chore(findings): big-bang/devops-tester
Summary
big-bang/devops-tester has 170 new findings discovered during continuous monitoring.
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=big-bang/devops-tester&tag=1.1&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2026-7168 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00079 | false | ||
| CVE-2026-39829 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00074 | false | ||
| CVE-2026-41506 | Twistlock CVE | Medium | github.com/go-git/go-git/v5-v5.17.2 | 0.00057 | false | ||
| CVE-2026-39820 | Twistlock CVE | High | net/mail-1.26.0 | 0.00054 | false | ||
| CVE-2026-39820 | Twistlock CVE | High | net/mail-1.25.9 | 0.00054 | false | ||
| CVE-2026-39820 | Anchore CVE | High | stdlib-go1.25.9 | 0.00054 | false | ||
| CVE-2026-39820 | Anchore CVE | High | stdlib-go1.24.11 | 0.00054 | false | ||
| CVE-2026-39820 | Anchore CVE | High | stdlib-go1.26.0 | 0.00054 | false | ||
| CVE-2026-39820 | Anchore CVE | High | stdlib-go1.24.6 | 0.00054 | false | ||
| CVE-2026-39821 | Twistlock CVE | Low | golang.org/x/net/idna-v0.52.0 | 0.00045 | false | ||
| CVE-2026-39821 | Twistlock CVE | Low | golang.org/x/net/idna-v0.53.0 | 0.00045 | false | ||
| CVE-2026-25680 | Twistlock CVE | Low | golang.org/x/net/html-v0.38.0 | 0.00043 | false | ||
| CVE-2026-46597 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00042 | false | ||
| CVE-2026-39834 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00042 | false | ||
| CVE-2026-39830 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00042 | false | ||
| CVE-2026-39827 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00041 | false | ||
| CVE-2026-5545 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00037 | false | ||
| CVE-2026-44245 | Anchore CVE | Medium | github.com/kyverno/kyverno-v1.17.2+dirty | 0.00031 | false | ||
| CVE-2026-42506 | Twistlock CVE | Low | golang.org/x/net/html-v0.38.0 | 0.00031 | false | ||
| CVE-2026-42502 | Twistlock CVE | Low | golang.org/x/net/html-v0.38.0 | 0.00031 | false | ||
| CVE-2026-27136 | Twistlock CVE | Low | golang.org/x/net/html-v0.38.0 | 0.00031 | false | ||
| CVE-2026-25681 | Twistlock CVE | Low | golang.org/x/net/html-v0.38.0 | 0.00031 | false | ||
| CVE-2026-6253 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00030 | false | ||
| CVE-2026-39832 | Twistlock CVE | Low | golang.org/x/crypto/ssh/agent-v0.49.0 | 0.00030 | false | ||
| CVE-2026-35469 | Twistlock CVE | High | github.com/moby/spdystream-v0.5.0 | 0.00029 | false | ||
| CVE-2026-27138 | Twistlock CVE | Medium | crypto/x509-1.26.0 | 0.00029 | false | ||
| CVE-2026-27138 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00029 | false | ||
| CVE-2026-42499 | Twistlock CVE | High | net/mail-1.25.9 | 0.00022 | false | ||
| CVE-2026-42499 | Twistlock CVE | High | net/mail-1.26.0 | 0.00022 | false | ||
| CVE-2026-42499 | Anchore CVE | High | stdlib-go1.24.11 | 0.00022 | false | ||
| CVE-2026-42499 | Anchore CVE | High | stdlib-go1.26.0 | 0.00022 | false | ||
| CVE-2026-42499 | Anchore CVE | High | stdlib-go1.24.6 | 0.00022 | false | ||
| CVE-2026-42499 | Anchore CVE | High | stdlib-go1.25.9 | 0.00022 | false | ||
| CVE-2026-39831 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00022 | false | ||
| CVE-2026-32281 | Twistlock CVE | High | crypto/x509-1.24.6 | 0.00022 | false | ||
| CVE-2026-32281 | Twistlock CVE | High | crypto/x509-1.24.11 | 0.00022 | false | ||
| CVE-2026-32281 | Anchore CVE | High | stdlib-go1.24.6 | 0.00022 | false | ||
| CVE-2026-32281 | Anchore CVE | High | stdlib-go1.24.11 | 0.00022 | false | ||
| CVE-2026-32281 | Twistlock CVE | High | crypto/x509-1.26.0 | 0.00022 | false | ||
| CVE-2026-32281 | Anchore CVE | High | stdlib-go1.26.0 | 0.00022 | false | ||
| CVE-2026-27143 | Anchore CVE | Critical | stdlib-go1.24.6 | 0.00022 | false | ||
| CVE-2026-27143 | Anchore CVE | Critical | stdlib-go1.24.11 | 0.00022 | false | ||
| CVE-2026-27143 | Anchore CVE | Critical | stdlib-go1.26.0 | 0.00022 | false | ||
| CVE-2026-6429 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00021 | false | ||
| CVE-2026-32280 | Twistlock CVE | High | crypto/x509-1.24.11 | 0.00021 | false | ||
| CVE-2026-32280 | Twistlock CVE | High | crypto/x509-1.24.6 | 0.00021 | false | ||
| CVE-2026-32280 | Anchore CVE | High | stdlib-go1.24.11 | 0.00021 | false | ||
| CVE-2026-32280 | Anchore CVE | High | stdlib-go1.24.6 | 0.00021 | false | ||
| CVE-2026-32280 | Twistlock CVE | High | crypto/x509-1.26.0 | 0.00021 | false | ||
| CVE-2026-32280 | Anchore CVE | High | stdlib-go1.26.0 | 0.00021 | false | ||
| CVE-2026-42154 | Twistlock CVE | High | github.com/prometheus/prometheus-v0.303.0 | 0.00020 | false | ||
| CVE-2026-39836 | Twistlock CVE | High | net-1.24.6 | 0.00020 | false | ||
| CVE-2026-39836 | Twistlock CVE | High | net-1.24.11 | 0.00020 | false | ||
| CVE-2026-39836 | Twistlock CVE | High | net-1.26.0 | 0.00020 | false | ||
| CVE-2026-39836 | Twistlock CVE | High | net-1.25.9 | 0.00020 | false | ||
| CVE-2026-39836 | Anchore CVE | High | stdlib-go1.24.6 | 0.00020 | false | ||
| CVE-2026-39836 | Anchore CVE | High | stdlib-go1.25.9 | 0.00020 | false | ||
| CVE-2026-39836 | Anchore CVE | High | stdlib-go1.24.11 | 0.00020 | false | ||
| CVE-2026-39836 | Anchore CVE | High | stdlib-go1.26.0 | 0.00020 | false | ||
| CVE-2026-5773 | Anchore CVE | High | curl-8.19.0-r0 | 0.00019 | false | ||
| CVE-2026-39835 | Twistlock CVE | Low | golang.org/x/crypto/ssh-v0.49.0 | 0.00019 | false | ||
| CVE-2026-32283 | Twistlock CVE | High | crypto/tls-1.24.6 | 0.00019 | false | ||
| CVE-2026-32283 | Twistlock CVE | High | crypto/tls-1.24.11 | 0.00019 | false | ||
| CVE-2026-32283 | Anchore CVE | High | stdlib-go1.24.6 | 0.00019 | false | ||
| CVE-2026-32283 | Anchore CVE | High | stdlib-go1.24.11 | 0.00019 | false | ||
| CVE-2026-32283 | Twistlock CVE | High | crypto/tls-1.26.0 | 0.00019 | false | ||
| CVE-2026-32283 | Anchore CVE | High | stdlib-go1.26.0 | 0.00019 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | golang.org/x/net/http2-v0.38.0 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | net/http-1.24.6 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | golang.org/x/net/http2-v0.42.0 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | golang.org/x/net/http2-v0.52.0 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | net/http-1.26.0 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | net/http-1.25.9 | 0.00018 | false | ||
| CVE-2026-33814 | Twistlock CVE | High | net/http-1.24.11 | 0.00018 | false | ||
| CVE-2026-33814 | Anchore CVE | High | stdlib-go1.26.0 | 0.00018 | false | ||
| CVE-2026-33814 | Anchore CVE | High | stdlib-go1.25.9 | 0.00018 | false | ||
| CVE-2026-33814 | Anchore CVE | High | stdlib-go1.24.6 | 0.00018 | false | ||
| CVE-2026-33814 | Anchore CVE | High | stdlib-go1.24.11 | 0.00018 | false | ||
| CVE-2026-33811 | Twistlock CVE | High | net-1.24.6 | 0.00017 | false | ||
| CVE-2026-33811 | Twistlock CVE | High | net-1.24.11 | 0.00017 | false | ||
| CVE-2026-33811 | Twistlock CVE | High | net-1.26.0 | 0.00017 | false | ||
| CVE-2026-33811 | Twistlock CVE | High | net-1.25.9 | 0.00017 | false | ||
| CVE-2026-33811 | Anchore CVE | High | stdlib-go1.24.6 | 0.00017 | false | ||
| CVE-2026-33811 | Anchore CVE | High | stdlib-go1.25.9 | 0.00017 | false | ||
| CVE-2026-33811 | Anchore CVE | High | stdlib-go1.24.11 | 0.00017 | false | ||
| CVE-2026-33811 | Anchore CVE | High | stdlib-go1.26.0 | 0.00017 | false | ||
| CVE-2026-27137 | Twistlock CVE | High | crypto/x509-1.26.0 | 0.00016 | false | ||
| CVE-2026-27137 | Anchore CVE | High | stdlib-go1.26.0 | 0.00016 | false | ||
| CVE-2026-27140 | Anchore CVE | High | stdlib-go1.24.6 | 0.00015 | false | ||
| CVE-2026-27140 | Anchore CVE | High | stdlib-go1.24.11 | 0.00015 | false | ||
| CVE-2026-27140 | Anchore CVE | High | stdlib-go1.26.0 | 0.00015 | false | ||
| CVE-2026-4873 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00014 | false | ||
| CVE-2026-7009 | Anchore CVE | Medium | curl-8.19.0-r0 | 0.00013 | false | ||
| CVE-2026-6276 | Anchore CVE | High | curl-8.19.0-r0 | 0.00013 | false | ||
| CVE-2026-39826 | Twistlock CVE | Medium | html/template-1.25.9 | 0.00013 | false | ||
| CVE-2026-39826 | Twistlock CVE | Medium | html/template-1.24.6 | 0.00013 | false | ||
| CVE-2026-39826 | Twistlock CVE | Medium | html/template-1.26.0 | 0.00013 | false | ||
| CVE-2026-39826 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00013 | false | ||
| CVE-2026-39826 | Anchore CVE | Medium | stdlib-go1.25.9 | 0.00013 | false | ||
| CVE-2026-39826 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00013 | false | ||
| CVE-2026-39826 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00013 | false | ||
| CVE-2026-33810 | Twistlock CVE | High | crypto/x509-1.26.0 | 0.00013 | false | ||
| CVE-2026-33810 | Anchore CVE | High | stdlib-go1.26.0 | 0.00013 | false | ||
| CVE-2026-40179 | Twistlock CVE | Medium | github.com/prometheus/prometheus-v0.303.0 | 0.00012 | false | ||
| CVE-2026-39825 | Twistlock CVE | Medium | net/http/httputil-1.26.0 | 0.00012 | false | ||
| CVE-2026-39825 | Twistlock CVE | Medium | net/http/httputil-1.24.11 | 0.00012 | false | ||
| CVE-2026-39825 | Twistlock CVE | Medium | net/http/httputil-1.24.6 | 0.00012 | false | ||
| CVE-2026-39825 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00012 | false | ||
| CVE-2026-39825 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00012 | false | ||
| CVE-2026-39825 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00012 | false | ||
| CVE-2026-39825 | Anchore CVE | Medium | stdlib-go1.25.9 | 0.00012 | false | ||
| CVE-2026-32289 | Twistlock CVE | Medium | html/template-1.24.6 | 0.00011 | false | ||
| CVE-2026-32289 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00011 | false | ||
| CVE-2026-32289 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00011 | false | ||
| CVE-2026-32289 | Twistlock CVE | Medium | html/template-1.26.0 | 0.00011 | false | ||
| CVE-2026-32289 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00011 | false | ||
| CVE-2026-42151 | Twistlock CVE | High | github.com/prometheus/prometheus-v0.303.0 | 0.00010 | false | ||
| CVE-2026-39823 | Twistlock CVE | Medium | html/template-1.26.0 | 0.00010 | false | ||
| CVE-2026-39823 | Twistlock CVE | Medium | html/template-1.24.6 | 0.00010 | false | ||
| CVE-2026-39823 | Twistlock CVE | Medium | html/template-1.25.9 | 0.00010 | false | ||
| CVE-2026-39823 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00010 | false | ||
| CVE-2026-39823 | Anchore CVE | Medium | stdlib-go1.25.9 | 0.00010 | false | ||
| CVE-2026-39823 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00010 | false | ||
| CVE-2026-39823 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00010 | false | ||
| CVE-2026-32282 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00010 | false | ||
| CVE-2026-32282 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00010 | false | ||
| CVE-2026-32282 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00010 | false | ||
| CVE-2026-39984 | Twistlock CVE | Medium | github.com/sigstore/timestamp-authority/v2-v2.0.4 | 0.00009 | false | ||
| CVE-2026-39819 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00009 | false | ||
| CVE-2026-39819 | Anchore CVE | Medium | stdlib-go1.25.9 | 0.00009 | false | ||
| CVE-2026-39819 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00009 | false | ||
| CVE-2026-39819 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00009 | false | ||
| CVE-2026-42501 | Anchore CVE | High | stdlib-go1.24.6 | 0.00008 | false | ||
| CVE-2026-42501 | Anchore CVE | High | stdlib-go1.25.9 | 0.00008 | false | ||
| CVE-2026-42501 | Anchore CVE | High | stdlib-go1.24.11 | 0.00008 | false | ||
| CVE-2026-42501 | Anchore CVE | High | stdlib-go1.26.0 | 0.00008 | false | ||
| CVE-2026-27144 | Anchore CVE | High | stdlib-go1.24.11 | 0.00006 | false | ||
| CVE-2026-27144 | Anchore CVE | High | stdlib-go1.24.6 | 0.00006 | false | ||
| CVE-2026-27144 | Anchore CVE | High | stdlib-go1.26.0 | 0.00006 | false | ||
| CVE-2026-39817 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00005 | false | ||
| CVE-2026-39817 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00005 | false | ||
| CVE-2026-39817 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00005 | false | ||
| CVE-2026-39817 | Anchore CVE | Medium | stdlib-go1.25.9 | 0.00005 | false | ||
| CVE-2026-32288 | Twistlock CVE | Medium | archive/tar-1.24.11 | 0.00004 | false | ||
| CVE-2026-32288 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00004 | false | ||
| CVE-2026-32288 | Anchore CVE | Medium | stdlib-go1.24.11 | 0.00004 | false | ||
| CVE-2026-32288 | Twistlock CVE | Medium | archive/tar-1.24.6 | 0.00004 | false | ||
| CVE-2026-32288 | Twistlock CVE | Medium | archive/tar-1.26.0 | 0.00004 | false | ||
| CVE-2026-32288 | Anchore CVE | Medium | stdlib-go1.26.0 | 0.00004 | false | ||
| CVE-2026-45571 | Twistlock CVE | Medium | github.com/go-git/go-git/v5-v5.17.2 | N/A | false | ||
| CVE-2026-45570 | Twistlock CVE | Low | github.com/go-git/go-git/v5-v5.17.2 | N/A | false | ||
| CVE-2026-45022 | Twistlock CVE | High | github.com/go-git/go-git/v5-v5.17.2 | N/A | false | ||
| CVE-2026-44973 | Twistlock CVE | High | github.com/go-git/go-billy/v5-v5.8.0 | N/A | false | ||
| CVE-2026-44903 | Twistlock CVE | Medium | github.com/prometheus/prometheus-v0.303.0 | N/A | false | ||
| CVE-2026-44740 | Twistlock CVE | Medium | github.com/go-git/go-billy/v5-v5.8.0 | N/A | false | ||
| GHSA-xm5m-wgh2-rrg3 | Anchore CVE | Medium | github.com/sigstore/timestamp-authority/v2-v2.0.4 | N/A | N/A | ||
| GHSA-wg65-39gg-5wfj | Anchore CVE | High | github.com/prometheus/prometheus-v0.303.0 | N/A | N/A | ||
| GHSA-vffh-x6r8-xx99 | Anchore CVE | Medium | github.com/prometheus/prometheus-v0.303.0 | N/A | N/A | ||
| GHSA-qw64-3x98-g7q2 | Anchore CVE | High | github.com/go-git/go-billy/v5-v5.8.0 | N/A | N/A | ||
| GHSA-pmwq-pjrm-6p5r | Anchore CVE | Medium | github.com/in-toto/in-toto-golang-v0.10.0 | N/A | N/A | ||
| GHSA-pmwq-pjrm-6p5r | Twistlock CVE | Medium | github.com/in-toto/in-toto-golang-v0.10.0 | N/A | N/A | ||
| GHSA-pjcq-xvwq-hhpj | Anchore CVE | Medium | github.com/Azure/go-ntlmssp-v0.0.0-20221128193559-754e69321358 | N/A | N/A | ||
| GHSA-pc3f-x583-g7j2 | Anchore CVE | High | github.com/moby/spdystream-v0.5.0 | N/A | N/A | ||
| GHSA-m7cr-m3pv-hgrp | Anchore CVE | Low | github.com/go-git/go-git/v5-v5.17.2 | N/A | N/A | ||
| GHSA-m3xc-h892-ggx6 | Anchore CVE | Medium | github.com/go-git/go-billy/v5-v5.8.0 | N/A | N/A | ||
| GHSA-fw8g-cg8f-9j28 | Anchore CVE | Medium | github.com/prometheus/prometheus-v0.303.0 | N/A | N/A | ||
| GHSA-crhj-59gh-8x96 | Anchore CVE | Medium | github.com/go-git/go-git/v5-v5.17.2 | N/A | N/A | ||
| GHSA-8rm2-7qqf-34qm | Anchore CVE | High | github.com/prometheus/prometheus-v0.303.0 | N/A | N/A | ||
| GHSA-3xc5-wrhm-f963 | Anchore CVE | Medium | github.com/go-git/go-git/v5-v5.17.2 | N/A | N/A | ||
| GHSA-389r-gv7p-r3rp | Anchore CVE | High | github.com/go-git/go-git/v5-v5.17.2 | N/A | N/A |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=big-bang/devops-tester&tag=1.1&branch=master
Tasks
Contributor:
- Apply the StatusReview label to this issue for a
merge request reviewand wait for feedback
OR
- Provide justifications for findings in the VAT (docs)
- Apply the StatusVerification label to this issue for a
VAT justifications reviewand wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the
RevieworVerificationlabel will be removed and the issue will be sent back toTo-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theRevieworVerificationlabel.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.
Edited by CHORE_TOKEN