====== 安裝 grype 弱點掃描工具 ======
* 安裝環境 : Alpine 3.18
===== 安裝方式 =====
* 以官方安裝腳本安裝。注意: 下列指令會把從網路下載的腳本直接交給 sh 以 root 身分執行 (curl | sh)，屬於軟體供應鏈風險；建議先把 install.sh 下載下來檢視內容後再執行，並在指令最後加上版本 tag (例如 v0.73.4) 鎖定版本，而不是每次安裝都拿 GitHub 當下的最新版；安裝完成後可與 GitHub release 頁面所附的 checksum 檔比對執行檔
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
* ++看安裝結果|
# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
[info] checking github for the current release tag
[info] fetching release script for tag='v0.73.4'
[info] checking github for the current release tag
[info] using release tag='v0.73.4' version='0.73.4' os='linux' arch='amd64'
[info] installed /usr/local/bin/grype
++
===== 使用方式 =====
* 查看使用版本
# grype --version
grype 0.73.4
* 弱點資料庫管理
* 更新弱點資料庫 grype db update (掃描時預設 auto-update 為 true，會自動從 https://toolbox-data.anchore.io 下載；離線或有出口管制的環境需另行安排資料庫更新。依下方設定 validate-age 為 true、max-allowed-built-age 為 432000000000000 ns 即 5 天，資料庫建置時間超過此值會被 grype 視為過舊)
* 查看弱點資料庫資訊 grype db status，可用來確認 Built 時間與 Checksum 是否為預期的資料庫 Exp.
# grype db status
Location: /root/.cache/grype/db/5
Built: 2023-12-11 01:27:16 +0000 UTC
Schema: 5
Checksum: sha256:90d933240a0b2a10e3b893d04951baecf2945bd7ce5c3ae2e81d8d6e803fe31b
Status: valid
* 掃描 Docker Image 的弱點 Exp. anchore/grype:latest (注意: latest 這類 tag 會隨時間指向不同的 image，掃描結果無法重現；要固定掃描對象請改用 digest，例如下方 json 結果 repoDigests 所列的 anchore/grype@sha256:12b3b56d...。另外輸出 "0 vulnerability matches" 不代表沒有弱點，下方 WARN 指出部分套件缺少 CPE 而可能漏報，可加上 --add-cpes-if-none 再掃一次比較結果 (匹配會變多但也可能增加誤報)；在 CI 中可用 --fail-on-severity <severity>，達到指定嚴重度時以非零結束碼讓流程失敗)
grype anchore/grype:latest
* ++查看掃描結果|
# grype anchore/grype:latest
✔ Vulnerability DB [updated]
✔ Pulled image
✔ Loaded image anchore/grype:latest
✔ Parsed image sha256:7bd7209260255fa3c0c2aa38c3dd80614de046cda59944f298c1ad941839f7dc
✔ Cataloged packages [215 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
[0039] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
No vulnerabilities found
++
* ++結果改用 json 格式 (適合給程式處理；其中 descriptor.db.built 與 checksum 記錄了這次掃描使用的弱點資料庫版本，留存報告時可一併保存以利日後重現)|
# grype anchore/grype:latest -o json
✔ Vulnerability DB [no update available]
✔ Loaded image anchore/grype:latest
✔ Parsed image sha256:7bd7209260255fa3c0c2aa38c3dd80614de046cda59944f298c1ad941839f7dc
✔ Cataloged packages [215 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
[0001] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
{
"matches": [],
"source": {
"type": "image",
"target": {
"userInput": "anchore/grype:latest",
"imageID": "sha256:7bd7209260255fa3c0c2aa38c3dd80614de046cda59944f298c1ad941839f7dc",
"manifestDigest": "sha256:8a0ac521fbc9c203bdaa748ab2eae171ceae17ae00f0067821a777c95e7a469a",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"tags": [
"anchore/grype:latest"
],
"imageSize": 50871929,
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:131f16f7a73580d304c4502c3472a436c9025411b3ab1703757d41bc804612bb",
"size": 200313
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:d5d92bdaeb8d3e4acc6064a63d5b8d0fded7c9ad1398c7eff17e066f3f5e279e",
"size": 0
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:857304a0e6d76afa0e31d1c02b86377d6b68e147ac35e95a1a2df9d33323598d",
"size": 50671616
}
],
"manifest": "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",
"config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiRW50cnlwb2ludCI6WyIvZ3J5cGUiXSwiV29ya2luZ0RpciI6Ii90bXAiLCJMYWJlbHMiOnsiaW8uYXJ0aWZhY3RodWIucGFja2FnZS5saWNlbnNlIjoiQXBhY2hlLTIuMCIsImlvLmFydGlmYWN0aHViLnBhY2thZ2UubG9nby11cmwiOiJodHRwczovL3VzZXItaW1hZ2VzLmdpdGh1YnVzZXJjb250ZW50LmNvbS81MTk5Mjg5LzEzNjg1NTM5My1kMGE5ZWVmOS1jY2YxLTRlMmItOWQ3Yy03YWFkMTZhNTY3ZTUucG5nIiwiaW8uYXJ0aWZhY3RodWIucGFja2FnZS5yZWFkbWUtdXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2FuY2hvcmUvZ3J5cGUvbWFpbi9SRUFETUUubWQiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UuY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6MzI6MTNaIiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLmRlc2NyaXB0aW9uIjoiQSB2dWxuZXJhYmlsaXR5IHNjYW5uZXIgZm9yIGNvbnRhaW5lciBpbWFnZXMgYW5kIGZpbGVzeXN0ZW1zIiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLmxpY2Vuc2VzIjoiQXBhY2hlLTIuMCIsIm9yZy5vcGVuY29udGFpbmVycy5pbWFnZS5yZXZpc2lvbiI6ImE0YmNlZDE2MDI5MWU4MWRiZGVhYTQxNWQyMGU2NGI4NzQxZWUwMGQiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2Uuc291cmNlIjoiaHR0cHM6Ly9naXRodWIuY29tL2FuY2hvcmUvZ3J5cGUiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudGl0bGUiOiJncnlwZSIsIm9yZy5vcGVuY29udGFpbmVycy5pbWFnZS52ZW5kb3IiOiJBbmNob3JlLCBJbmMuIiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiIwLjczLjQifSwiT25CdWlsZCI6bnVsbH0sImNyZWF0ZWQiOiIyMDIzLTExLTMwVDE0OjM4OjE4LjUwMjkzMTY1N1oiLCJoaXN0b3J5IjpbeyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxNy4zNDA1MTI1MjVaIiwiY3JlYXRlZF9ieSI6IkNPUFkgL2V0Yy9zc2wvY2VydHMvY2EtY2VydGlmaWNhdGVzLmNydCAvZXRjL3NzbC9jZXJ0cy9jYS1jZXJ0aWZpY2F0ZXMuY3J0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6Mzg6MTcuNDA4MjM4OTkzWiIsImNyZWF0ZWRfYnkiOiJXT1JLRElSIC90bXAiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6Mzg6MTguNTAyOTMxNjU3WiIsImNyZWF0ZWRfYnkiOiJDT1BZIGdyeXBlIC8gIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkFSRyBCVUlMRF9EQVRFI
iwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkFSRyBCVUlMRF9WRVJTSU9OIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkFSRyBWQ1NfUkVGIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkFSRyBWQ1NfVVJMIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkxBQkVMIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS5jcmVhdGVkPTIwMjMtMTEtMzBUMTQ6MzI6MTNaIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkxBQkVMIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS50aXRsZT1ncnlwZSIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6Mzg6MTguNTAyOTMxNjU3WiIsImNyZWF0ZWRfYnkiOiJMQUJFTCBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UuZGVzY3JpcHRpb249QSB2dWxuZXJhYmlsaXR5IHNjYW5uZXIgZm9yIGNvbnRhaW5lciBpbWFnZXMgYW5kIGZpbGVzeXN0ZW1zIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkxBQkVMIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS5zb3VyY2U9aHR0cHM6Ly9naXRodWIuY29tL2FuY2hvcmUvZ3J5cGUiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIzLTExLTMwVDE0OjM4OjE4LjUwMjkzMTY1N1oiLCJjcmVhdGVkX2J5IjoiTEFCRUwgb3JnLm9wZW5jb250YWluZXJzLmltYWdlLnJldmlzaW9uPWE0YmNlZDE2MDI5MWU4MWRiZGVhYTQxNWQyMGU2NGI4NzQxZWUwMGQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIzLTExLTMwVDE0OjM4OjE4LjUwMjkzMTY1N1oiLCJjcmVhdGVkX2J5IjoiTEFCRUwgb3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlbmRvcj1BbmNob3JlLCBJbmMuIiwiY29tbWVudCI6ImJ1aWxka2l0L
mRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkxBQkVMIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS52ZXJzaW9uPTAuNzMuNCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6Mzg6MTguNTAyOTMxNjU3WiIsImNyZWF0ZWRfYnkiOiJMQUJFTCBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UubGljZW5zZXM9QXBhY2hlLTIuMCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjMtMTEtMzBUMTQ6Mzg6MTguNTAyOTMxNjU3WiIsImNyZWF0ZWRfYnkiOiJMQUJFTCBpby5hcnRpZmFjdGh1Yi5wYWNrYWdlLnJlYWRtZS11cmw9aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2FuY2hvcmUvZ3J5cGUvbWFpbi9SRUFETUUubWQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIzLTExLTMwVDE0OjM4OjE4LjUwMjkzMTY1N1oiLCJjcmVhdGVkX2J5IjoiTEFCRUwgaW8uYXJ0aWZhY3RodWIucGFja2FnZS5sb2dvLXVybD1odHRwczovL3VzZXItaW1hZ2VzLmdpdGh1YnVzZXJjb250ZW50LmNvbS81MTk5Mjg5LzEzNjg1NTM5My1kMGE5ZWVmOS1jY2YxLTRlMmItOWQ3Yy03YWFkMTZhNTY3ZTUucG5nIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkxBQkVMIGlvLmFydGlmYWN0aHViLnBhY2thZ2UubGljZW5zZT1BcGFjaGUtMi4wIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMy0xMS0zMFQxNDozODoxOC41MDI5MzE2NTdaIiwiY3JlYXRlZF9ieSI6IkVOVFJZUE9JTlQgW1wiL2dyeXBlXCJdIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7InR5cGUiOiJsYXllcnMiLCJkaWZmX2lkcyI6WyJzaGEyNTY6MTMxZjE2ZjdhNzM1ODBkMzA0YzQ1MDJjMzQ3MmE0MzZjOTAyNTQxMWIzYWIxNzAzNzU3ZDQxYmM4MDQ2MTJiYiIsInNoYTI1NjpkNWQ5MmJkYWViOGQzZTRhY2M2MDY0YTYzZDViOGQwZmRlZDdjOWFkMTM5OGM3ZWZmMTdlMDY2ZjNmNWUyNzllIiwic2hhMjU2Ojg1NzMwNGEwZTZkNzZhZmEwZTMxZDFjMDJiODYzNzdkNmI2OGUxNDdhYzM1ZTk1YTFhMmRmOWQzMzMyMzU5OGQiXX19",
"repoDigests": [
"anchore/grype@sha256:12b3b56d62116200795d43e568162257e9518c479e5348cc5ac4bdd4ca0bf4e8"
],
"architecture": "amd64",
"os": "linux",
"labels": {
"io.artifacthub.package.license": "Apache-2.0",
"io.artifacthub.package.logo-url": "https://user-images.githubusercontent.com/5199289/136855393-d0a9eef9-ccf1-4e2b-9d7c-7aad16a567e5.png",
"io.artifacthub.package.readme-url": "https://raw.githubusercontent.com/anchore/grype/main/README.md",
"org.opencontainers.image.created": "2023-11-30T14:32:13Z",
"org.opencontainers.image.description": "A vulnerability scanner for container images and filesystems",
"org.opencontainers.image.licenses": "Apache-2.0",
"org.opencontainers.image.revision": "a4bced160291e81dbdeaa415d20e64b8741ee00d",
"org.opencontainers.image.source": "https://github.com/anchore/grype",
"org.opencontainers.image.title": "grype",
"org.opencontainers.image.vendor": "Anchore, Inc.",
"org.opencontainers.image.version": "0.73.4"
}
}
},
"distro": {
"name": "",
"version": "",
"idLike": null
},
"descriptor": {
"name": "grype",
"version": "0.73.4",
"configuration": {
"output": [
"json"
],
"file": "",
"distro": "",
"add-cpes-if-none": false,
"output-template-file": "",
"check-for-app-update": true,
"only-fixed": false,
"only-notfixed": false,
"ignore-wontfix": "",
"platform": "",
"search": {
"scope": "squashed",
"unindexed-archives": false,
"indexed-archives": true
},
"ignore": null,
"exclude": [],
"db": {
"cache-dir": "/root/.cache/grype/db",
"update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
"ca-cert": "",
"auto-update": true,
"validate-by-hash-on-start": false,
"validate-age": true,
"max-allowed-built-age": 432000000000000
},
"externalSources": {
"enable": false,
"maven": {
"searchUpstreamBySha1": true,
"baseUrl": "https://search.maven.org/solrsearch/select"
}
},
"match": {
"java": {
"using-cpes": false
},
"dotnet": {
"using-cpes": false
},
"golang": {
"using-cpes": false,
"always-use-cpe-for-stdlib": true
},
"javascript": {
"using-cpes": false
},
"python": {
"using-cpes": false
},
"ruby": {
"using-cpes": false
},
"rust": {
"using-cpes": false
},
"stock": {
"using-cpes": true
}
},
"fail-on-severity": "",
"registry": {
"insecure-skip-tls-verify": false,
"insecure-use-http": false,
"auth": null,
"ca-cert": ""
},
"show-suppressed": false,
"by-cve": false,
"name": "",
"default-image-pull-source": "",
"vex-documents": [],
"vex-add": []
},
"db": {
"built": "2023-12-12T01:28:57Z",
"schemaVersion": 5,
"location": "/root/.cache/grype/db/5",
"checksum": "sha256:5f2cb595bf332cff23fe0812819822e5292547f6a180c44a9e8675e9ab1be495",
"error": null
},
"timestamp": "2023-12-12T12:33:35.954856244+08:00"
}
}
++
* 掃描原始碼使用套件的弱點 Exp. https://github.com/iii-org/akasha (目錄掃描是解析 setup.py、requirements、lockfile 等宣告檔來建立套件清單，並非實際安裝的版本，因此結果取決於宣告檔記載的版本；下方 WARN 提到未指定來源名稱與版本，可用 --name 參數 (對應設定中的 name) 給掃描對象一個明確識別，方便之後比對報告)
git clone https://github.com/iii-org/akasha.git
grype akasha
* ++看結果|
# grype akasha
✔ Vulnerability DB [no update available]
✔ Indexed file system akasha
✔ Cataloged packages [32 packages]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
└── by status: 1 fixed, 0 not-fixed, 0 ignored
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
opencc 1.1.1 1.1.2 python GHSA-9qh2-6fxg-9m4g Medium
++
* ++結果以 json 格式呈現 (json 中 matches[].vulnerability.fix.versions 為修正版本，此例 opencc 1.1.2；relatedVulnerabilities 對應到 CVE-2018-16982；artifact.locations 指出該套件是在 /setup.py 宣告，修正方式即為把宣告的版本升到修正版本)|
# grype akasha -o json
✔ Indexed file system akasha
✔ Vulnerability DB [no update available]
✔ Cataloged packages [32 packages]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
└── by status: 1 fixed, 0 not-fixed, 0 ignored
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
{
"matches": [
{
"vulnerability": {
"id": "GHSA-9qh2-6fxg-9m4g",
"dataSource": "https://github.com/advisories/GHSA-9qh2-6fxg-9m4g",
"namespace": "github:language:python",
"severity": "Medium",
"urls": [
"https://github.com/advisories/GHSA-9qh2-6fxg-9m4g"
],
"description": "Open Chinese Convert subject to Denial of Service via Out-of-bounds Read",
"cvss": [
{
"version": "3.0",
"vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.8,
"impactScore": 3.6
},
"vendorMetadata": {
"base_severity": "Medium",
"status": "N/A"
}
}
],
"fix": {
"versions": [
"1.1.2"
],
"state": "fixed"
},
"advisories": []
},
"relatedVulnerabilities": [
{
"id": "CVE-2018-16982",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-16982",
"namespace": "nvd:cpe",
"severity": "Medium",
"urls": [
"https://github.com/BYVoid/OpenCC/issues/303"
],
"description": "Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial of service (segmentation fault) because BinaryDict::NewFromFile in BinaryDict.cpp may have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file.",
"cvss": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "2.0",
"vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"metrics": {
"baseScore": 4.3,
"exploitabilityScore": 8.6,
"impactScore": 2.9
},
"vendorMetadata": {}
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "3.0",
"vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.8,
"impactScore": 3.6
},
"vendorMetadata": {}
}
]
}
],
"matchDetails": [
{
"type": "exact-direct-match",
"matcher": "python-matcher",
"searchedBy": {
"language": "python",
"namespace": "github:language:python",
"package": {
"name": "opencc",
"version": "1.1.1"
}
},
"found": {
"versionConstraint": "<1.1.2 (python)",
"vulnerabilityID": "GHSA-9qh2-6fxg-9m4g"
}
}
],
"artifact": {
"id": "dc27cd82392a6d54",
"name": "opencc",
"version": "1.1.1",
"type": "python",
"locations": [
{
"path": "/setup.py"
}
],
"language": "python",
"licenses": [],
"cpes": [
"cpe:2.3:a:python-opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python-opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python_opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python_opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:opencc:python-opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:opencc:python_opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python-opencc:opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python:python-opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python:python_opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python_opencc:opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:opencc:opencc:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:python:opencc:1.1.1:*:*:*:*:*:*:*"
],
"purl": "pkg:pypi/opencc@1.1.1",
"upstreams": []
}
}
],
"source": {
"type": "directory",
"target": "akasha"
},
"distro": {
"name": "",
"version": "",
"idLike": null
},
"descriptor": {
"name": "grype",
"version": "0.73.4",
"configuration": {
"output": [
"json"
],
"file": "",
"distro": "",
"add-cpes-if-none": false,
"output-template-file": "",
"check-for-app-update": true,
"only-fixed": false,
"only-notfixed": false,
"ignore-wontfix": "",
"platform": "",
"search": {
"scope": "squashed",
"unindexed-archives": false,
"indexed-archives": true
},
"ignore": null,
"exclude": [],
"db": {
"cache-dir": "/root/.cache/grype/db",
"update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
"ca-cert": "",
"auto-update": true,
"validate-by-hash-on-start": false,
"validate-age": true,
"max-allowed-built-age": 432000000000000
},
"externalSources": {
"enable": false,
"maven": {
"searchUpstreamBySha1": true,
"baseUrl": "https://search.maven.org/solrsearch/select"
}
},
"match": {
"java": {
"using-cpes": false
},
"dotnet": {
"using-cpes": false
},
"golang": {
"using-cpes": false,
"always-use-cpe-for-stdlib": true
},
"javascript": {
"using-cpes": false
},
"python": {
"using-cpes": false
},
"ruby": {
"using-cpes": false
},
"rust": {
"using-cpes": false
},
"stock": {
"using-cpes": true
}
},
"fail-on-severity": "",
"registry": {
"insecure-skip-tls-verify": false,
"insecure-use-http": false,
"auth": null,
"ca-cert": ""
},
"show-suppressed": false,
"by-cve": false,
"name": "",
"default-image-pull-source": "",
"vex-documents": [],
"vex-add": []
},
"db": {
"built": "2023-12-12T01:28:57Z",
"schemaVersion": 5,
"location": "/root/.cache/grype/db/5",
"checksum": "sha256:5f2cb595bf332cff23fe0812819822e5292547f6a180c44a9e8675e9ab1be495",
"error": null
},
"timestamp": "2023-12-12T12:49:17.587473912+08:00"
}
}
++
===== 參考網址 =====
* https://github.com/anchore/grype
{{tag>資安}}