" 2024-10-08T07:22:24.1151791Z } 2024-10-08T07:22:24.1152171Z ], 2024-10-08T07:22:24.1159866Z "description": "## Overview\nAn attacker could access arbitrary files and directories stored on the file system by manipulating files with `dot-dot-slash (../)` sequences and their variations or by using absolute file paths. \r\n\r\n**Note:**\r\n\r\nThere is no indication that access to the filesystem beyond that of the application user can be achieved. So typical deployments will have only limited confidentiality impact from this vulnerability.\n\n## References\n- [https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef](https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef)\n- [https://github.com/codehaus-plexus/plexus-utils/issues/4](https://github.com/codehaus-plexus/plexus-utils/issues/4)\n", 2024-10-08T07:22:24.1166757Z "epssDetails": { 2024-10-08T07:22:24.1167300Z "percentile": "0.26522", 2024-10-08T07:22:24.1168014Z "probability": "0.00060", 2024-10-08T07:22:24.1168641Z "modelVersion": "v2023.03.01" 2024-10-08T07:22:24.1169203Z }, 2024-10-08T07:22:24.1169743Z "identifiers": { 2024-10-08T07:22:24.1170254Z "CVE": [ 2024-10-08T07:22:24.1170877Z "CVE-2022-4244" 2024-10-08T07:22:24.1171374Z ], 2024-10-08T07:22:24.1171811Z "CWE": [ 2024-10-08T07:22:24.1172687Z "CWE-22" 2024-10-08T07:22:24.1173223Z ] 2024-10-08T07:22:24.1173676Z }, 2024-10-08T07:22:24.1174472Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1175262Z "proprietary": false, 2024-10-08T07:22:24.1175919Z "creationTime": "2017-09-20T00:00:00Z", 2024-10-08T07:22:24.1176677Z "functions_new": [ 2024-10-08T07:22:24.1177195Z { 2024-10-08T07:22:24.1177606Z "version": [ 2024-10-08T07:22:24.1178196Z "[,3.0.24)" 2024-10-08T07:22:24.1178696Z ], 2024-10-08T07:22:24.1179189Z "functionId": { 2024-10-08T07:22:24.1179881Z "className": "org.codehaus.plexus.util.Expand", 2024-10-08T07:22:24.1180680Z "functionName": "extractFile" 2024-10-08T07:22:24.1181336Z } 2024-10-08T07:22:24.1181827Z } 2024-10-08T07:22:24.1182211Z ], 2024-10-08T07:22:24.1182996Z "alternativeIds": [], 2024-10-08T07:22:24.1183784Z "disclosureTime": "2016-05-08T00:00:00Z", 2024-10-08T07:22:24.1184404Z "exploitDetails": { 2024-10-08T07:22:24.1184971Z "sources": [], 2024-10-08T07:22:24.1185566Z "maturityLevels": [ 2024-10-08T07:22:24.1186117Z { 2024-10-08T07:22:24.1186528Z "type": "secondary", 2024-10-08T07:22:24.1187158Z "level": "Not Defined", 2024-10-08T07:22:24.1187756Z "format": "CVSSv3" 2024-10-08T07:22:24.1188278Z }, 2024-10-08T07:22:24.1188736Z { 2024-10-08T07:22:24.1189207Z "type": "primary", 2024-10-08T07:22:24.1189764Z "level": "Not Defined", 2024-10-08T07:22:24.1190357Z "format": "CVSSv4" 2024-10-08T07:22:24.1190903Z } 2024-10-08T07:22:24.1191324Z ] 2024-10-08T07:22:24.1191826Z }, 2024-10-08T07:22:24.1192394Z "packageManager": "maven", 2024-10-08T07:22:24.1193004Z "mavenModuleName": { 2024-10-08T07:22:24.1193716Z "groupId": "org.codehaus.plexus", 2024-10-08T07:22:24.1194507Z "artifactId": "plexus-utils" 2024-10-08T07:22:24.1195371Z }, 2024-10-08T07:22:24.1196083Z "publicationTime": "2017-09-20T00:00:00Z", 2024-10-08T07:22:24.1196799Z "severityBasedOn": "CVSS", 2024-10-08T07:22:24.1197615Z "modificationTime": "2024-05-09T13:34:27.533160Z", 2024-10-08T07:22:24.1198463Z "socialTrendAlert": false, 2024-10-08T07:22:24.1199112Z "severityWithCritical": "medium", 2024-10-08T07:22:24.1200000Z "from": [ 2024-10-08T07:22:24.1200630Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:22:24.1201484Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:22:24.1202658Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:22:24.1203599Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:22:24.1204252Z ], 2024-10-08T07:22:24.1204791Z "upgradePath": [ 2024-10-08T07:22:24.1205317Z false, 2024-10-08T07:22:24.1205929Z "org.apache.maven:maven-embedder@3.5.0", 2024-10-08T07:22:24.1206837Z "org.apache.maven:maven-core@3.5.0", 2024-10-08T07:22:24.1207690Z "org.codehaus.plexus:plexus-utils@3.0.24" 2024-10-08T07:22:24.1208401Z ], 2024-10-08T07:22:24.1208879Z "isUpgradable": true, 2024-10-08T07:22:24.1209472Z "isPatchable": false, 2024-10-08T07:22:24.1210177Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1210910Z "version": "1.0.4" 2024-10-08T07:22:24.1211401Z }, 2024-10-08T07:22:24.1211824Z { 2024-10-08T07:22:24.1212742Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-31522", 2024-10-08T07:22:24.1213514Z "title": "Shell Command Injection", 2024-10-08T07:22:24.1214281Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1215106Z "credit": [ 2024-10-08T07:22:24.1215611Z "Charles Duffy" 2024-10-08T07:22:24.1216060Z ], 2024-10-08T07:22:24.1216594Z "semver": { 2024-10-08T07:22:24.1217067Z "vulnerable": [ 2024-10-08T07:22:24.1217534Z "[,3.0.16)" 2024-10-08T07:22:24.1218110Z ] 2024-10-08T07:22:24.1218534Z }, 2024-10-08T07:22:24.1218998Z "exploit": "Not Defined", 2024-10-08T07:22:24.1219639Z "fixedIn": [ 2024-10-08T07:22:24.1220121Z "3.0.16" 2024-10-08T07:22:24.1220768Z ], 2024-10-08T07:22:24.1221273Z "patches": [], 2024-10-08T07:22:24.1221771Z "insights": { 2024-10-08T07:22:24.1222576Z "triageAdvice": null 2024-10-08T07:22:24.1223227Z }, 2024-10-08T07:22:24.1223642Z "language": "java", 2024-10-08T07:22:24.1224194Z "severity": "critical", 2024-10-08T07:22:24.1224811Z "cvssScore": 9.8, 2024-10-08T07:22:24.1225322Z "functions": [ 2024-10-08T07:22:24.1225768Z { 2024-10-08T07:22:24.1226275Z "version": [ 2024-10-08T07:22:24.1226764Z "[,3.0.16)" 2024-10-08T07:22:24.1227218Z ], 2024-10-08T07:22:24.1227734Z "functionId": { 2024-10-08T07:22:24.1228453Z "filePath": "org/codehaus/plexus/util/cli/Commandline.java", 2024-10-08T07:22:24.1229316Z "className": "Commandline", 2024-10-08T07:22:24.1229919Z "functionName": "execute" 2024-10-08T07:22:24.1230519Z } 2024-10-08T07:22:24.1231014Z } 2024-10-08T07:22:24.1231396Z ], 2024-10-08T07:22:24.1231856Z "malicious": false, 2024-10-08T07:22:24.1232756Z "isDisputed": false, 2024-10-08T07:22:24.1233545Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1234267Z "references": [ 2024-10-08T07:22:24.1234834Z { 2024-10-08T07:22:24.1235969Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", 2024-10-08T07:22:24.1237070Z "title": "GitHub Commit" 2024-10-08T07:22:24.1237649Z }, 2024-10-08T07:22:24.1238099Z { 2024-10-08T07:22:24.1239118Z "url": "https://raw.githubusercontent.com/sonatype/plexus-utils/master/jira/PLXUTILS-161.json", 2024-10-08T07:22:24.1240423Z "title": "PLXUTILS-161 - Raw Jira Ticket JSON" 2024-10-08T07:22:24.1241620Z } 2024-10-08T07:22:24.1242507Z ], 2024-10-08T07:22:24.1243077Z "cvssDetails": [ 2024-10-08T07:22:24.1243540Z { 2024-10-08T07:22:24.1243989Z "assigner": "NVD", 2024-10-08T07:22:24.1244628Z "severity": "critical", 2024-10-08T07:22:24.1245392Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1246132Z "cvssV3BaseScore": 9.8, 2024-10-08T07:22:24.1247230Z "modificationTime": "2024-03-11T09:46:36.869045Z" 2024-10-08T07:22:24.1247953Z }, 2024-10-08T07:22:24.1248403Z { 2024-10-08T07:22:24.1248889Z "assigner": "Red Hat", 2024-10-08T07:22:24.1249469Z "severity": "high", 2024-10-08T07:22:24.1250213Z "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1251031Z "cvssV3BaseScore": 7.8, 2024-10-08T07:22:24.1251806Z "modificationTime": "2024-03-11T09:53:54.737412Z" 2024-10-08T07:22:24.1252891Z } 2024-10-08T07:22:24.1253432Z ], 2024-10-08T07:22:24.1253855Z "cvssSources": [ 2024-10-08T07:22:24.1254393Z { 2024-10-08T07:22:24.1254924Z "type": "primary", 2024-10-08T07:22:24.1255646Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1256381Z "assigner": "Snyk", 2024-10-08T07:22:24.1257020Z "severity": "critical", 2024-10-08T07:22:24.1257656Z "baseScore": 9.8, 2024-10-08T07:22:24.1258180Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1259042Z "modificationTime": "2024-03-06T13:58:02.476253Z" 2024-10-08T07:22:24.1259768Z }, 2024-10-08T07:22:24.1260260Z { 2024-10-08T07:22:24.1260676Z "type": "secondary", 2024-10-08T07:22:24.1261426Z "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1262506Z "assigner": "NVD", 2024-10-08T07:22:24.1263141Z "severity": "critical", 2024-10-08T07:22:24.1263695Z "baseScore": 9.8, 2024-10-08T07:22:24.1264328Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1265163Z "modificationTime": "2024-03-11T09:46:36.869045Z" 2024-10-08T07:22:24.1265871Z }, 2024-10-08T07:22:24.1266319Z { 2024-10-08T07:22:24.1266801Z "type": "secondary", 2024-10-08T07:22:24.1267505Z "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 2024-10-08T07:22:24.1268305Z "assigner": "Red Hat", 2024-10-08T07:22:24.1268924Z "severity": "high", 2024-10-08T07:22:24.1269491Z "baseScore": 7.8, 2024-10-08T07:22:24.1270134Z "cvssVersion": "3.0", 2024-10-08T07:22:24.1270867Z "modificationTime": "2024-03-11T09:53:54.737412Z" 2024-10-08T07:22:24.1271577Z } 2024-10-08T07:22:24.1272093Z ], 2024-10-08T07:22:24.1278549Z "description": "## Overview\r\n[`Codehaus Plexus`](https://codehaus-plexus.github.io/) is a collection of components used by Apache Maven.\r\n\r\nAffected versions of this package are vulnerable to Shell Command Injection. The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings.\r\n\r\n## Remediation\r\nUpgrade _Codehaus Plexus_ to version `3.0.16` or higher.\r\n\r\n## References\r\n- [Github Commit](https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41)\r\n- [PLXUTILS-161 - Raw Jira Ticket JSON](https://raw.githubusercontent.com/sonatype/plexus-utils/master/jira/PLXUTILS-161.json)", 2024-10-08T07:22:24.1284344Z "epssDetails": { 2024-10-08T07:22:24.1284966Z "percentile": "0.73724", 2024-10-08T07:22:24.1285569Z "probability": "0.00395", 2024-10-08T07:22:24.1286189Z "modelVersion": "v2023.03.01" 2024-10-08T07:22:24.1286833Z }, 2024-10-08T07:22:24.1287232Z "identifiers": { 2024-10-08T07:22:24.1287762Z "CVE": [ 2024-10-08T07:22:24.1288436Z "CVE-2017-1000487" 2024-10-08T07:22:24.1288939Z ], 2024-10-08T07:22:24.1289403Z "CWE": [ 2024-10-08T07:22:24.1289985Z "CWE-77" 2024-10-08T07:22:24.1290735Z ] 2024-10-08T07:22:24.1291116Z }, 2024-10-08T07:22:24.1291870Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1293021Z "proprietary": false, 2024-10-08T07:22:24.1293831Z "creationTime": "2016-09-20T00:00:00Z", 2024-10-08T07:22:24.1294471Z "functions_new": [ 2024-10-08T07:22:24.1295022Z { 2024-10-08T07:22:24.1295751Z "version": [ 2024-10-08T07:22:24.1296265Z "[,3.0.16)" 2024-10-08T07:22:24.1296784Z ], 2024-10-08T07:22:24.1297348Z "functionId": { 2024-10-08T07:22:24.1298124Z "className": "org.codehaus.plexus.util.cli.Commandline", 2024-10-08T07:22:24.1298936Z "functionName": "execute" 2024-10-08T07:22:24.1299641Z } 2024-10-08T07:22:24.1300106Z } 2024-10-08T07:22:24.1300497Z ], 2024-10-08T07:22:24.1301066Z "alternativeIds": [], 2024-10-08T07:22:24.1301802Z "disclosureTime": "2016-05-08T00:00:00Z", 2024-10-08T07:22:24.1302806Z "exploitDetails": { 2024-10-08T07:22:24.1303444Z "sources": [], 2024-10-08T07:22:24.1303991Z "maturityLevels": [ 2024-10-08T07:22:24.1304528Z { 2024-10-08T07:22:24.1305096Z "type": "secondary", 2024-10-08T07:22:24.1305673Z "level": "Not Defined", 2024-10-08T07:22:24.1306409Z "format": "CVSSv3" 2024-10-08T07:22:24.1307063Z }, 2024-10-08T07:22:24.1307469Z { 2024-10-08T07:22:24.1307949Z "type": "primary", 2024-10-08T07:22:24.1308585Z "level": "Not Defined", 2024-10-08T07:22:24.1309185Z "format": "CVSSv4" 2024-10-08T07:22:24.1309702Z } 2024-10-08T07:22:24.1310199Z ] 2024-10-08T07:22:24.1310653Z }, 2024-10-08T07:22:24.1311189Z "packageManager": "maven", 2024-10-08T07:22:24.1311755Z "mavenModuleName": { 2024-10-08T07:22:24.1312630Z "groupId": "org.codehaus.plexus", 2024-10-08T07:22:24.1313485Z "artifactId": "plexus-utils" 2024-10-08T07:22:24.1314053Z }, 2024-10-08T07:22:24.1314665Z "publicationTime": "2016-09-20T00:00:00Z", 2024-10-08T07:22:24.1315449Z "severityBasedOn": "CVSS", 2024-10-08T07:22:24.1316235Z "modificationTime": "2024-03-11T09:53:54.737412Z", 2024-10-08T07:22:24.1316948Z "socialTrendAlert": false, 2024-10-08T07:22:24.1317650Z "severityWithCritical": "critical", 2024-10-08T07:22:24.1318323Z "from": [ 2024-10-08T07:22:24.1318997Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:22:24.1319872Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:22:24.1320693Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:22:24.1321481Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:22:24.1322209Z ], 2024-10-08T07:22:24.1322933Z "upgradePath": [ 2024-10-08T07:22:24.1323454Z false, 2024-10-08T07:22:24.1324173Z "org.apache.maven:maven-embedder@3.2.1", 2024-10-08T07:22:24.1324983Z "org.apache.maven:maven-core@3.2.1", 2024-10-08T07:22:24.1325800Z "org.codehaus.plexus:plexus-utils@3.0.17" 2024-10-08T07:22:24.1326567Z ], 2024-10-08T07:22:24.1327024Z "isUpgradable": true, 2024-10-08T07:22:24.1327545Z "isPatchable": false, 2024-10-08T07:22:24.1328356Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1329066Z "version": "1.0.4" 2024-10-08T07:22:24.1329531Z }, 2024-10-08T07:22:24.1330046Z { 2024-10-08T07:22:24.1330653Z "id": "SNYK-JAVA-ORGCODEHAUSPLEXUS-461102", 2024-10-08T07:22:24.1331435Z "title": "XML External Entity (XXE) Injection", 2024-10-08T07:22:24.1332651Z "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U", 2024-10-08T07:22:24.1333545Z "credit": [ 2024-10-08T07:22:24.1334056Z "Florian Weimer" 2024-10-08T07:22:24.1334656Z ], 2024-10-08T07:22:24.1335099Z "semver": { 2024-10-08T07:22:24.1335633Z "vulnerable": [ 2024-10-08T07:22:24.1336236Z "[,3.0.24)" 2024-10-08T07:22:24.1336676Z ] 2024-10-08T07:22:24.1337402Z }, 2024-10-08T07:22:24.1337942Z "exploit": "Unproven", 2024-10-08T07:22:24.1338517Z "fixedIn": [ 2024-10-08T07:22:24.1338944Z "3.0.24" 2024-10-08T07:22:24.1339488Z ], 2024-10-08T07:22:24.1339974Z "patches": [], 2024-10-08T07:22:24.1340436Z "insights": { 2024-10-08T07:22:24.1341045Z "triageAdvice": null 2024-10-08T07:22:24.1341898Z }, 2024-10-08T07:22:24.1342678Z "language": "java", 2024-10-08T07:22:24.1343258Z "severity": "medium", 2024-10-08T07:22:24.1343836Z "cvssScore": 4.3, 2024-10-08T07:22:24.1344438Z "functions": [ 2024-10-08T07:22:24.1344962Z { 2024-10-08T07:22:24.1345363Z "version": [ 2024-10-08T07:22:24.1345978Z "(1.5.3,3.0.24)" 2024-10-08T07:22:24.1346555Z ], 2024-10-08T07:22:24.1346993Z "functionId": { 2024-10-08T07:22:24.1347852Z "filePath": "org/codehaus/plexus/util/xml/XmlWriterUtil.java", 2024-10-08T07:22:24.1348795Z "className": "XmlWriterUtil", 2024-10-08T07:22:24.1349493Z "functionName": "writeComment" 2024-10-08T07:22:24.1350193Z } 2024-10-08T07:22:24.1350682Z } 2024-10-08T07:22:24.1351142Z ], 2024-10-08T07:22:24.1351676Z "malicious": false, 2024-10-08T07:22:24.1352517Z "isDisputed": false, 2024-10-08T07:22:24.1353396Z "moduleName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1354319Z "references": [ 2024-10-08T07:22:24.1354777Z { 2024-10-08T07:22:24.1355973Z "url": "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de", 2024-10-08T07:22:24.1357287Z "title": "GitHub Commit" 2024-10-08T07:22:24.1357910Z }, 2024-10-08T07:22:24.1358340Z { 2024-10-08T07:22:24.1359276Z "url": "https://github.com/codehaus-plexus/plexus-utils/issues/3", 2024-10-08T07:22:24.1360183Z "title": "GitHub Issue" 2024-10-08T07:22:24.1360797Z } 2024-10-08T07:22:24.1361287Z ], 2024-10-08T07:22:24.1361749Z "cvssDetails": [ 2024-10-08T07:22:24.1362568Z { 2024-10-08T07:22:24.1363157Z "assigner": "NVD", 2024-10-08T07:22:24.1363682Z "severity": "medium", 2024-10-08T07:22:24.1364201Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1364788Z "cvssV3BaseScore": 4.3, 2024-10-08T07:22:24.1365321Z "modificationTime": "2024-03-11T09:53:38.966298Z" 2024-10-08T07:22:24.1365780Z }, 2024-10-08T07:22:24.1366124Z { 2024-10-08T07:22:24.1366450Z "assigner": "Red Hat", 2024-10-08T07:22:24.1366800Z "severity": "medium", 2024-10-08T07:22:24.1367344Z "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1367888Z "cvssV3BaseScore": 4.3, 2024-10-08T07:22:24.1368362Z "modificationTime": "2024-03-11T09:53:59.734097Z" 2024-10-08T07:22:24.1368856Z } 2024-10-08T07:22:24.1369160Z ], 2024-10-08T07:22:24.1369512Z "cvssSources": [ 2024-10-08T07:22:24.1369827Z { 2024-10-08T07:22:24.1370132Z "type": "primary", 2024-10-08T07:22:24.1370679Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U", 2024-10-08T07:22:24.1371232Z "assigner": "Snyk", 2024-10-08T07:22:24.1371571Z "severity": "medium", 2024-10-08T07:22:24.1372000Z "baseScore": 4.3, 2024-10-08T07:22:24.1372653Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1373189Z "modificationTime": "2024-03-06T14:09:20.690133Z" 2024-10-08T07:22:24.1373710Z }, 2024-10-08T07:22:24.1374022Z { 2024-10-08T07:22:24.1374327Z "type": "secondary", 2024-10-08T07:22:24.1374813Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1375322Z "assigner": "NVD", 2024-10-08T07:22:24.1375692Z "severity": "medium", 2024-10-08T07:22:24.1376134Z "baseScore": 4.3, 2024-10-08T07:22:24.1376668Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1377195Z "modificationTime": "2024-03-11T09:53:38.966298Z" 2024-10-08T07:22:24.1377715Z }, 2024-10-08T07:22:24.1377977Z { 2024-10-08T07:22:24.1378303Z "type": "secondary", 2024-10-08T07:22:24.1378815Z "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 2024-10-08T07:22:24.1379451Z "assigner": "Red Hat", 2024-10-08T07:22:24.1379813Z "severity": "medium", 2024-10-08T07:22:24.1380253Z "baseScore": 4.3, 2024-10-08T07:22:24.1380642Z "cvssVersion": "3.1", 2024-10-08T07:22:24.1381142Z "modificationTime": "2024-03-11T09:53:59.734097Z" 2024-10-08T07:22:24.1381605Z } 2024-10-08T07:22:24.1381910Z ], 2024-10-08T07:22:24.1387326Z "description": "## Overview\n[org.codehaus.plexus:plexus-utils](https://mvnrepository.com/artifact/org.codehaus.plexus/plexus-utils) is a collection of various utility classes to ease working with strings, files, command lines, XML and more.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `-->` sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.\n## Remediation\nUpgrade `org.codehaus.plexus:plexus-utils` to version 3.0.24 or higher.\n## References\n- [GitHub Commit](https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de)\n- [GitHub Issue](https://github.com/codehaus-plexus/plexus-utils/issues/3)\n", 2024-10-08T07:22:24.1394241Z "epssDetails": { 2024-10-08T07:22:24.1394826Z "percentile": "0.30216", 2024-10-08T07:22:24.1395509Z "probability": "0.00067", 2024-10-08T07:22:24.1396109Z "modelVersion": "v2023.03.01" 2024-10-08T07:22:24.1396713Z }, 2024-10-08T07:22:24.1397227Z "identifiers": { 2024-10-08T07:22:24.1397718Z "CVE": [ 2024-10-08T07:22:24.1398288Z "CVE-2022-4245" 2024-10-08T07:22:24.1398872Z ], 2024-10-08T07:22:24.1399328Z "CWE": [ 2024-10-08T07:22:24.1399791Z "CWE-91" 2024-10-08T07:22:24.1400319Z ] 2024-10-08T07:22:24.1400771Z }, 2024-10-08T07:22:24.1401382Z "packageName": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1402544Z "proprietary": false, 2024-10-08T07:22:24.1403307Z "creationTime": "2019-09-06T15:46:47.546130Z", 2024-10-08T07:22:24.1403997Z "functions_new": [ 2024-10-08T07:22:24.1404564Z { 2024-10-08T07:22:24.1405013Z "version": [ 2024-10-08T07:22:24.1405537Z "(1.5.3,3.0.24)" 2024-10-08T07:22:24.1406178Z ], 2024-10-08T07:22:24.1406598Z "functionId": { 2024-10-08T07:22:24.1407327Z "className": "org.codehaus.plexus.util.xml.XmlWriterUtil", 2024-10-08T07:22:24.1408283Z "functionName": "writeComment" 2024-10-08T07:22:24.1408873Z } 2024-10-08T07:22:24.1409329Z } 2024-10-08T07:22:24.1409828Z ], 2024-10-08T07:22:24.1410281Z "alternativeIds": [], 2024-10-08T07:22:24.1410947Z "disclosureTime": "2015-09-21T15:48:37Z", 2024-10-08T07:22:24.1411679Z "exploitDetails": { 2024-10-08T07:22:24.1412213Z "sources": [ 2024-10-08T07:22:24.1412927Z "Snyk" 2024-10-08T07:22:24.1413420Z ], 2024-10-08T07:22:24.1413888Z "maturityLevels": [ 2024-10-08T07:22:24.1414438Z { 2024-10-08T07:22:24.1414918Z "type": "secondary", 2024-10-08T07:22:24.1415532Z "level": "Not Defined", 2024-10-08T07:22:24.1416138Z "format": "CVSSv3" 2024-10-08T07:22:24.1416742Z }, 2024-10-08T07:22:24.1417160Z { 2024-10-08T07:22:24.1417610Z "type": "primary", 2024-10-08T07:22:24.1418283Z "level": "Proof of Concept", 2024-10-08T07:22:24.1418890Z "format": "CVSSv4" 2024-10-08T07:22:24.1419428Z } 2024-10-08T07:22:24.1419923Z ] 2024-10-08T07:22:24.1420602Z }, 2024-10-08T07:22:24.1421019Z "packageManager": "maven", 2024-10-08T07:22:24.1421707Z "mavenModuleName": { 2024-10-08T07:22:24.1422580Z "groupId": "org.codehaus.plexus", 2024-10-08T07:22:24.1423482Z "artifactId": "plexus-utils" 2024-10-08T07:22:24.1424096Z }, 2024-10-08T07:22:24.1424719Z "publicationTime": "2019-09-06T15:46:00Z", 2024-10-08T07:22:24.1425719Z "severityBasedOn": "CVSS", 2024-10-08T07:22:24.1426484Z "modificationTime": "2024-03-11T09:53:59.734097Z", 2024-10-08T07:22:24.1427219Z "socialTrendAlert": false, 2024-10-08T07:22:24.1427908Z "severityWithCritical": "medium", 2024-10-08T07:22:24.1428496Z "from": [ 2024-10-08T07:22:24.1429071Z "jenkins.mvn.demo:mvnwebapp@0.0.1-SNAPSHOT", 2024-10-08T07:22:24.1429963Z "org.apache.maven:maven-embedder@2.0", 2024-10-08T07:22:24.1430722Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:22:24.1431517Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:22:24.1432619Z ], 2024-10-08T07:22:24.1433136Z "upgradePath": [ 2024-10-08T07:22:24.1433693Z false, 2024-10-08T07:22:24.1434399Z "org.apache.maven:maven-embedder@3.5.0", 2024-10-08T07:22:24.1435216Z "org.apache.maven:maven-core@3.5.0", 2024-10-08T07:22:24.1436063Z "org.codehaus.plexus:plexus-utils@3.0.24" 2024-10-08T07:22:24.1436807Z ], 2024-10-08T07:22:24.1437247Z "isUpgradable": true, 2024-10-08T07:22:24.1437834Z "isPatchable": false, 2024-10-08T07:22:24.1438576Z "name": "org.codehaus.plexus:plexus-utils", 2024-10-08T07:22:24.1439244Z "version": "1.0.4" 2024-10-08T07:22:24.1439679Z } 2024-10-08T07:22:24.1440150Z ], 2024-10-08T07:22:24.1440580Z "ok": false, 2024-10-08T07:22:24.1441002Z "dependencyCount": 28, 2024-10-08T07:22:24.1441585Z "org": "itsarraj", 2024-10-08T07:22:24.1442960Z "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", 2024-10-08T07:22:24.1444210Z "isPrivate": true, 2024-10-08T07:22:24.1444766Z "licensesPolicy": { 2024-10-08T07:22:24.1445302Z "severities": {}, 2024-10-08T07:22:24.1445811Z "orgLicenseRules": { 2024-10-08T07:22:24.1446494Z "AGPL-1.0": { 2024-10-08T07:22:24.1447017Z "licenseType": "AGPL-1.0", 2024-10-08T07:22:24.1447586Z "severity": "high", 2024-10-08T07:22:24.1448191Z "instructions": "" 2024-10-08T07:22:24.1448622Z }, 2024-10-08T07:22:24.1449071Z "AGPL-3.0": { 2024-10-08T07:22:24.1449719Z "licenseType": "AGPL-3.0", 2024-10-08T07:22:24.1450269Z "severity": "high", 2024-10-08T07:22:24.1450736Z "instructions": "" 2024-10-08T07:22:24.1451337Z }, 2024-10-08T07:22:24.1451903Z "Artistic-1.0": { 2024-10-08T07:22:24.1452629Z "licenseType": "Artistic-1.0", 2024-10-08T07:22:24.1453341Z "severity": "medium", 2024-10-08T07:22:24.1453876Z "instructions": "" 2024-10-08T07:22:24.1454487Z }, 2024-10-08T07:22:24.1454952Z "Artistic-2.0": { 2024-10-08T07:22:24.1455611Z "licenseType": "Artistic-2.0", 2024-10-08T07:22:24.1456448Z "severity": "medium", 2024-10-08T07:22:24.1457044Z "instructions": "" 2024-10-08T07:22:24.1457532Z }, 2024-10-08T07:22:24.1458122Z "CDDL-1.0": { 2024-10-08T07:22:24.1458701Z "licenseType": "CDDL-1.0", 2024-10-08T07:22:24.1459299Z "severity": "medium", 2024-10-08T07:22:24.1459934Z "instructions": "" 2024-10-08T07:22:24.1460454Z }, 2024-10-08T07:22:24.1460958Z "CPOL-1.02": { 2024-10-08T07:22:24.1461572Z "licenseType": "CPOL-1.02", 2024-10-08T07:22:24.1462190Z "severity": "high", 2024-10-08T07:22:24.1463075Z "instructions": "" 2024-10-08T07:22:24.1463683Z }, 2024-10-08T07:22:24.1464134Z "EPL-1.0": { 2024-10-08T07:22:24.1464722Z "licenseType": "EPL-1.0", 2024-10-08T07:22:24.1465385Z "severity": "medium", 2024-10-08T07:22:24.1465930Z "instructions": "" 2024-10-08T07:22:24.1466681Z }, 2024-10-08T07:22:24.1467253Z "GPL-2.0": { 2024-10-08T07:22:24.1467849Z "licenseType": "GPL-2.0", 2024-10-08T07:22:24.1468404Z "severity": "high", 2024-10-08T07:22:24.1469064Z "instructions": "" 2024-10-08T07:22:24.1469582Z }, 2024-10-08T07:22:24.1470007Z "GPL-3.0": { 2024-10-08T07:22:24.1470847Z "licenseType": "GPL-3.0", 2024-10-08T07:22:24.1471463Z "severity": "high", 2024-10-08T07:22:24.1472068Z "instructions": "" 2024-10-08T07:22:24.1473009Z }, 2024-10-08T07:22:24.1473556Z "LGPL-2.0": { 2024-10-08T07:22:24.1474163Z "licenseType": "LGPL-2.0", 2024-10-08T07:22:24.1474843Z "severity": "medium", 2024-10-08T07:22:24.1475442Z "instructions": "" 2024-10-08T07:22:24.1475983Z }, 2024-10-08T07:22:24.1476555Z "LGPL-2.1": { 2024-10-08T07:22:24.1476914Z "licenseType": "LGPL-2.1", 2024-10-08T07:22:24.1477332Z "severity": "medium", 2024-10-08T07:22:24.1478049Z "instructions": "" 2024-10-08T07:22:24.1478568Z }, 2024-10-08T07:22:24.1478987Z "LGPL-3.0": { 2024-10-08T07:22:24.1479609Z "licenseType": "LGPL-3.0", 2024-10-08T07:22:24.1480199Z "severity": "medium", 2024-10-08T07:22:24.1480678Z "instructions": "" 2024-10-08T07:22:24.1481241Z }, 2024-10-08T07:22:24.1481718Z "MPL-1.1": { 2024-10-08T07:22:24.1482683Z "licenseType": "MPL-1.1", 2024-10-08T07:22:24.1483252Z "severity": "medium", 2024-10-08T07:22:24.1483811Z "instructions": "" 2024-10-08T07:22:24.1484376Z }, 2024-10-08T07:22:24.1484809Z "MPL-2.0": { 2024-10-08T07:22:24.1485370Z "licenseType": "MPL-2.0", 2024-10-08T07:22:24.1486054Z "severity": "medium", 2024-10-08T07:22:24.1486610Z "instructions": "" 2024-10-08T07:22:24.1487056Z }, 2024-10-08T07:22:24.1488494Z "MS-RL": { 2024-10-08T07:22:24.1489037Z "licenseType": "MS-RL", 2024-10-08T07:22:24.1489578Z "severity": "medium", 2024-10-08T07:22:24.1490137Z "instructions": "" 2024-10-08T07:22:24.1490646Z }, 2024-10-08T07:22:24.1491111Z "SimPL-2.0": { 2024-10-08T07:22:24.1491683Z "licenseType": "SimPL-2.0", 2024-10-08T07:22:24.1492431Z "severity": "high", 2024-10-08T07:22:24.1492955Z "instructions": "" 2024-10-08T07:22:24.1493543Z } 2024-10-08T07:22:24.1493900Z } 2024-10-08T07:22:24.1494319Z }, 2024-10-08T07:22:24.1494882Z "packageManager": "maven", 2024-10-08T07:22:24.1495634Z "projectId": "585b6b28-57da-4dbb-bda8-0387c1c59e27", 2024-10-08T07:22:24.1496395Z "ignoreSettings": { 2024-10-08T07:22:24.1497032Z "adminOnly": false, 2024-10-08T07:22:24.1497579Z "reasonRequired": false, 2024-10-08T07:22:24.1498159Z "disregardFilesystemIgnores": false 2024-10-08T07:22:24.1498891Z }, 2024-10-08T07:22:24.1499422Z "summary": "4 vulnerable dependency paths", 2024-10-08T07:22:24.1500161Z "remediation": { 2024-10-08T07:22:24.1500713Z "unresolved": [], 2024-10-08T07:22:24.1501264Z "upgrade": { 2024-10-08T07:22:24.1501982Z "org.apache.maven:maven-embedder@2.0": { 2024-10-08T07:22:24.1503187Z "upgradeTo": "org.apache.maven:maven-embedder@3.8.1", 2024-10-08T07:22:24.1504017Z "upgrades": [ 2024-10-08T07:22:24.1504766Z "org.apache.maven:maven-core@2.0", 2024-10-08T07:22:24.1505786Z "org.codehaus.plexus:plexus-utils@1.0.4", 2024-10-08T07:22:24.1506659Z "org.codehaus.plexus:plexus-utils@1.0.4", 2024-10-08T07:22:24.1507607Z "org.codehaus.plexus:plexus-utils@1.0.4" 2024-10-08T07:22:24.1508398Z ], 2024-10-08T07:22:24.1508870Z "vulns": [ 2024-10-08T07:22:24.1509515Z "SNYK-JAVA-ORGAPACHEMAVEN-6144614", 2024-10-08T07:22:24.1510520Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-31521", 2024-10-08T07:22:24.1511445Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-461102", 2024-10-08T07:22:24.1512676Z "SNYK-JAVA-ORGCODEHAUSPLEXUS-31522" 2024-10-08T07:22:24.1513356Z ] 2024-10-08T07:22:24.1514082Z } 2024-10-08T07:22:24.1514639Z }, 2024-10-08T07:22:24.1515070Z "patch": {}, 2024-10-08T07:22:24.1515585Z "ignore": {}, 2024-10-08T07:22:24.1516150Z "pin": {} 2024-10-08T07:22:24.1516624Z }, 2024-10-08T07:22:24.1517040Z "filesystemPolicy": false, 2024-10-08T07:22:24.1517690Z "filtered": { 2024-10-08T07:22:24.1518195Z "ignore": [], 2024-10-08T07:22:24.1518798Z "patch": [] 2024-10-08T07:22:24.1519365Z }, 2024-10-08T07:22:24.1519811Z "uniqueCount": 4, 2024-10-08T07:22:24.1520410Z "projectName": "jenkins.mvn.demo:mvnwebapp", 2024-10-08T07:22:24.1521173Z "foundProjectCount": 1, 2024-10-08T07:22:24.1521764Z "displayTargetFile": "pom.xml", 2024-10-08T07:22:24.1522668Z "hasUnknownVersions": false, 2024-10-08T07:22:24.1523425Z "path": "/home/runner/work/PRBotCheck/PRBotCheck" 2024-10-08T07:22:24.1524145Z } 2024-10-08T07:22:27.9774893Z 2024-10-08T07:22:27.9776057Z Monitoring /home/runner/work/PRBotCheck/PRBotCheck/package-lock.json... 2024-10-08T07:22:27.9776727Z 2024-10-08T07:22:27.9777830Z Dependency express was not found in package-lock.json. Your package.json and package-lock.json are probably out of sync. Please run "npm install" and try again. 2024-10-08T07:22:27.9778865Z 2024-10-08T07:22:27.9779349Z ------------------------------------------------------- 2024-10-08T07:22:27.9779753Z 2024-10-08T07:22:27.9780209Z Monitoring /home/runner/work/PRBotCheck/PRBotCheck (jenkins.mvn.demo:mvnwebapp)... 2024-10-08T07:22:27.9780856Z 2024-10-08T07:22:27.9781843Z Explore this snapshot at https://app.snyk.io/org/itsarraj/project/585b6b28-57da-4dbb-bda8-0387c1c59e27/history/bba8fbeb-688a-404d-94ad-f0ba34d55c71 2024-10-08T07:22:27.9783410Z 2024-10-08T07:22:27.9783941Z Notifications about newly disclosed issues related to these dependencies will be emailed to you. 2024-10-08T07:22:27.9784641Z 2024-10-08T07:22:27.9798308Z 2024-10-08T07:22:27.9798916Z You have reached your monthly limit of 200 private tests for your itsarraj org. 2024-10-08T07:22:27.9800008Z To learn more about our plans and increase your tests limit visit https://snyk.io/plans. 2024-10-08T07:22:28.2985740Z Post job cleanup. 2024-10-08T07:22:28.3744506Z [command]/usr/bin/git version 2024-10-08T07:22:28.3779561Z git version 2.46.1 2024-10-08T07:22:28.3830020Z Temporarily overriding HOME='/home/runner/work/_temp/d27301e4-b822-4639-a9ee-eaf1adb7ce50' before making global git config changes 2024-10-08T07:22:28.3831776Z Adding repository directory to the temporary git global config as a safe directory 2024-10-08T07:22:28.3833870Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/PRBotCheck/PRBotCheck 2024-10-08T07:22:28.3867301Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand 2024-10-08T07:22:28.3896585Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 2024-10-08T07:22:28.4132627Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader 2024-10-08T07:22:28.4153866Z http.https://github.com/.extraheader 2024-10-08T07:22:28.4166416Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader 2024-10-08T07:22:28.4197895Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :" 2024-10-08T07:22:28.4649007Z Cleaning up orphan processesPlease consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components. |
AppSec Wiki Pull Request
Change Description:
Changes Made:
Reason for Change:
Checklist: