{ "SchemaVersion": 2, "Metadata": { "Id": "eea6e726-1eec-436d-9b1a-7d339b867939", "InputKind": "repository", "InputLocation": "/Users/linpengzhang/GitHub/code-analysis-test-repo", "InputOrigin": "Linpengs-MacBook-Pro.local", "CustomProperties": { "deployment": "local", "version": "development" }, "Platform": { "architecture": "arm64", "os": "darwin", "os.version": "14.0", "variant": "v8" }, "Created": "2024-02-05T13:41:08.289199Z" }, "RootArtifactId": "49e5ee59-4d6b-4bf3-99f7-ce79af24a78c", "Artifacts": [ { "Id": "49e5ee59-4d6b-4bf3-99f7-ce79af24a78c", "Name": "ssh://github.com/lacework-dev/code-analysis-test-repo.git", "Path": "ssh://github.com/lacework-dev/code-analysis-test-repo.git", "Type": "repo", "Class": "collection", "Language": "none", "Repository": "1aef42df-adf4-49d7-9639-d43c7cec98a1", "Compare": { "Hash": "fb8d11c46b62844e4c72b56c0c05ea37e5c5a348" }, "LinesOfCode": { "java": 13 }, "Children": [ { "ArtifactId": "29e29686-f04c-40db-b0b4-badf960e7778" } ] }, { "Id": "29e29686-f04c-40db-b0b4-badf960e7778", "Name": "test-project", "Path": "pom.xml", "Type": "pom", "Class": "source", "Language": "java", "Version": { "Type": "maven", "Version": "0.1.0" }, "Repository": "1aef42df-adf4-49d7-9639-d43c7cec98a1", "LastEdit": "bfa957fa-2272-4a67-b965-aaaeebc0c904", "Compare": { "Hash": "871101666aeb10bdcfe990d2ff8d1a3e65440187" }, "Files": [ "src/main/java/hello/Greeter.java", "src/main/java/hello/HelloWorld.java" ], "Children": [ { "ArtifactId": "374b505b-ad5d-4d1c-adf3-4b6701c02d34", "PathInfo": { "MinDepth": 3 } }, { "ArtifactId": "0d537ec6-5c97-4353-af09-7b45b102bb4d", "PathInfo": { "MinDepth": 3 } }, { "ArtifactId": "66decff7-52d7-43cf-bb58-66523911c5d6", "Lines": [ { "Start": 19, "End": 23 } ], "Tags": [ "direct" ], "LastEdit": "63310040-22e6-4330-aeca-e9bad36f9835", "PathInfo": { "MinDepth": 2 } }, { "ArtifactId": "0fe373ef-1866-4a4b-81a2-b748d65361ac", "Tags": [ "direct" ], "PathInfo": { "MinDepth": 1 } } ], "Graph": [ { "From": "29e29686-f04c-40db-b0b4-badf960e7778", "To": [ "0fe373ef-1866-4a4b-81a2-b748d65361ac" ] }, { "From": "0fe373ef-1866-4a4b-81a2-b748d65361ac", "To": [ "66decff7-52d7-43cf-bb58-66523911c5d6" ] }, { "From": "66decff7-52d7-43cf-bb58-66523911c5d6", "To": [ "0d537ec6-5c97-4353-af09-7b45b102bb4d", "374b505b-ad5d-4d1c-adf3-4b6701c02d34" ] } ] }, { "Id": "374b505b-ad5d-4d1c-adf3-4b6701c02d34", "Name": "com.fasterxml.jackson.core:jackson-annotations", "Type": "maven", "Class": "pkg", "Language": "java", "Version": { "Type": "maven", "Version": "2.13.2" }, "Purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.13.2", "Compare": { "Hash": "abc40658c64a726831e19a544ccbd263dcce2baa" } }, { "Id": "0d537ec6-5c97-4353-af09-7b45b102bb4d", "Name": "com.fasterxml.jackson.core:jackson-core", "Type": "maven", "Class": "pkg", "Language": "java", "Version": { "Type": "maven", "Version": "2.13.2" }, "Purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.2", "Compare": { "Hash": "3d6d258e577a9d3d327b9cde800bb6e84e4d19ad" } }, { "Id": "66decff7-52d7-43cf-bb58-66523911c5d6", "Name": "com.fasterxml.jackson.core:jackson-databind", "Type": "maven", "Class": "pkg", "Language": "java", "Version": { "Type": "maven", "Version": "2.13.2" }, "Purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", "Compare": { "Hash": "2d51d9fcd60f73df7c880034ff63fae9a138b108" } }, { "Id": "0fe373ef-1866-4a4b-81a2-b748d65361ac", "Name": "org.springframework:test-project", "Type": "maven", "Class": "pkg", "Language": "java", "Version": { "Type": "maven", "Version": "0.1.0" }, "Purl": "pkg:maven/org.springframework/test-project@0.1.0", "Compare": { "Hash": "1fa4b3eb88fa9d18391e2759cddc9bb31eaa6a62" } } ], "Identities": [ { "Id": "379bdb55-c267-4ded-bef4-f852e070d6aa", "Info": { "Name": "Edoardo Pirovano", "Email": "edoardo.pirovano@lacework.net" }, "Compare": { "Hash": "438be50bb9d1727630a304137d1cc2e16ffa433f" } } ], "Repositories": [ { "Id": "1aef42df-adf4-49d7-9639-d43c7cec98a1", "Info": { "Kind": "git", "Location": "ssh://github.com/lacework-dev/code-analysis-test-repo.git", "Branch": "main", "Revision": "dc8b1b4c7f80eeb2892a2ddd1669314eef508d03", "Name": "Edoardo Pirovano", "Email": "edoardo.pirovano@lacework.net", "Timestamp": "2023-07-13T11:01:04+01:00", "DefaultBranch": "main" }, "Edits": [ { "Id": "bfa957fa-2272-4a67-b965-aaaeebc0c904", "Info": { "Time": "2023-06-22T10:30:22+01:00", "Revision": "ec0e67ced3db33046bd4268862b456e6256894b9", "Signature": "unknown" }, "AuthorId": "379bdb55-c267-4ded-bef4-f852e070d6aa" }, { "Id": "63310040-22e6-4330-aeca-e9bad36f9835", "Info": { "Time": "2023-03-14T13:38:44Z", "Revision": "a78e4e9a6575cc998af57e96462d6d9d962ad2c1", "Signature": "unknown" }, "AuthorId": "379bdb55-c267-4ded-bef4-f852e070d6aa" } ], "Compare": { "Hash": "bd67a48121aa4f13b9e82c69095241a8e78ded9f" } } ], "Vulnerabilities": [ { "Id": "8051a408-ff8b-4743-9d40-1d8439a3ecc7", "AffectedArtifactIds": [ "66decff7-52d7-43cf-bb58-66523911c5d6" ], "FixedBy": [ "6daedb41-2386-42fd-b2fe-9a730a116e8d" ], "Info": { "ExternalId": "CVE-2020-36518", "Description": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "Status": "vulnerable", "Severity": "high", "Link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518", "FixVersion": { "Type": "maven", "Version": "2.13.2.1" }, "CVSSv2": { "PublishedDateTime": "2022-03-11T07:15:07.8Z", "Score": 5, "Vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Metrics": { "Exploitability": { "AccessVector": "Network", "AccessComplexity": "Low", "Authentication": "None" }, "Impact": { "Confidentiality": "None", "Integrity": "None", "Availability": "Partial" } } }, "CVSSv3": { "ExploitabilityScore": 3.9, "ImpactScore": 3.6, "Score": 7.5, "Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Metrics": { "Exploitability": { "AttackVector": "Network", "AttackComplexity": "Low", "PrivilegesRequired": "None", "UserInteraction": "None" }, "Scope": "Unchanged", "Impact": { "Confidentiality": "None", "Integrity": "None", "Availability": "High" } } } }, "Compare": { "Hash": "764f44c0869f91cf0f72ecac36618f49671078d5" } }, { "Id": "14393c78-4e56-4b92-b13f-adb61741efcb", "AffectedArtifactIds": [ "66decff7-52d7-43cf-bb58-66523911c5d6" ], "FixedBy": [ "6daedb41-2386-42fd-b2fe-9a730a116e8d" ], "Info": { "ExternalId": "CVE-2022-42004", "Description": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "Status": "vulnerable", "Severity": "high", "Link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004", "FixVersion": { "Type": "maven", "Version": "2.13.4" }, "CVSSv3": { "ExploitabilityScore": 3.9, "ImpactScore": 3.6, "Score": 7.5, "Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Metrics": { "Exploitability": { "AttackVector": "Network", "AttackComplexity": "Low", "PrivilegesRequired": "None", "UserInteraction": "None" }, "Scope": "Unchanged", "Impact": { "Confidentiality": "None", "Integrity": "None", "Availability": "High" } } } }, "Compare": { "Hash": "a2db20a7a3bc16f42a69f251cf4c441a76fd93c7" } }, { "Id": "f96b12dd-a36b-489c-b53d-5df32ad19f2c", "AffectedArtifactIds": [ "66decff7-52d7-43cf-bb58-66523911c5d6" ], "FixedBy": [ "6daedb41-2386-42fd-b2fe-9a730a116e8d" ], "Info": { "ExternalId": "CVE-2022-42003", "Description": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.", "Status": "vulnerable", "Severity": "high", "Link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003", "FixVersion": { "Type": "maven", "Version": "2.13.4.2" }, "CVSSv3": { "ExploitabilityScore": 3.9, "ImpactScore": 3.6, "Score": 7.5, "Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Metrics": { "Exploitability": { "AttackVector": "Network", "AttackComplexity": "Low", "PrivilegesRequired": "None", "UserInteraction": "None" }, "Scope": "Unchanged", "Impact": { "Confidentiality": "None", "Integrity": "None", "Availability": "High" } } } }, "Compare": { "Hash": "b41f1547e3c2592ed9ba1d4d58e4c5d117b4c51e" } } ], "FixSuggestions": [ { "Id": "6daedb41-2386-42fd-b2fe-9a730a116e8d", "Info": { "Recommendations": [ { "FixVersion": { "Type": "maven", "Version": "2.13.4.2" }, "Kind": "Minimal version with no known vulnerabilities" }, { "FixVersion": { "Type": "maven", "Version": "2.13.4.2" }, "Kind": "Maximum version with no known vulnerabilities" } ], "VersionGraphInfo": { "NodeCnt": 4, "EdgeCnt": 6, "ExtraAthenaCalls": 1, "VersionGraph": [ { "Version": "2.13.2", "Edges": [ { "Version": "2.13.2.1", "Severity": "high", "CVE": "CVE-2020-36518" }, { "Version": "2.13.4", "Severity": "high", "CVE": "CVE-2022-42004" }, { "Version": "2.13.4.2", "Severity": "high", "CVE": "CVE-2022-42003" } ] }, { "Version": "2.13.2.1", "Edges": [ { "Version": "2.13.4", "Severity": "high", "CVE": "CVE-2022-42004" }, { "Version": "2.13.4.2", "Severity": "high", "CVE": "CVE-2022-42003" } ] }, { "Version": "2.13.4", "Edges": [ { "Version": "2.13.4.2", "Severity": "high", "CVE": "CVE-2022-42003" } ] }, { "Version": "2.13.4.2" } ] }, "FixSuggestionInfoAsString": "\nAriadne - Sorted Version Graph for package pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2\n 2.13.2 is vulnerable:\n high CVE-2020-36518 FixVersion= 2.13.2.1\n high CVE-2022-42004 FixVersion= 2.13.4\n high CVE-2022-42003 FixVersion= 2.13.4.2\n 2.13.2.1 is vulnerable:\n high CVE-2022-42004 FixVersion= 2.13.4\n high CVE-2022-42003 FixVersion= 2.13.4.2\n 2.13.4 is vulnerable:\n high CVE-2022-42003 FixVersion= 2.13.4.2\n 2.13.4.2 is not vulnerable\n\nAriadne - FixSuggestionInfo results for package pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2\n 2.13.4.2 is the minimal version with no known vulnerabilities\n 2.13.4.2 is the maximum version and it has no known vulnerabilities\n\nAriadne - Stats: the Version Graph has 4 versions (nodes) and 6 CVEs (edges) (diameter=1)\n\n" }, "AffectedArtifactId": "66decff7-52d7-43cf-bb58-66523911c5d6" } ] }