chore(findings): synopsys/coverity/coverity-analysis
Summary
synopsys/coverity/coverity-analysis has 168 new findings discovered during continuous monitoring.
Information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=synopsys/coverity/coverity-analysis&tag=2024.3.0&branch=master
id | source | severity | package |
---|---|---|---|
ceb1b9ba055788f3812a65092a7d6b19 | Anchore Compliance | Critical | |
aff6b786a9b27d0552a7a31b3c296142 | Anchore Compliance | Critical | |
a7c533d913630060520993b28ad1e871 | Anchore Compliance | Critical | |
c43c4624702ddb8e7a6fce76202fb878 | Anchore Compliance | Critical | |
6cd64136af2783b70232e39ebed10291 | Anchore Compliance | Critical | |
d5213572cbf2f5e81d2c00d7d2c1d705 | Anchore Compliance | Critical | |
a15cf64e6697b00d99eec26c5b0f000e | Anchore Compliance | Critical | |
359f8d615338ea0e235d17cba297a484 | Anchore Compliance | Critical | |
e14e51fa5d3a58ab62acaf0645cfc15a | Anchore Compliance | Critical | |
113fe00513de043c9b922d20392ae5ab | Anchore Compliance | Critical | |
826793e186b0149157f0f67c6036dc76 | Anchore Compliance | Critical | |
0ee1034237596b0f54de13a55d5eacbf | Anchore Compliance | Critical | |
1ed479e50e36342cee6a2a542c6ca147 | Anchore Compliance | Critical | |
GHSA-2wrp-6fg6-hmc5 | Anchore CVE | High | spring-web-6.1.4 |
GHSA-69ch-w2m2-3vjp | Anchore CVE | High | golang.org/x/text-v0.3.7 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-fr-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-api-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-ko-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-de-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-fr-9.0.85 |
GHSA-cmhx-cq75-c4mj | Anchore CVE | High | System.Text.RegularExpressions-4.3.0 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-es-9.0.85 |
GHSA-vvpx-j8f3-3w6h | Anchore CVE | High | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
CVE-2021-26291 | Anchore CVE | Critical | maven-resolver-provider-3.5.4 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-de-9.0.85 |
GHSA-xhfc-gr8f-ffwc | Anchore CVE | High | System.Private.Uri-4.3.0 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-ko-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-util-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-es-9.0.85 |
GHSA-vmq6-5m68-f53m | Anchore CVE | High | logback-classic-1.2.9 |
GHSA-2f88-5hg8-9x2x | Anchore CVE | Critical | maven-compat-3.5.4 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-ja-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-jni-9.0.85 |
GHSA-4gmj-3p3h-gm8h | Anchore CVE | Low | es5-ext-0.10.62 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-ru-9.0.85 |
GHSA-f5x3-32g6-xq36 | Anchore CVE | Medium | tar-6.1.15 |
GHSA-5jpm-x58v-624v | Anchore CVE | Medium | netty-codec-http-4.1.107.Final |
CVE-2021-26291 | Anchore CVE | Critical | maven-common-artifact-filters-3.0.0 |
GHSA-vmq6-5m68-f53m | Anchore CVE | High | logback-core-1.2.9 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-cs-9.0.85 |
GHSA-xhfc-gr8f-ffwc | Anchore CVE | High | System.Private.Uri-4.3.0 |
CVE-2021-26291 | Anchore CVE | Critical | maven-embedder-3.5.4 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.31.0 |
GHSA-qppj-fm5r-hxr3 | Anchore CVE | Medium | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-ru-9.0.85 |
GHSA-5crp-9r3c-p9vr | Anchore CVE | High | Newtonsoft.Json-11.0.2 |
GHSA-2f88-5hg8-9x2x | Anchore CVE | Critical | maven-core-3.5.4 |
GHSA-2wrh-6pvc-2jm9 | Anchore CVE | Medium | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
CVE-2016-5425 | Anchore CVE | High | tomcat-jni-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-util-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-api-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-dbcp-9.0.85 |
GHSA-5crp-9r3c-p9vr | Anchore CVE | High | Newtonsoft.Json-11.0.2 |
CVE-2021-26291 | Anchore CVE | Critical | maven-artifact-transfer-0.9.0 |
GHSA-5f2m-466j-3848 | Anchore CVE | High | System.Private.Uri-4.3.0 |
CVE-2016-6325 | Anchore CVE | High | tomcat-util-scan-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-cs-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-zh-CN-9.0.85 |
GHSA-wjxj-5m7g-mg7q | Anchore CVE | Medium | bcprov-jdk15on-1.69 |
CVE-2021-26291 | Anchore CVE | Critical | maven-model-builder-3.5.4 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-ja-9.0.85 |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.13.5 |
GHSA-x5qj-9vmx-7g6g | Anchore CVE | Medium | System.Private.Uri-4.3.0 |
GHSA-p782-xgp4-8hr8 | Anchore CVE | Medium | golang.org/x/sys-v0.0.0-20211216021012-1d35b9e2eb4e |
CVE-2016-5425 | Anchore CVE | High | tomcat-util-scan-9.0.85 |
GHSA-7jgj-8wvc-jh57 | Anchore CVE | High | System.Net.Http-4.3.0 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.20.0 |
CVE-2016-6325 | Anchore CVE | High | tomcat-juli-9.0.85 |
GHSA-69cg-p879-7622 | Anchore CVE | High | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
GHSA-rhgr-952r-6p8q | Anchore CVE | Critical | maven-shared-utils-3.2.1 |
GHSA-78xj-cgh5-2h22 | Anchore CVE | Medium | ip-2.0.0 |
GHSA-4374-p667-p6c8 | Anchore CVE | High | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.32.0 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-pt-BR-9.0.85 |
CVE-2021-26291 | Anchore CVE | Critical | maven-artifact-3.5.4 |
CVE-2016-6325 | Anchore CVE | High | tomcat-i18n-zh-CN-9.0.85 |
GHSA-hgjh-9rj2-g67j | Anchore CVE | High | spring-web-6.1.4 |
CVE-2016-5425 | Anchore CVE | High | tomcat-i18n-pt-BR-9.0.85 |
CVE-2016-6325 | Anchore CVE | High | tomcat-coyote-9.0.85 |
GHSA-5f2m-466j-3848 | Anchore CVE | High | System.Private.Uri-4.3.0 |
GHSA-ghr5-ch3p-vcr6 | Anchore CVE | Medium | ejs-3.1.7 |
CVE-2016-5425 | Anchore CVE | High | tomcat-juli-9.0.85 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.20.0 |
GHSA-7w75-32cg-r6g2 | Anchore CVE | Medium | tomcat-coyote-9.0.85 |
GHSA-hr8g-6v94-x4m9 | Anchore CVE | Medium | bcprov-jdk15on-1.69 |
CVE-2016-5425 | Anchore CVE | High | tomcat-coyote-9.0.85 |
CVE-2016-5425 | Anchore CVE | High | tomcat-dbcp-9.0.85 |
GHSA-x5qj-9vmx-7g6g | Anchore CVE | Medium | System.Private.Uri-4.3.0 |
CVE-2023-42282 | Twistlock CVE | Critical | ip-2.0.0 |
CVE-2020-0603 | Twistlock CVE | High | microsoft.aspnetcore.app-2.1.0 |
CVE-2020-0603 | Twistlock CVE | High | microsoft.aspnetcore.all-2.1.0 |
CVE-2020-0603 | Twistlock CVE | High | microsoft.aspnetcore.http.connections-1.0.0 |
CVE-2024-0056 | Twistlock CVE | High | system.data.sqlclient-4.6.0 |
CVE-2024-22262 | Twistlock CVE | High | spring-web-6.1.4 |
CVE-2024-22259 | Twistlock CVE | High | spring-web-6.1.4 |
CVE-2023-33170 | Twistlock CVE | High | microsoft.aspnetcore.identity-2.1.0 |
CVE-2020-1147 | Twistlock CVE | High | microsoft.netcore.app-2.1.0 |
PRISMA-2023-0067 | Twistlock CVE | High | com.fasterxml.jackson.core_jackson-core-2.13.5 |
CVE-2024-21907 | Twistlock CVE | High | newtonsoft.json-11.0.2 |
CVE-2024-21907 | Twistlock CVE | High | newtonsoft.json-11.0.2 |
CVE-2024-21907 | Twistlock CVE | High | newtonsoft.json-11.0.2 |
CVE-2024-21907 | Twistlock CVE | High | newtonsoft.json-10.0.1 |
CVE-2023-38180 | Twistlock CVE | High | microsoft.aspnetcore.server.kestrel.transport.sockets-2.1.0 |
CVE-2022-32149 | Twistlock CVE | High | golang.org/x/text/language-v0.3.7 |
CVE-2021-1723 | Twistlock CVE | High | microsoft.aspnetcore.server.kestrel.core-2.1.0 |
CVE-2020-1597 | Twistlock CVE | High | microsoft.aspnetcore.all-2.1.0 |
CVE-2020-1597 | Twistlock CVE | High | microsoft.aspnetcore.app-2.1.0 |
CVE-2020-1108 | Twistlock CVE | High | microsoft.netcore.app-2.1.0 |
CVE-2020-1045 | Twistlock CVE | High | microsoft.aspnetcore.http-2.1.0 |
CVE-2020-1045 | Twistlock CVE | High | microsoft.aspnetcore.app-2.1.0 |
CVE-2019-0981 | Twistlock CVE | High | system.private.uri-4.3.0 |
CVE-2019-0981 | Twistlock CVE | High | system.private.uri-4.3.0 |
CVE-2019-0980 | Twistlock CVE | High | system.private.uri-4.3.0 |
CVE-2019-0980 | Twistlock CVE | High | system.private.uri-4.3.0 |
CVE-2019-0820 | Twistlock CVE | High | system.text.regularexpressions-4.3.0 |
CVE-2019-0564 | Twistlock CVE | High | microsoft.aspnetcore.server.kestrel.core-2.1.0 |
CVE-2018-8409 | Twistlock CVE | High | system.io.pipelines-4.5.0 |
CVE-2018-8409 | Twistlock CVE | High | microsoft.aspnetcore.app-2.1.0 |
CVE-2018-8409 | Twistlock CVE | High | microsoft.aspnetcore.all-2.1.0 |
CVE-2018-8292 | Twistlock CVE | High | system.net.http-4.3.0 |
CVE-2018-8171 | Twistlock CVE | High | microsoft.aspnetcore.identity-2.1.0 |
CVE-2017-8585 | Twistlock CVE | High | microsoft.netcore.app-1.1.0 |
CVE-2017-8585 | Twistlock CVE | High | microsoft.netcore.app-1.0.0 |
CVE-2017-11770 | Twistlock CVE | High | microsoft.netcore.app-1.0.0 |
CVE-2017-11770 | Twistlock CVE | High | microsoft.netcore.app-2.0.0 |
CVE-2017-11770 | Twistlock CVE | High | microsoft.netcore.app-1.1.0 |
CVE-2017-0247 | Twistlock CVE | High | system.net.security-4.0.0 |
CVE-2023-21930 | Twistlock CVE | High | java-1.8.0_392 |
CVE-2017-0249 | Twistlock CVE | High | system.net.security-4.0.0 |
CVE-2023-44487 | Twistlock CVE | High | golang.org/x/net-v0.0.0-20220425223048-2871e0cb64e4 |
CVE-2024-29415 | Twistlock CVE | High | ip-2.0.0 |
CVE-2020-0602 | Twistlock CVE | Medium | microsoft.aspnetcore.all-2.1.0 |
CVE-2020-0602 | Twistlock CVE | Medium | microsoft.aspnetcore.http.connections-1.0.0 |
CVE-2020-0602 | Twistlock CVE | Medium | microsoft.aspnetcore.app-2.1.0 |
CVE-2017-0248 | Twistlock CVE | Medium | system.net.security-4.0.0 |
CVE-2024-21319 | Twistlock CVE | Medium | microsoft.identitymodel.jsonwebtokens-5.3.0 |
CVE-2024-21319 | Twistlock CVE | Medium | system.identitymodel.tokens.jwt-5.3.0 |
CVE-2024-28863 | Twistlock CVE | Medium | tar-6.1.15 |
CVE-2021-1721 | Twistlock CVE | Medium | microsoft.netcore.app-2.1.0 |
CVE-2018-8416 | Twistlock CVE | Medium | microsoft.netcore.app-2.1.0 |
CVE-2023-3978 | Twistlock CVE | Medium | golang.org/x/net/html-v0.0.0-20220425223048-2871e0cb64e4 |
CVE-2024-30171 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.69 |
CVE-2023-21967 | Twistlock CVE | Medium | java-1.8.0_392 |
CVE-2023-21954 | Twistlock CVE | Medium | java-1.8.0_392 |
CVE-2019-0657 | Twistlock CVE | Medium | system.private.uri-4.3.0 |
CVE-2019-0657 | Twistlock CVE | Medium | system.private.uri-4.3.0 |
CVE-2023-33202 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.69 |
CVE-2021-34532 | Twistlock CVE | Medium | microsoft.aspnetcore.authentication.jwtbearer-2.1.0 |
CVE-2021-34485 | Twistlock CVE | Medium | microsoft.netcore.app-2.1.0 |
CVE-2024-30172 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.69 |
CVE-2024-29857 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.69 |
CVE-2024-29025 | Twistlock CVE | Medium | io.netty_netty-codec-http-4.1.107.Final |
CVE-2023-22081 | Twistlock CVE | Medium | java-21 |
CVE-2023-21939 | Twistlock CVE | Medium | java-1.8.0_392 |
CVE-2022-29526 | Twistlock CVE | Medium | golang.org/x/sys/unix-v0.0.0-20211216021012-1d35b9e2eb4e |
CVE-2017-0256 | Twistlock CVE | Medium | system.net.security-4.0.0 |
GHSA-cgpw-2gph-2r9g | Twistlock CVE | Medium | microsoft.aspnetcore.server.kestrel.core-2.1.0 |
GHSA-cgpw-2gph-2r9g | Twistlock CVE | Medium | microsoft.aspnetcore.all-2.1.0 |
GHSA-cgpw-2gph-2r9g | Twistlock CVE | Medium | microsoft.aspnetcore.app-2.1.0 |
CVE-2024-33883 | Twistlock CVE | Medium | ejs-3.1.7 |
CVE-2024-24549 | Twistlock CVE | Medium | tomcat-coyote-9.0.85 |
CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.20.0 |
CVE-2023-22025 | Twistlock CVE | Low | java-21 |
CVE-2023-21938 | Twistlock CVE | Low | java-1.8.0_392 |
CVE-2023-21937 | Twistlock CVE | Low | java-1.8.0_392 |
CVE-2024-27088 | Twistlock CVE | Low | es5-ext-0.10.62 |
CCE-83637-9 | OSCAP Compliance | Medium | |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=synopsys/coverity/coverity-analysis&tag=2024.3.0&branch=master
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the StatusVerification label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.