[0KRunning with gitlab-runner 13.8.0 (775dd39d)
[0;m[0K  on dsop-shared-gitlab-runner-f887cbcbd-srgz6 E82_g8RG
[0;msection_start:1630368450:resolve_secrets[0K[0K[36;1mResolving secrets[0;m
[0;msection_end:1630368450:resolve_secrets[0Ksection_start:1630368450:prepare_executor[0K[0K[36;1mPreparing the "kubernetes" executor[0;m
[0;m[0K"ServiceAccount" overwritten with "vat"
[0;m[0KUsing Kubernetes namespace: gitlab-runner-ironbank-dsop
[0;m[0;33mWARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
[0;m[0KUsing Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ...
[0;msection_end:1630368450:prepare_executor[0Ksection_start:1630368450:prepare_script[0K[0K[36;1mPreparing environment[0;m
[0;mWaiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-2410-concurrent-0kcjpq to be running, status is Pending
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-2410-concurrent-0kcjpq to be running, status is Pending
	ContainersNotInitialized: "containers with incomplete status: [istio-init]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-2410-concurrent-0kcjpq to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Running on runner-e82g8rg-project-2410-concurrent-0kcjpq via dsop-shared-gitlab-runner-f887cbcbd-srgz6...
section_end:1630368460:prepare_script[0Ksection_start:1630368460:get_sources[0K[0K[36;1mGetting source from Git repository[0;m
[0;m[32;1m$ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available;[0;m
Waiting for Sidecar
Sidecar available
[32;1mFetching changes with git depth set to 50...[0;m
Initialized empty Git repository in /builds/dsop/kubeflow/katib/suggestion-nasrl-57c6abf76193/.git/
[32;1mCreated fresh repository.[0;m
[32;1mChecking out d572d935 as development...[0;m
Skipping object checkout, Git LFS is not installed.

[32;1mSkipping Git submodules setup[0;m
section_end:1630368464:get_sources[0Ksection_start:1630368464:download_artifacts[0K[0K[36;1mDownloading artifacts[0;m
[0;m[32;1mDownloading artifacts for anchore-scan (6087034)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087034 responseStatus[0;m=200 OK token[0;m=zMuLePCE
[0;33mWARNING: ci-artifacts/scan-results/anchore/: lchown ci-artifacts/scan-results/anchore/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for build (6087032)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087032 responseStatus[0;m=200 OK token[0;m=byutD3NS
[0;33mWARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for hardening-manifest (6087028)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087028 responseStatus[0;m=200 OK token[0;m=iw2GbLwy
[0;33mWARNING: ci-artifacts/preflight/: lchown ci-artifacts/preflight/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for load-scripts (6087025)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087025 responseStatus[0;m=200 OK token[0;m=L2j13Tmt
[32;1mDownloading artifacts for openscap-compliance (6087035)...[0;m
[0;33mWARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats)[0;m 
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087035 responseStatus[0;m=200 OK token[0;m=a3jT54oi
[32;1mDownloading artifacts for twistlock-scan (6087036)...[0;m
[0;33mWARNING: ci-artifacts/scan-results/openscap/: lchown ci-artifacts/scan-results/openscap/: operation not permitted (suppressing repeats)[0;m 
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087036 responseStatus[0;m=200 OK token[0;m=VTJFb4a1
[0;33mWARNING: ci-artifacts/scan-results/twistlock/: lchown ci-artifacts/scan-results/twistlock/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for wl-compare-lint (6087029)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=6087029 responseStatus[0;m=200 OK token[0;m=zfBP92u-
[0;33mWARNING: ci-artifacts/lint/: lchown ci-artifacts/lint/: operation not permitted (suppressing repeats)[0;m 
section_end:1630368465:download_artifacts[0Ksection_start:1630368465:step_script[0K[0K[36;1mExecuting "step_script" stage of the job script[0;m
[0;m[32;1m$ "${PIPELINE_REPO_DIR}/stages/vat/vat-run-api.sh"[0;m
INFO: Log level set to info
INFO: Gathering list of all justifications...
INFO: API Response:
{"imageName":"kubeflow/katib/suggestion-nasrl-57c6abf76193","imageTag":"57c6abf76193","vatUrl":"https://vat.dso.mil/vat/container/1480","accreditation":"Conditionally Approved","containerState":"Under Review","earliestExpiration":"2022-05-21T04:00:00.000Z","findings":[{"identifier":"41cb7cdf04850e33a11f80c42bf660b3","source":"anchore_comp","description":"Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check\n Gate: dockerfile\n Trigger: instruction\n Policy ID: DoDDockerfileChecks","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T17:00:57.000Z","justification":"No exposed port to run healthcheck on.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T17:08:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-22T02:21:30.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80935-0","source":"oscap_comp","description":"Configure System Cryptography Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. FIPS enablement requires the host node to have FIPS enabled at the kernel level which is inherited into the container.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80938-4","source":"oscap_comp","description":"Configure OpenSSL library to use System Crypto Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. /etc/pki/tls/openssl.cnf contains: [ crypto_policy ] .include /etc/crypto-policies/back-ends/openssl.config .include /etc/crypto-policies/back-ends/opensslcnf.config","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82168-6","source":"oscap_comp","description":"Log USBGuard daemon audit events using Linux Audit","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82214-8","source":"oscap_comp","description":"Install sudo Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2021-01-27T17:54:16.000Z","justification":"Sudo is not installed by default since most images are unprivileged and do not require any super user permissions. Removing the package removes the risk of any privilege escalation exploits within sudo.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-01-27T17:57:21.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82220-5","source":"oscap_comp","description":"Install openscap-scanner Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82267-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Only Security Updates","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82360-9","source":"oscap_comp","description":"Enable dnf-automatic Timer","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82368-2","source":"oscap_comp","description":"Authorize Human Interface Devices and USB hubs in USBGuard daemon","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82395-5","source":"oscap_comp","description":"Ensure gnutls-utils is installed","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-13T21:13:21.000Z","justification":"Package not available in UBI repos. This package only contains command line TLS client and server and certificate manipulation tools.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2020-11-13T21:16:30.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82472-2","source":"oscap_comp","description":"Set Existing Passwords Minimum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82473-0","source":"oscap_comp","description":"Set Existing Passwords Maximum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82474-8","source":"oscap_comp","description":"Assign Expiration Date to Temporary Accounts","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. No temporary accounts exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82494-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Available Updates Automatically","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82880-6","source":"oscap_comp","description":"Configure session renegotiation for SSH client","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"Not applicable. openssh-clients is not installed in the base image by default.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:01.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82949-9","source":"oscap_comp","description":"Install scap-security-guide Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82959-8","source":"oscap_comp","description":"Install usbguard Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82979-6","source":"oscap_comp","description":"Install libcap-ng-utils Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82985-3","source":"oscap_comp","description":"Install dnf-automatic Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. Package performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-83401-0","source":"oscap_comp","description":"Enforce pam_faillock for Local Accounts Only","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"False positive. local_users_only is set in /etc/security/faillock.conf ","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"False Positive","falsePositive":true,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:02.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20838","source":"anchore_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2019-20838","source":"twistlock_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:28.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"anchore_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"twistlock_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a ","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-15265","source":"twistlock_cve","description":"In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.","package":"tensorflow-1.15.5","findingsState":"needs_justification"},{"identifier":"CVE-2020-15266","source":"twistlock_cve","description":"In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.","package":"tensorflow-1.15.5","findingsState":"needs_justification"},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-16135","source":"twistlock_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24370","source":"anchore_cve","description":"ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).","package":"lua-libs-5.3.4-11.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Published 2020-07-23. Fix available upstream in lua master branch 2020-07-27. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-20231","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20231","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"twistlock_cve","description":"A flaw was found in RPM\\'s hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"twistlock_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \\\"Exposure of Private Personal Information to an Unauthorized Actor\\\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:16.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"twistlock_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-22T21:11:58.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-22T21:14:01.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-22T21:14:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"twistlock_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"twistlock_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\\'s expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"twistlock_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take \\'issuercert\\' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn\\'t include the \\'issuer cert\\' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"twistlock_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","justification":"Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-16T21:16:24.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"anchore_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"twistlock_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29513","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29513","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29515","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:22.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29516","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations(https://github.com/tensorflow/tensorflow/blob/904b3926ed1c6c70380d5313d282d248a776baa1/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L39-L40) does not validate that the ragged tensor argument is non-empty. Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29517","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. A malicious user could trigger a division by 0 in `Conv3D` implementation. The implementation(https://github.com/tensorflow/tensorflow/blob/42033603003965bffac51ae171b51801565e002d/tensorflow/core/kernels/conv_ops_3d.cc#L143-L145) does a modulo operation based on user controlled input. Thus, when `filter` has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29518","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. In eager mode (default in TF 2.0 and later), session operations are invalid. However, users could still call the raw ops associated with them and trigger a null pointer dereference. The implementation(https://github.com/tensorflow/tensorflow/blob/eebb96c2830d48597d055d247c0e9aebaea94cd5/tensorflow/core/kernels/session_ops.cc#L104) dereferences the session state pointer without checking if it is valid. Thus, in eager mode, `ctx->session_state()` is nullptr and the call of the member function is undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:22.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29519","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/kernels/sparse_cross_op.cc#L114-L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29520","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29520","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29522","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a91bb59769f19146d5a0c20060244378e878f140/tensorflow/core/kernels/conv_grad_ops_3d.cc#L430-L450) does not check that the divisor used in computing the shard size is not zero. Thus, if attacker controls the input sizes, they can trigger a denial of service via a division by zero error. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29523","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.AddManySparseToTensorsMap`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/kernels/sparse_tensors_map_ops.cc#L257) takes the values specified in `sparse_shape` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29524","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/496c2630e51c1a478f095b084329acedb253db6b/tensorflow/core/kernels/conv_grad_shape_utils.cc#L130) does a modulus operation where the divisor is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29525","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e3107917c797ba052f4506ab/tensorflow/core/kernels/conv_grad_input_ops.h#L625-L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29525","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e3107917c797ba052f4506ab/tensorflow/core/kernels/conv_grad_input_ops.h#L625-L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29526","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/988087bd83f144af14087fe4fecee2d250d93737/tensorflow/core/kernels/conv_ops.cc#L261-L263) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29527","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/00e9a4d67d76703fa1aee33dac582acf317e0e81/tensorflow/core/kernels/quantized_conv_ops.cc#L257-L259) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29527","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/00e9a4d67d76703fa1aee33dac582acf317e0e81/tensorflow/core/kernels/quantized_conv_ops.cc#L257-L259) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29528","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedMul`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55900e961ed4a23b438392024912154a2c2f5e85/tensorflow/core/kernels/quantized_mul_op.cc#L188-L198) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29529","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in `tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L62-L66) computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value. For some values of `in`, `interpolation->upper[i]` might be smaller than `interpolation->lower[i]`. This is an issue if `interpolation->upper[i]` is capped at `in_size-1` as it means that `interpolation->lower[i]` points outside of the image. Then, in the interpolation code(https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L245-L264), this would result in heap buffer overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29530","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/kernels/sparse/sparse_cholesky_op.cc#L85-L86) fails to properly validate the input arguments. Although `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since `OP_REQUIRES`(https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/framework/op_requires.h#L41-L48) is a macro that only exits the current function. Thus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context->status()` or to convert `ValidateInputs` to return a `Status`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29530","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/kernels/sparse/sparse_cholesky_op.cc#L85-L86) fails to properly validate the input arguments. Although `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since `OP_REQUIRES`(https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/framework/op_requires.h#L41-L48) is a macro that only exits the current function. Thus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context->status()` or to convert `ValidateInputs` to return a `Status`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29531","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L57-L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is `nullptr`. Hence, when calling `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L79-L93), the first argument (i.e., `image.flat<T>().data()`) is `NULL`. This then triggers the `CHECK_NOTNULL` in the first line of `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/lib/png/png_io.cc#L345-L349). Since `image` is null, this results in `abort` being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and stil","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29531","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L57-L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is `nullptr`. Hence, when calling `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L79-L93), the first argument (i.e., `image.flat<T>().data()`) is `NULL`. This then triggers the `CHECK_NOTNULL` in the first line of `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/lib/png/png_io.cc#L345-L349). Since `image` is null, this results in `abort` being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and stil","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29532","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29532","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29533","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29533","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29534","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29534","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29535","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29535","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29536","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29536","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29537","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29537","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29538","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29538","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29539","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29539","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29540","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29540","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29541","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L67-L74) does not fully validate the `data_splits` argument. This would result in `ngrams_data`(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L106-L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29542","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L171-L185) fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when left padding is present), the marked line would result in reading `data[-1]`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29542","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L171-L185) fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when left padding is present), the marked line would result in reading `data[-1]`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29543","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1615440b17b364b875eb06f43d087381f1460a65/tensorflow/core/kernels/ctc_decoder_ops.cc#L37-L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29543","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1615440b17b364b875eb06f43d087381f1460a65/tensorflow/core/kernels/ctc_decoder_ops.cc#L37-L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29545","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in converting sparse tensors to CSR Sparse matrices. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e182dd4fba48295f65e7790739/tensorflow/core/kernels/sparse/kernels.cc#L66) does a double redirection to access an element of an array allocated on the heap. If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the bounds of `csr_row_ptr`, this results in writing outside of bounds of heap allocated data. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29545","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in converting sparse tensors to CSR Sparse matrices. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e182dd4fba48295f65e7790739/tensorflow/core/kernels/sparse/kernels.cc#L66) does a double redirection to access an element of an array allocated on the heap. If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the bounds of `csr_row_ptr`, this results in writing outside of bounds of heap allocated data. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29546","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel(https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29546","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel(https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29547","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29547","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29548","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc) does not validate all constraints specified in the op\\'s contract(https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29548","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc) does not validate all constraints specified in the op\\'s contract(https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29549","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29549","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29550","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99) to `GeneratePoolingSequence`(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on Tens","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29550","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99) to `GeneratePoolingSequence`(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on Tens","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29551","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixTriangularSolve`(https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29551","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixTriangularSolve`(https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29552","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29552","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29553","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside of bounds of heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237) does not validate the value of user supplied `axis` attribute before using it to index in the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29553","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside of bounds of heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237) does not validate the value of user supplied `axis` attribute before using it to index in the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29554","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/tensorflow/core/kernels/count_ops.cc#L123-L127) computes a divisor value from user data but does not check that the result is 0 before doing the division. Since `data` is given by the `values` argument, `num_batch_elements` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29555","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.FusedBatchNorm`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/828f346274841fa7505f7020e88ca36c22e557ab/tensorflow/core/kernels/fused_batch_norm_op.cc#L295-L297) performs a division based on the last dimension of the `x` tensor. Since this is controlled by the user, an attacker can trigger a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29555","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.FusedBatchNorm`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/828f346274841fa7505f7020e88ca36c22e557ab/tensorflow/core/kernels/fused_batch_norm_op.cc#L295-L297) performs a division based on the last dimension of the `x` tensor. Since this is controlled by the user, an attacker can trigger a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29556","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76) performs a division based on the first dimension of the tensor argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29556","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76) performs a division based on the first dimension of the tensor argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29557","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.SparseMatMul`. The division by 0 occurs deep in Eigen code because the `b` tensor is empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29557","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.SparseMatMul`. The division by 0 occurs deep in Eigen code because the `b` tensor is empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29558","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29558","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29559","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/472c1f12ad9063405737679d4f6bd43094e1d36d/tensorflow/core/kernels/unicode_ops.cc) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29559","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/472c1f12ad9063405737679d4f6bd43094e1d36d/tensorflow/core/kernels/unicode_ops.cc) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29560","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when `parent_output_index` is shorter than `row_split`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29560","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when `parent_output_index` is shorter than `row_split`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29561","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from `tf.raw_ops.LoadAndRemapMatrix`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) assumes that the `ckpt_path` is always a valid scalar. However, an attacker can send any other tensor as the first argument of `LoadAndRemapMatrix`. This would cause the rank `CHECK` in `scalar<T>()()` to trigger and terminate the process. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29561","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from `tf.raw_ops.LoadAndRemapMatrix`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) assumes that the `ckpt_path` is always a valid scalar. However, an attacker can send any other tensor as the first argument of `LoadAndRemapMatrix`. This would cause the rank `CHECK` in `scalar<T>()()` to trigger and terminate the process. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29562","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.IRFFT`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29562","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.IRFFT`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29563","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29563","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29564","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.EditDistance`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/79865b542f9ffdc9caeb255631f7c56f1d4b6517/tensorflow/core/kernels/edit_distance_op.cc#L103-L159) has incomplete validation of the input parameters. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29565","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.SparseFillEmptyRows`. This is because of missing validation(https://github.com/tensorflow/tensorflow/blob/fdc82089d206e281c628a93771336bf87863d5e8/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L230-L231) that was covered under a `TODO`. If the `dense_shape` tensor is empty, then `dense_shape_t.vec<>()` would cause a null pointer dereference in the implementation of the op. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29566","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/afd954e65f15aea4d438d0a219136fc4a63a573d/tensorflow/core/kernels/dilation_ops.cc#L321-L322) does not validate before writing to the output array. The values for `h_out` and `w_out` are guaranteed to be in range for `out_backprop` (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating `h_in_max`/`w_in_max` and `in_backprop`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29566","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/afd954e65f15aea4d438d0a219136fc4a63a573d/tensorflow/core/kernels/dilation_ops.cc#L321-L322) does not validate before writing to the output array. The values for `h_out` and `w_out` are guaranteed to be in range for `out_backprop` (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating `h_in_max`/`w_in_max` and `in_backprop`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29567","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can trigger denial of service via `CHECK`-fails or accesses to outside the bounds of heap allocated data. Since the implementation(https://github.com/tensorflow/tensorflow/blob/38178a2f7a681a7835bb0912702a134bfe3b4d84/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L68-L80) only validates the rank of the input arguments but no constraints between dimensions(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SparseDenseCwiseMul), an attacker can abuse them to trigger internal `CHECK` assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29567","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can trigger denial of service via `CHECK`-fails or accesses to outside the bounds of heap allocated data. Since the implementation(https://github.com/tensorflow/tensorflow/blob/38178a2f7a681a7835bb0912702a134bfe3b4d84/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L68-L80) only validates the rank of the input arguments but no constraints between dimensions(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SparseDenseCwiseMul), an attacker can abuse them to trigger internal `CHECK` assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29568","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29568","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29569","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ac328eaa3870491ababc147822cd04e91a790643/tensorflow/core/kernels/requantization_range_op.cc#L49-L50) assumes that the `input_min` and `input_max` tensors have at least one element, as it accesses the first element in two arrays. If the tensors are empty, `.flat<T>()` is an empty object, backed by an empty array. Hence, accesing even the 0th element is a read outside the bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29569","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ac328eaa3870491ababc147822cd04e91a790643/tensorflow/core/kernels/requantization_range_op.cc#L49-L50) assumes that the `input_min` and `input_max` tensors have at least one element, as it accesses the first element in two arrays. If the tensors are empty, `.flat<T>()` is an empty object, backed by an empty array. Hence, accesing even the 0th element is a read outside the bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29570","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ef0c008ee84bad91ec6725ddc42091e19a30cf0e/tensorflow/core/kernels/maxpooling_op.cc#L1016-L1017) uses the same value to index in two different arrays but there is no guarantee that the sizes are identical. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29570","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ef0c008ee84bad91ec6725ddc42091e19a30cf0e/tensorflow/core/kernels/maxpooling_op.cc#L1016-L1017) uses the same value to index in two different arrays but there is no guarantee that the sizes are identical. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29571","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29571","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29572","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation(https://github.com/tensorflow/tensorflow/blob/60a45c8b6192a4699f2e2709a2645a751d435cc3/tensorflow/core/kernels/sdca_internal.cc) does not validate that the user supplied arguments satisfy all constraints expected by the op(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29572","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation(https://github.com/tensorflow/tensorflow/blob/60a45c8b6192a4699f2e2709a2645a751d435cc3/tensorflow/core/kernels/sdca_internal.cc) does not validate that the user supplied arguments satisfy all constraints expected by the op(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29573","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0. The implementation(https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2827621b7edb56a730233bd8/tensorflow/core/kernels/maxpooling_op.cc#L1033-L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29573","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0. The implementation(https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2827621b7edb56a730233bd8/tensorflow/core/kernels/maxpooling_op.cc#L1033-L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29574","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation(https://github.com/tensorflow/tensorflow/blob/72fe792967e7fd25234342068806707bbc116618/tensorflow/core/kernels/pooling_ops_3d.cc#L679-L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29574","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation(https://github.com/tensorflow/tensorflow/blob/72fe792967e7fd25234342068806707bbc116618/tensorflow/core/kernels/pooling_ops_3d.cc#L679-L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29575","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.ReverseSequence` allows for stack overflow and/or `CHECK`-fail based denial of service. The implementation(https://github.com/tensorflow/tensorflow/blob/5b3b071975e01f0d250c928b2a8f901cd53b90a7/tensorflow/core/kernels/reverse_sequence_op.cc#L114-L118) fails to validate that `seq_dim` and `batch_dim` arguments are valid. Negative values for `seq_dim` can result in stack overflow or `CHECK`-failure, depending on the version of Eigen code used to implement the operation. Similar behavior can be exhibited by invalid values of `batch_dim`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29575","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.ReverseSequence` allows for stack overflow and/or `CHECK`-fail based denial of service. The implementation(https://github.com/tensorflow/tensorflow/blob/5b3b071975e01f0d250c928b2a8f901cd53b90a7/tensorflow/core/kernels/reverse_sequence_op.cc#L114-L118) fails to validate that `seq_dim` and `batch_dim` arguments are valid. Negative values for `seq_dim` can result in stack overflow or `CHECK`-failure, depending on the version of Eigen code used to implement the operation. Similar behavior can be exhibited by invalid values of `batch_dim`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29576","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L694-L696) does not check that the initialization of `Pool3dParameters` completes successfully. Since the constructor(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L48-L88) uses `OP_REQUIRES` to validate conditions, the first assertion that fails interrupts the initialization of `params`, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29576","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L694-L696) does not check that the initialization of `Pool3dParameters` completes successfully. Since the constructor(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L48-L88) uses `OP_REQUIRES` to validate conditions, the first assertion that fails interrupts the initialization of `params`, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29577","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.AvgPool3DGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/d80ffba9702dc19d1fac74fc4b766b3fa1ee976b/tensorflow/core/kernels/pooling_ops_3d.cc#L376-L450) assumes that the `orig_input_shape` and `grad` tensors have similar first and last dimensions but does not check that this assumption is validated. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29577","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.AvgPool3DGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/d80ffba9702dc19d1fac74fc4b766b3fa1ee976b/tensorflow/core/kernels/pooling_ops_3d.cc#L376-L450) assumes that the `orig_input_shape` and `grad` tensors have similar first and last dimensions but does not check that this assumption is validated. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29578","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalAvgPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/dcba796a28364d6d7f003f6fe733d82726dda713/tensorflow/core/kernels/fractional_avg_pool_op.cc#L216) fails to validate that the pooling sequence arguments have enough elements as required by the `out_backprop` tensor shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29578","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalAvgPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/dcba796a28364d6d7f003f6fe733d82726dda713/tensorflow/core/kernels/fractional_avg_pool_op.cc#L216) fails to validate that the pooling sequence arguments have enough elements as required by the `out_backprop` tensor shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29579","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/ab1e644b48c82cb71493f4362b4dd38f4577a1cf/tensorflow/core/kernels/maxpooling_op.cc#L194-L203) fails to validate that indices used to access elements of input/output arrays are valid. Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29579","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/ab1e644b48c82cb71493f4362b4dd38f4577a1cf/tensorflow/core/kernels/maxpooling_op.cc#L194-L203) fails to validate that indices used to access elements of input/output arrays are valid. Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29580","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalMaxPoolGrad` triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a `CHECK` condition becomes false and aborts the process. The implementation(https://github.com/tensorflow/tensorflow/blob/169054888d50ce488dfde9ca55d91d6325efbd5b/tensorflow/core/kernels/fractional_max_pool_op.cc#L215) fails to validate that input and output tensors are not empty and are of the same rank. Each of these unchecked assumptions is responsible for the above issues. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29580","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalMaxPoolGrad` triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a `CHECK` condition becomes false and aborts the process. The implementation(https://github.com/tensorflow/tensorflow/blob/169054888d50ce488dfde9ca55d91d6325efbd5b/tensorflow/core/kernels/fractional_max_pool_op.cc#L215) fails to validate that input and output tensors are not empty and are of the same rank. Each of these unchecked assumptions is responsible for the above issues. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29581","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation(https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4def9f16ee7e13cf3922ac5f7/tensorflow/core/kernels/ctc_decoder_ops.cc#L68-L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29581","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation(https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4def9f16ee7e13cf3922ac5f7/tensorflow/core/kernels/ctc_decoder_ops.cc#L68-L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29582","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29582","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29583","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation(https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc) fails to validate that `scale`, `offset`, `mean` and `variance` (the last two only when required) all have the same number of elements as the number of channels of `x`. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29584","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in caused by an integer overflow in constructing a new tensor shape. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/0908c2f2397c099338b901b067f6495a5b96760b/tensorflow/core/kernels/sparse_split_op.cc#L66-L70) builds a dense shape without checking that the dimensions would not result in overflow. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29584","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in caused by an integer overflow in constructing a new tensor shape. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/0908c2f2397c099338b901b067f6495a5b96760b/tensorflow/core/kernels/sparse_split_op.cc#L66-L70) builds a dense shape without checking that the dimensions would not result in overflow. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29585","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize`(https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29585","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize`(https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29586","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling `ComputePaddingHeightWidth`(https://github.com/tensorflow/tensorflow/blob/3f24ccd932546416ec906a02ddd183b48a1d2c83/tensorflow/lite/kernels/pooling.cc#L90). Since users can craft special models which will have `params->stride_{height,width}` be zero, this will result in a division by zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29586","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling `ComputePaddingHeightWidth`(https://github.com/tensorflow/tensorflow/blob/3f24ccd932546416ec906a02ddd183b48a1d2c83/tensorflow/lite/kernels/pooling.cc#L90). Since users can craft special models which will have `params->stride_{height,width}` be zero, this will result in a division by zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29587","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division(https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/space_to_depth.cc#L63-L67). An attacker can craft a model such that `params->block_size` would be zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29587","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division(https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/space_to_depth.cc#L63-L67). An attacker can craft a model such that `params->block_size` would be zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29588","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the `TransposeConv` TFLite operator is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L5221-L5222). An attacker can craft a model such that `stride_{h,w}` values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29588","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the `TransposeConv` TFLite operator is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L5221-L5222). An attacker can craft a model such that `stride_{h,w}` values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29589","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h#L966). An attacker can craft a model such that `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29589","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h#L966). An attacker can craft a model such that `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29590","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/maximum_minimum.h#L52-L56) indexes in both tensors with the same index but does not validate that the index is within bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29590","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/maximum_minimum.h#L52-L56) indexes in both tensors with the same index but does not validate that the index is within bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29591","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation(https://github.com/tensorflow/tensorflow/blob/106d8f4fb89335a2c52d7c895b7a7485465ca8d9/tensorflow/lite/kernels/while.cc) could be tricked into a scneario where both the body and the loop subgraphs are the same. Evaluating one of the subgraphs means calling the `Eval` function for the other and this quickly exhaust all stack space. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. Please consult our security guide(https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29591","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation(https://github.com/tensorflow/tensorflow/blob/106d8f4fb89335a2c52d7c895b7a7485465ca8d9/tensorflow/lite/kernels/while.cc) could be tricked into a scneario where both the body and the loop subgraphs are the same. Evaluating one of the subgraphs means calling the `Eval` function for the other and this quickly exhaust all stack space. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. Please consult our security guide(https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29592","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape of `Reshape` operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability(https://github.com/tensorflow/tensorflow/blob/9c1dc920d8ffb4893d6c9d27d1f039607b326743/tensorflow/lite/core/subgraph.cc#L1062-L1074) allowed passing a null-buffer-backed tensor with a 1D shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29592","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape of `Reshape` operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability(https://github.com/tensorflow/tensorflow/blob/9c1dc920d8ffb4893d6c9d27d1f039607b326743/tensorflow/lite/core/subgraph.cc#L1062-L1074) allowed passing a null-buffer-backed tensor with a 1D shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29593","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `BatchToSpaceNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/b5ed552fe55895aee8bd8b191f744a069957d18d/tensorflow/lite/kernels/batch_to_space_nd.cc#L81-L82). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29593","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `BatchToSpaceNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/b5ed552fe55895aee8bd8b191f744a069957d18d/tensorflow/lite/kernels/batch_to_space_nd.cc#L81-L82). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29594","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. TFLite\\'s convolution code(https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd05898292d91a8322a9d45/tensorflow/lite/kernels/conv.cc) has multiple division where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29594","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. TFLite\\'s convolution code(https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd05898292d91a8322a9d45/tensorflow/lite/kernels/conv.cc) has multiple division where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29595","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/depth_to_space.cc#L63-L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29595","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/depth_to_space.cc#L63-L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29596","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `EmbeddingLookup` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/e4b29809543b250bc9b19678ec4776299dd569ba/tensorflow/lite/kernels/embedding_lookup.cc#L73-L74). An attacker can craft a model such that the first dimension of the `value` input is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29596","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `EmbeddingLookup` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/e4b29809543b250bc9b19678ec4776299dd569ba/tensorflow/lite/kernels/embedding_lookup.cc#L73-L74). An attacker can craft a model such that the first dimension of the `value` input is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29597","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SpaceToBatchNd` TFLite operator is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/412c7d9bb8f8a762c5b266c9e73bfa165f29aac8/tensorflow/lite/kernels/space_to_batch_nd.cc#L82-L83). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29597","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SpaceToBatchNd` TFLite operator is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/412c7d9bb8f8a762c5b266c9e73bfa165f29aac8/tensorflow/lite/kernels/space_to_batch_nd.cc#L82-L83). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29598","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SVDF` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/7f283ff806b2031f407db64c4d3edcda8fb9f9f5/tensorflow/lite/kernels/svdf.cc#L99-L102). An attacker can craft a model such that `params->rank` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29598","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SVDF` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/7f283ff806b2031f407db64c4d3edcda8fb9f9f5/tensorflow/lite/kernels/svdf.cc#L99-L102). An attacker can craft a model such that `params->rank` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29599","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `Split` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/e2752089ef7ce9bcf3db0ec618ebd23ea119d0c7/tensorflow/lite/kernels/split.cc#L63-L65). An attacker can craft a model such that `num_splits` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29599","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `Split` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/e2752089ef7ce9bcf3db0ec618ebd23ea119d0c7/tensorflow/lite/kernels/split.cc#L63-L65). An attacker can craft a model such that `num_splits` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29600","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `OneHot` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/f61c57bd425878be108ec787f4d96390579fb83e/tensorflow/lite/kernels/one_hot.cc#L68-L72). An attacker can craft a model such that at least one of the dimensions of `indices` would be 0. In turn, the `prefix_dim_size` value would become 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29600","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `OneHot` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/f61c57bd425878be108ec787f4d96390579fb83e/tensorflow/lite/kernels/one_hot.cc#L68-L72). An attacker can craft a model such that at least one of the dimensions of `indices` would be 0. In turn, the `prefix_dim_size` value would become 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:46.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29601","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.cc#L70-L76). An attacker can craft a model such that the dimensions of one of the concatenation input overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:22.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29602","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/depthwise_conv.cc#L287-L288). An attacker can craft a model such that `input`\\'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29602","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/depthwise_conv.cc#L287-L288). An attacker can craft a model such that `input`\\'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29603","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax`(https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/arg_min_max.cc#L52-L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29603","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax`(https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/arg_min_max.cc#L52-L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29604","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/hashtable_lookup.cc#L114-L115) An attacker can craft a model such that `values`\\'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29604","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/hashtable_lookup.cc#L114-L115) An attacker can craft a model such that `values`\\'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29605","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating `TFLiteIntArray`s is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c#L24-L27). An attacker can craft a model such that the `size` multiplier is so large that the return value overflows the `int` datatype and becomes negative. In turn, this results in invalid value being given to `malloc`(https://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c#L47-L52). In this case, `ret->size` would dereference an invalid pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29605","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating `TFLiteIntArray`s is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c#L24-L27). An attacker can craft a model such that the `size` multiplier is so large that the return value overflows the `int` datatype and becomes negative. In turn, this results in invalid value being given to `malloc`(https://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c#L47-L52). In this case, `ret->size` would dereference an invalid pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29606","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V`(https://github.com/tensorflow/tensorflow/blob/c59c37e7b2d563967da813fa50fe20b21f4da683/tensorflow/lite/kernels/split_v.cc#L99). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the `SizeOfDimension` function(https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/kernel_util.h#L148-L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29606","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V`(https://github.com/tensorflow/tensorflow/blob/c59c37e7b2d563967da813fa50fe20b21f4da683/tensorflow/lite/kernels/split_v.cc#L99). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the `SizeOfDimension` function(https://github.com/tensorflow/tensorflow/blob/102b211d892f3abc14f845a72047809b39cc65ab/tensorflow/lite/kernels/kernel_util.h#L148-L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29607","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/sparse_sparse_binary_op_shared.cc) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29607","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/sparse_sparse_binary_op_shared.cc) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29608","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don\\'t prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29608","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don\\'t prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29609","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/sparse_add_op.cc) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:22.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29610","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for `axis` argument:. The validation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74-L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29610","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for `axis` argument:. The validation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74-L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29611","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation(https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29611","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation(https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29612","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in Eigen implementation of `tf.raw_ops.BandedTriangularSolve`. The implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L269-L278) calls `ValidateInputTensors` for input validation but fails to validate that the two tensors are not empty. Furthermore, since `OP_REQUIRES` macro only stops execution of current function after setting `ctx->status()` to a non-OK value, callers of helper functions that use `OP_REQUIRES` must check value of `ctx->status()` before continuing. This doesn\\'t happen in this op\\'s implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L219), hence the validation that is present is also not effective. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29612","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in Eigen implementation of `tf.raw_ops.BandedTriangularSolve`. The implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L269-L278) calls `ValidateInputTensors` for input validation but fails to validate that the two tensors are not empty. Furthermore, since `OP_REQUIRES` macro only stops execution of current function after setting `ctx->status()` to a non-OK value, callers of helper functions that use `OP_REQUIRES` must check value of `ctx->status()` before continuing. This doesn\\'t happen in this op\\'s implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L219), hence the validation that is present is also not effective. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29613","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29613","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29614","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:22.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29615","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `ParseAttrValue`(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attr_value_util.cc#L397-L453) can be tricked into stack overflow due to recursion by giving in a specially crafted input. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29615","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of `ParseAttrValue`(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attr_value_util.cc#L397-L453) can be tricked into stack overflow due to recursion by giving in a specially crafted input. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29616","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29616","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-22T02:22:45.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-29617","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29617","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:53.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29618","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29618","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29619","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29619","source":"twistlock_cve","description":"TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.","package":"tensorflow-1.15.5","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-20T19:29:54.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"msimmons719","email":"michael.simmons@anchore.com","role":"vendor_contributor"}},"reviewer":{"state":"reviewed","date":"2021-05-20T22:05:54.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-20T22:08:25.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"anchore_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T00:31:56.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:10:21.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:18:42.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"twistlock_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:34:08.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"anchore_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-16T13:44:47.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-16T13:52:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-16T13:54:01.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"twistlock_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-14T13:18:27.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-14T13:19:43.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-14T13:20:42.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"twistlock_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:31:07.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"twistlock_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"twistlock_cve","description":"A flaw was found in libdnf\\'s signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T18:16:40.000Z","justification":"Patched upstream in version 0.60.1 on 4/12/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T18:17:14.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T18:19:19.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-hawkey-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"platform-python-pip-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-06T16:06:50.000Z","justification":"Patched in 21.1 on 04/24/2021. Redhat has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-06T16:09:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-06T16:13:01.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-06T16:06:50.000Z","justification":"Patched in 21.1 on 04/24/2021. Redhat has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-06T16:09:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-06T16:13:01.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-wheel-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream patched in version 21.1. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"anchore_cve","description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-08T18:20:21.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-08T18:20:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-08T18:21:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"twistlock_cve","description":"A flaw was found in the way nettle\\'s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"twistlock_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-23T15:50:48.000Z","justification":"Upstream patched in version 2.34 which is scheduled to be released on 8/1/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-23T18:06:10.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-23T18:09:07.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35958","source":"anchore_cve","description":"** DISPUTED ** TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives.","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-12T17:54:59.000Z","justification":"This CVE is disputed. The vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives. There are no patches available ","user":{"name":"olga","email":"olga@alphabravo.io","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-13T13:53:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-14T01:50:27.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-36084","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-20T13:36:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-20T13:44:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-20T13:45:06.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3712","source":"anchore_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-25T17:22:33.000Z","justification":"Upstream submitted patches on 08/24/2021 to the 1.1.1 branch. No ETA on finalizing a new 1.1.1 release which contains these patches.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-25T17:39:52.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-25T17:40:38.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-37750","source":"anchore_cve","description":"The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","justification":"Reported 8/23/21, fixed in krb 1.18.5. RedHat has not patched.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-27T13:50:39.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-24x6-8c7m-hv3f","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-26j7-6w8w-7922","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-278g-rq84-9hmg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-27j5-4p9v-pp67","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-27qf-jwm8-g7f3","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-2cpx-427x-q2c6","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-2gfx-95x2-5v3x","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-2r8p-fg3c-wcj4","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-2wmv-37vq-52g5","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-2xgj-xhgf-ggjv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-36vm-xw34-x4pj","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-393f-2jr3-cp69","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-3h8m-483j-7xxm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-3hxh-8cp2-g4hg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-3qgw-p4fm-x7gf","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-3qxp-qjq7-w4hf","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-3w67-q784-6w7c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-452g-f7fp-9jf7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4fg4-p75j-w5xj","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4hrh-9vmp-2jgg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4hvv-7x94-7vq8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4p4p-www8-8fv9","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4vf2-4xcg-65cx","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4vrf-ff7v-hpgr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-4xfp-4pfp-89wg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-545v-42p7-98fq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-59q2-x2qc-4c97","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-5gqf-456p-4836","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:47.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-5hj3-vjjf-f5m7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-5xwc-mrhx-5g3m","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-62gx-355r-9fhg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-6f84-42vf-ppwp","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-6f89-8j54-29xf","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-6gv8-p3vj-pxvr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-6j9c-grc6-5m6g","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-6p5r-g9mq-ggh2","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-6qgm-fv6v-rfpv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-75f6-78jr-4656","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-772j-h9xw-ffp5","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-772p-x54p-hjrv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-79fv-9865-4qcv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-7cqx-92hp-x6wh","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-7fvx-3jfc-2cpc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-7ghq-fvr3-pj2x","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-828x-qc2p-wprq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-84mw-34w6-2q43","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-8c89-2vwr-chcq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-8gv3-57p6-g35r","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-8pmx-p244-g88h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-8rm6-75mf-7r7r","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-95xm-g58g-3p88","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-9697-98pf-4rw7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-97wf-p777-86jq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-9c84-4hx6-xmm4","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-9c8h-2mv3-49ww","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-9c8h-vvrj-w2p8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-9vpm-rcf4-9wqw","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-9w2p-5mgw-p94c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-9xh4-23q4-v6wr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-c45w-2wxr-pp53","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-c5x2-p679-95wc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-c968-pq7h-7fxv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-c9qf-r67m-p7cg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-cfx7-2xpc-8w4h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-cgfm-62j4-v4rf","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-ch4f-829c-v5pw","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-cjc7-49v2-jp64","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-cm5x-837x-jf3c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-cmgw-8vpc-rc59","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-crch-j389-5f84","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-cwv3-863g-39vx","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-f5cx-5wr3-5qrc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-f78g-q7r4-9wcv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-f8h4-7rgh-q2gm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-fcwc-p4fc-c5cc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-fphq-gw9m-ghrv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-fxqh-cfjm-fp93","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-g25h-jr74-qp5j","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-g4h2-gqm3-c9wq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-g8wg-cjwc-xhhp","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-gf88-j2mg-cc82","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-gh6x-4whr-2qv4","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-gvm4-h8j3-rjrq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-h4pc-gx2w-f2xv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-h6jh-7gv5-28vg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-h9px-9vqg-222h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-hc6c-75p4-hmq4","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-hmg3-c7xj-6qwm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-hp4c-x6r7-6555","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-hpv4-7p9c-mvfr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-hwr7-8gxx-fj5p","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-j47f-4232-hvv8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-j7rm-8ww4-xx2g","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-j8qc-5fqr-52fp","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-j8qh-3xrq-c825","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-jf7h-7m85-w2v2","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T00:32:23.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-jfp7-4j67-8r3q","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-jhq9-wm9m-cf89","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-jjr8-m8g8-p6wv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:32.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-m34j-p8rj-wjxq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-m3f9-w3p3-p669","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-m7fm-4jfh-jrg6","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-mhhc-q96p-mfm9","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-mmq6-q8r3-48fm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-mq5c-prh3-3f3h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-mqh2-9wrp-vx84","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-mv78-g7wq-mhp4","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-p45v-v4pw-77jr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-ph87-fvjr-v33w","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-pmpr-55fj-r229","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-pvrc-hg3f-58r6","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-q3g3-h9r4-prrc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-q7f7-544h-67h9","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-qfpc-5pjr-mh26","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-qjj8-32p7-h289","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-qr82-2c78-4m8h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-qw5h-7f53-xrp6","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-r35g-4525-29fq","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-r4c4-5fpq-56wg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-r4pj-74mg-8868","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-r6jx-9g48-2r5r","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-r6pg-pjwc-j585","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-rf3h-xgv5-2q39","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-rgvq-pcvf-hx75","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-rrfp-j2mp-hq9c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-22T21:32:10.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"cvernooy","email":"cvernooy@oteemo.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-04-14T17:08:18.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-22T02:21:30.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-v52p-hfjf-wg88","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-v6r6-84gr-92rm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-v768-w7m9-2vmm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-v82p-hv3v-p6qp","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-vf94-36g5-69v8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-vfr4-x8j2-3rf9","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-vmjw-c2vp-p33c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-vq2r-5xvm-3hc3","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-vqw6-72r7-fgw7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-vvg4-vgrv-xfr7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-w4xf-2pqw-5mq7","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-w74j-v8xh-3w5h","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-wcv5-qrj6-9pfm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-whr9-vfh2-7hm6","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-wp3c-xw9g-gpcg","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-wp77-4gmm-7cq8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"needs_justification"},{"identifier":"GHSA-wvjw-p9f5-vq28","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-x4g7-fvjj-prg8","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-x83m-p7pv-ch8v","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-x8h6-xgqx-jqgp","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xcwj-wfcm-m23c","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xgc3-m89p-vr3x","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xm2v-8rrw-w9pm","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xqfj-35wv-m3cr","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xqfj-cr6q-pc8w","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xvjm-fvxx-q3hv","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xw93-v57j-fcgh","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-10T20:38:48.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibilities  in the application created for 1.x","user":{"name":"jacob.rohlman","email":"jacob.rohlman@us.af.mil","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-10T20:50:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-10T20:54:33.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-xwhf-g6j5-j5gc","source":"anchore_cve","description":"none","package":"tensorflow-1.15.5","packagePath":"/usr/local/lib64/python3.6/site-packages/tensorflow","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-22T21:32:10.000Z","justification":"tensorflow 1.15 is the highest version supported according to pip in the 1.x major version. Upgrading to 2.x would introduce too much risk of incompatibillities in the appllcation created for 1.x","user":{"name":"cvernooy","email":"cvernooy@oteemo.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-04-14T17:08:18.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-22T02:21:30.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}}],"digest":"27c3b823947d0d64cabedc01eb86825781b55a4f8f09747cd54e74e68c08b9eb"}
INFO: POST Response: 201
section_end:1630368532:step_script[0Ksection_start:1630368532:upload_artifacts_on_success[0K[0K[36;1mUploading artifacts for successful job[0;m
[0;m[32;1mUploading artifacts...[0;m
ci-artifacts/vat_request.json: found 1 matching files and directories[0;m 
Uploading artifacts as "archive" to coordinator... ok[0;m  id[0;m=6087042 responseStatus[0;m=201 Created token[0;m=-XeWT6V5
section_end:1630368533:upload_artifacts_on_success[0Ksection_start:1630368533:cleanup_file_variables[0K[0K[36;1mCleaning up file based variables[0;m
[0;msection_end:1630368533:cleanup_file_variables[0K[32;1mJob succeeded
[0;m