diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 14da6bd5ef1..e6efd4f909f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -142,6 +142,17 @@ gcloud auth login --update-adc make run-api-server ``` +#### API E2E Snapshots + +If you have made any changes to the API, please update the API query snapshots with + +```shell +gcloud auth login --update-adc +make update-api-snapshots +``` + +and check the git diff to see if the API result changes are expected. + ### Making commits Please follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification for commit messages. This helps us to automate processes like changelog generation and ensures a clear and consistent commit history. diff --git a/Makefile b/Makefile index bfd4e43a4c6..17017e4d94e 100644 --- a/Makefile +++ b/Makefile @@ -47,6 +47,12 @@ api-server-tests: test -f $(HOME)/.config/gcloud/application_default_credentials.json || (echo "GCP Application Default Credentials not set, try 'gcloud auth login --update-adc'"; exit 1) cd gcp/api && docker build -f Dockerfile.esp -t osv/esp:latest . cd gcp/api && ./run_tests.sh $(HOME)/.config/gcloud/application_default_credentials.json + cd gcp/api && ./run_tests_e2e.sh $(HOME)/.config/gcloud/application_default_credentials.json + +update-api-snapshots: + test -f $(HOME)/.config/gcloud/application_default_credentials.json || (echo "GCP Application Default Credentials not set, try 'gcloud auth login --update-adc'"; exit 1) + cd gcp/api && docker build -f Dockerfile.esp -t osv/esp:latest . + cd gcp/api && UPDATE_SNAPS=true ./run_tests_e2e.sh $(HOME)/.config/gcloud/application_default_credentials.json lint: GOTOOLCHAIN=go1.25.5 $(run-cmd) tools/lint_and_format.sh diff --git a/deployment/terraform/environments/oss-vdb/unmanaged.md b/deployment/terraform/environments/oss-vdb/unmanaged.md index cc37c133e3e..94a86781c71 100644 --- a/deployment/terraform/environments/oss-vdb/unmanaged.md +++ b/deployment/terraform/environments/oss-vdb/unmanaged.md @@ -42,6 +42,7 @@ Not everything here needs to be managed by Terraform, this is just for reference - `esp-test` - `osv-user` (unused?) - `terraform-plan` + - `api-e2e-tester` - `worker` (unused?) - A number of IAM permissions - `osv-vulnerabilities GCS bucket health` Monitoring Alert Policy diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index 0b26e84e04f..d7cad579243 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -41,7 +41,16 @@ steps: args: ['bash', '-ex', 'run_tests.sh', '/workspace/dummy.json'] waitFor: ['init', 'sync'] +- name: 'gcr.io/oss-vdb/ci' + id: 'api-snapshot-tests' + dir: gcp/api + args: ['bash', '-ex', 'run_tests_e2e.sh', '/workspace/dummy.json'] + # Don't run at the same time as api-tests + waitFor: ['init', 'sync', 'api-tests'] + timeout: 7200s +serviceAccount: 'projects/oss-vdb/serviceAccounts/api-e2e-tester@oss-vdb.iam.gserviceaccount.com' options: + logging: CLOUD_LOGGING_ONLY env: - CLOUDBUILD=1 diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py new file mode 100644 index 00000000000..281063a320b --- /dev/null +++ b/gcp/api/run_apitester.py @@ -0,0 +1,72 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Run E2E golang cassette API tests.""" + +import os +import sys +import subprocess +import time +import test_server + +_PORT = 8080 + + +def main(): + if len(sys.argv) < 2: + print(f'Usage: {sys.argv[0]} path/to/credential.json') + sys.exit(1) + + credential_path = sys.argv[1] + + # Ensure Docker image is pulled + subprocess.run( + ['docker', 'pull', 'gcr.io/endpoints-release/endpoints-runtime:2'], + check=True) + + print("Starting test server...") + server = test_server.start(credential_path, port=_PORT) + + # Wait for server to start up + time.sleep(10) + + try: + # Determine API URL + if os.getenv('CLOUDBUILD'): + host = test_server.get_cloudbuild_esp_host() + else: + host = 'localhost' + + api_base_url = f"{host}:{_PORT}" + print(f"Running Go tests against {api_base_url}") + + env = os.environ.copy() + env['OSV_API_BASE_URL'] = api_base_url + + # Go tests path + # Assuming this script is in gcp/api/ + go_test_dir = os.path.abspath( + os.path.join(os.path.dirname(__file__), '../../tools/apitester')) + + cmd = ['go', 'test', './...'] + print(f"Executing: {' '.join(cmd)} in {go_test_dir}") + + subprocess.run(cmd, cwd=go_test_dir, env=env, check=True) + + finally: + print("Stopping test server...") + server.stop() + + +if __name__ == '__main__': + main() diff --git a/gcp/api/run_tests_e2e.sh b/gcp/api/run_tests_e2e.sh new file mode 100755 index 00000000000..aebf45a5e02 --- /dev/null +++ b/gcp/api/run_tests_e2e.sh @@ -0,0 +1,31 @@ +#!/bin/bash -x +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ $# -lt 1 ]; then + echo "Usage: $0 /path/to/credential.json" + exit 1 +fi + +export GOOGLE_CLOUD_PROJECT=oss-vdb-test OSV_VULNERABILITIES_BUCKET=osv-test-vulnerabilities + +# Try to start docker if not running (mostly for CI) +service docker start || true + +set -e + +if [ -z "$CLOUDBUILD" ]; then + poetry sync +fi +poetry run python run_apitester.py "$1" diff --git a/tools/apitester/README.md b/tools/apitester/README.md index 6b7d142f140..719ae68737a 100644 --- a/tools/apitester/README.md +++ b/tools/apitester/README.md @@ -46,4 +46,5 @@ Before the test suite is actually run, the cassettes will be "cleaned" so that - the `response` is property is not present, to reduce the size of each cassette By default, requests are made against the local instance of the API, but you can -use the `OSV_API_BASE_URL` to point it against other instances. +use the `OSV_API_BASE_URL` to point it against other instances. +E.g. `OSV_API_BASE_URL=api.test.osv.dev go test ./...` diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap index 59066590159..ff2efcb1020 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap @@ -61,35 +61,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963", @@ -117,7 +117,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -133,51 +133,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -201,35 +201,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963", @@ -257,7 +257,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -273,51 +273,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -333,35 +333,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963", @@ -389,7 +389,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -405,51 +405,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -473,35 +473,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963", @@ -529,7 +529,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -545,51 +545,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -1307,6 +1307,10 @@ "id": "DEBIAN-CVE-2024-12133", "modified": "" }, + { + "id": "DEBIAN-CVE-2025-13151", + "modified": "" + }, { "id": "DLA-3263-1", "modified": "" @@ -1487,10 +1491,6 @@ "id": "DEBIAN-CVE-2024-56171", "modified": "" }, - { - "id": "DEBIAN-CVE-2025-12863", - "modified": "" - }, { "id": "DEBIAN-CVE-2025-24928", "modified": "" @@ -1529,7 +1529,19 @@ }, { "id": "DEBIAN-CVE-2025-9714", - "modified": "" + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-0989", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-0990", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-0992", + "modified": "" }, { "id": "DLA-3012-1", @@ -1815,7 +1827,7 @@ }, { "id": "DEBIAN-CVE-2024-13176", - "modified": "" + "modified": "" }, { "id": "DEBIAN-CVE-2024-2511", @@ -2359,51 +2371,51 @@ "vulns": [ { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -2419,7 +2431,7 @@ "vulns": [ { "id": "GO-2025-3828", - "modified": "" + "modified": "" } ] } @@ -2928,11 +2940,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2940,11 +2952,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2952,11 +2964,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2964,11 +2976,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3012,11 +3024,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3024,11 +3036,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3062,19 +3074,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3082,19 +3094,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3105,27 +3117,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3141,11 +3157,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3153,27 +3169,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3189,35 +3209,47 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } @@ -3406,11 +3438,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3418,11 +3450,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3430,11 +3462,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3442,11 +3474,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3490,11 +3522,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3502,11 +3534,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3540,19 +3572,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3560,19 +3592,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3583,27 +3615,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3619,11 +3655,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3631,27 +3667,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3667,35 +3707,47 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap b/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap index c7fa922010d..012857de860 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap @@ -6,7 +6,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", @@ -74,7 +74,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", @@ -94,7 +94,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap index 194e20f8c60..783c963fe76 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap @@ -27,7 +27,7 @@ "vulns": [ { "id": "GHSA-288c-cq4h-88gq", - "modified": "" + "modified": "" }, { "id": "GHSA-4gq5-ch57-c2mg", @@ -39,7 +39,7 @@ }, { "id": "GHSA-57j2-w4cx-62h2", - "modified": "" + "modified": "" }, { "id": "GHSA-5949-rw7g-wx7w", @@ -151,7 +151,7 @@ }, { "id": "GHSA-jjjh-jjxp-wpff", - "modified": "" + "modified": "" }, { "id": "GHSA-m6x4-97wx-4q27", @@ -195,7 +195,7 @@ }, { "id": "GHSA-rgv9-q543-rqg4", - "modified": "" + "modified": "" }, { "id": "GHSA-rpr3-cw39-3pxh", @@ -316,7 +316,7 @@ "vulns": [ { "id": "GHSA-288c-cq4h-88gq", - "modified": "" + "modified": "" }, { "id": "GHSA-4gq5-ch57-c2mg", @@ -328,7 +328,7 @@ }, { "id": "GHSA-57j2-w4cx-62h2", - "modified": "" + "modified": "" }, { "id": "GHSA-5949-rw7g-wx7w", @@ -440,7 +440,7 @@ }, { "id": "GHSA-jjjh-jjxp-wpff", - "modified": "" + "modified": "" }, { "id": "GHSA-m6x4-97wx-4q27", @@ -484,7 +484,7 @@ }, { "id": "GHSA-rgv9-q543-rqg4", - "modified": "" + "modified": "" }, { "id": "GHSA-rpr3-cw39-3pxh", diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap index bc802edcf12..e1aad04a757 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap @@ -137,7 +137,7 @@ "vulns": [ { "id": "GHSA-8qvm-5x2c-j2w7", - "modified": "" + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap index 66c1c427573..31d87aa9714 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap @@ -51,11 +51,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -63,19 +63,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] } @@ -91,11 +91,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -288,11 +288,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -301,19 +301,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] } @@ -550,11 +550,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -562,11 +562,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -578,19 +578,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -598,27 +598,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -634,19 +638,23 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index 680b407c069..c2b16c15bc6 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap @@ -82,7 +82,11 @@ { "id": "CVE-2022-33068", "details": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.", - "modified": "", + "aliases": [ + "ROOT-OS-DEBIAN-11-CVE-2022-33068", + "ROOT-OS-DEBIAN-bullseye-CVE-2022-33068" + ], + "modified": "", "published": "2022-06-23T17:15:14.350Z", "related": [ "ALSA-2022:8384", @@ -163,7 +167,13 @@ { "id": "CVE-2023-25193", "details": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", - "modified": "", + "aliases": [ + "ROOT-OS-DEBIAN-11-CVE-2023-25193", + "ROOT-OS-DEBIAN-12-CVE-2023-25193", + "ROOT-OS-DEBIAN-bookworm-CVE-2023-25193", + "ROOT-OS-DEBIAN-bullseye-CVE-2023-25193" + ], + "modified": "", "published": "2023-02-04T20:15:08.027Z", "related": [ "ALSA-2023:4158", @@ -264,6 +274,68 @@ } ] }, + { + "id": "CVE-2026-22693", + "summary": "Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS", + "details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", + "aliases": ["GHSA-xvjr-f2r9-c7ww", "ROOT-OS-DEBIAN-13-CVE-2026-22693"], + "modified": "", + "published": "2026-01-10T05:53:21.019Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/11/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/12/1" + }, + { + "type": "ADVISORY", + "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22693.json" + }, + { + "type": "FIX", + "url": "https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae" + }, + { + "type": "ADVISORY", + "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22693" + } + ], + "affected": [ + { + "ranges": [ + { + "type": "GIT", + "repo": "https://github.com/harfbuzz/harfbuzz", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "b0af59229cc233a66106c696534ac39be56093d8" + } + ] + } + ], + "versions": 206, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ] + }, { "id": "OSV-2020-484", "summary": "Heap-buffer-overflow in AAT::KerxSubTableFormat4\u003cAAT::KerxSubTableHeader\u003e::driver_context_t::transition", @@ -675,8 +747,12 @@ "id": "CURL-CVE-2024-9681", "summary": "HSTS subdomain overwrites parent cache entry", "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", - "aliases": ["CVE-2024-9681"], - "modified": "", + "aliases": [ + "CVE-2024-9681", + "ROOT-OS-DEBIAN-11-CVE-2024-9681", + "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681" + ], + "modified": "", "published": "2024-11-05T08:00:00Z", "database_specific": "", "affected": [ @@ -876,12 +952,12 @@ ] }, { - "id": "CURL-CVE-2025-5025", - "summary": "No QUIC certificate pinning with wolfSSL", - "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", - "aliases": ["CVE-2025-5025"], - "modified": "", - "published": "2025-05-28T08:00:00Z", + "id": "CURL-CVE-2025-14017", + "summary": "broken TLS options for threaded LDAPS", + "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.", + "aliases": ["CVE-2025-14017"], + "modified": "", + "published": "2026-01-07T08:00:00Z", "database_specific": "", "affected": [ { @@ -890,10 +966,10 @@ "type": "SEMVER", "events": [ { - "introduced": "8.5.0" + "introduced": "7.17.0" }, { - "fixed": "8.14.0" + "fixed": "8.18.0" } ] }, @@ -902,37 +978,37 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + "introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34" }, { - "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + "fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d" } ] } ], - "versions": 14, + "versions": 143, "database_specific": "" } ], "schema_version": "1.7.3", "credits": [ { - "name": "Hiroki Kurosawa", + "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { - "name": "Stefan Eissing", + "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ] }, { - "id": "CURL-CVE-2025-9086", - "summary": "Out of bounds read for cookie path", - "details": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.", - "aliases": ["CVE-2025-9086"], - "modified": "", - "published": "2025-09-10T08:00:00Z", + "id": "CURL-CVE-2025-14524", + "summary": "bearer token leak on cross-protocol redirect", + "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.", + "aliases": ["CVE-2025-14524"], + "modified": "", + "published": "2026-01-06T08:00:00Z", "database_specific": "", "affected": [ { @@ -941,10 +1017,10 @@ "type": "SEMVER", "events": [ { - "introduced": "7.31.0" + "introduced": "7.33.0" }, { - "fixed": "8.16.0" + "fixed": "8.18.0" } ] }, @@ -953,10 +1029,10 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d" + "introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa" }, { - "fixed": "c6ae07c6a541e0e96d0040afb62b45dd37711300" + "fixed": "1a822275d333dc6da6043497160fd04c8fa48640" } ] } @@ -968,7 +1044,109 @@ "schema_version": "1.7.3", "credits": [ { - "name": "Google Big Sleep", + "name": "anonymous237 on hackerone", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-14819", + "summary": "OpenSSL partial chain store policy bypass", + "details": "When doing TLS related transfers with reused easy or multi handles and\naltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not.", + "aliases": ["CVE-2025-14819"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.87.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "3c16697ebd796f799227be293e8689aec5f8190d" + }, + { + "fixed": "cd046f6c93b39d673a58c18648d8906e954c4f5d" + } + ] + } + ], + "versions": 31, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Stanislav Fort (Aisle Research)", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-15079", + "summary": "libssh global known_hosts override", + "details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.", + "aliases": ["CVE-2025-15079"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "adca486c125d9a6d9565b9607a19dce803a8b479" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", "type": "FINDER" }, { @@ -977,6 +1155,108 @@ } ] }, + { + "id": "CURL-CVE-2025-15224", + "summary": "libssh key passphrase bypass without agent set", + "details": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.", + "aliases": ["CVE-2025-15224"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "16d5f2a5660c61cc27bd5f1c7f512391d1c927aa" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", + "type": "FINDER" + }, + { + "name": "Harry Sintonen", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-5025", + "summary": "No QUIC certificate pinning with wolfSSL", + "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", + "aliases": ["CVE-2025-5025"], + "modified": "", + "published": "2025-05-28T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.14.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + }, + { + "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + } + ] + } + ], + "versions": 14, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Hiroki Kurosawa", + "type": "FINDER" + }, + { + "name": "Stefan Eissing", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, { "id": "CVE-2024-0853", "details": "curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.", @@ -1467,7 +1747,6 @@ "related": [ "ALSA-2025:1671", "ALSA-2025:1673", - "CGA-962m-89hc-rmjq", "RLSA-2025:1673", "SUSE-SU-2024:2784-1", "SUSE-SU-2024:2930-1", @@ -1546,7 +1825,6 @@ "modified": "", "published": "2024-09-11T10:15:02.883Z", "related": [ - "CGA-g55g-qx76-5fjj", "SUSE-SU-2024:3202-1", "SUSE-SU-2024:3203-1", "SUSE-SU-2024:3204-1", @@ -1610,8 +1888,12 @@ { "id": "CVE-2024-9681", "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", - "aliases": ["CURL-CVE-2024-9681"], - "modified": "", + "aliases": [ + "CURL-CVE-2024-9681", + "ROOT-OS-DEBIAN-11-CVE-2024-9681", + "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681" + ], + "modified": "", "published": "2024-11-06T08:15:03.740Z", "related": [ "MGASA-2024-0360", @@ -1710,6 +1992,7 @@ "modified": "", "published": "2025-02-05T10:15:22.710Z", "related": [ + "CGA-gr5c-pjrp-3fmw", "MGASA-2025-0123", "SUSE-SU-2025:0369-1", "SUSE-SU-2025:0370-1", @@ -1768,7 +2051,11 @@ "aliases": ["CURL-CVE-2025-0665"], "modified": "", "published": "2025-02-05T10:15:22.857Z", - "related": ["MGASA-2025-0123", "openSUSE-SU-2025:14809-1"], + "related": [ + "CGA-h2f8-6v5h-2qcp", + "MGASA-2025-0123", + "openSUSE-SU-2025:14809-1" + ], "references": [ { "type": "ADVISORY", @@ -1830,6 +2117,7 @@ "modified": "", "published": "2025-02-05T10:15:22.980Z", "related": [ + "CGA-378j-cghq-mmhg", "MGASA-2025-0123", "SUSE-SU-2025:0369-1", "SUSE-SU-2025:0370-1", @@ -2247,8 +2535,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2331,8 +2619,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", @@ -2420,8 +2708,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", @@ -2518,8 +2806,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2602,8 +2890,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", @@ -2691,8 +2979,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", @@ -2789,8 +3077,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2873,8 +3161,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", @@ -2962,8 +3250,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", diff --git a/tools/apitester/internal/vcr/interactions.go b/tools/apitester/internal/vcr/interactions.go index b61b1bdbc6b..c3d41e49961 100644 --- a/tools/apitester/internal/vcr/interactions.go +++ b/tools/apitester/internal/vcr/interactions.go @@ -3,6 +3,7 @@ package vcr import ( "net/http" "os" + "strings" "testing" "gopkg.in/dnaeon/go-vcr.v4/pkg/cassette" @@ -32,10 +33,11 @@ func Play(t *testing.T, interaction *cassette.Interaction) *http.Response { } req.URL.Host = fetchAPIBaseURL() + req.Host = req.URL.Host req.Header.Set("User-Agent", "osv.dev/apitester") req.ContentLength = -1 - if req.URL.Hostname() == "localhost" || req.URL.Hostname() == "127.0.0.1" { + if req.URL.Hostname() == "localhost" || req.URL.Hostname() == "127.0.0.1" || strings.HasPrefix(req.URL.Hostname(), "192.168.") { req.URL.Scheme = "http" }