diff --git a/cmd/osv-scanner/fix/__snapshots__/command_test.snap b/cmd/osv-scanner/fix/__snapshots__/command_test.snap index 0276e8ad534..c3685face1f 100755 --- a/cmd/osv-scanner/fix/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/fix/__snapshots__/command_test.snap @@ -5297,14 +5297,14 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" }, "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" + "url": "https://github.com/sponsors/epoberezkin", + "type": "github" } }, "node_modules/ansi-regex": { @@ -6233,10 +6233,10 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" } }, "ansi-regex": { @@ -7323,14 +7323,14 @@ Guided remediation (the fix command) can be risky when run on untrusted projects "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" }, "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" + "url": "https://github.com/sponsors/epoberezkin", + "type": "github" } }, "node_modules/ansi-regex": { @@ -8259,10 +8259,10 @@ Guided remediation (the fix command) can be risky when run on untrusted projects "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" } }, "ansi-regex": { @@ -9665,14 +9665,14 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" }, "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" + "url": "https://github.com/sponsors/epoberezkin", + "type": "github" } }, "node_modules/ansi-regex": { @@ -10601,10 +10601,10 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" } }, "ansi-regex": { @@ -11484,14 +11484,14 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" }, "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" + "url": "https://github.com/sponsors/epoberezkin", + "type": "github" } }, "node_modules/ansi-regex": { @@ -12420,10 +12420,10 @@ UNFIXABLE-VULNS: 8 "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { + "uri-js": "^4.2.2", "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-json-stable-stringify": "^2.0.0" } }, "ansi-regex": { diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index 8a91e46a3cc..d4d51e8996a 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap @@ -619,7 +619,7 @@ Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image): -Total 26 packages affected by 91 known vulnerabilities (3 Critical, 41 High, 40 Medium, 4 Low, 3 Unknown) from 2 ecosystems. +Total 26 packages affected by 91 known vulnerabilities (4 Critical, 42 High, 40 Medium, 4 Low, 1 Unknown) from 2 ecosystems. 91 vulnerabilities can be fixed. @@ -678,18 +678,18 @@ Scanning local image tarball "./testdata/test-python-empty.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): -Total 15 packages affected by 27 known vulnerabilities (0 Critical, 7 High, 4 Medium, 2 Low, 14 Unknown) from 2 ecosystems. +Total 15 packages affected by 29 known vulnerabilities (0 Critical, 7 High, 6 Medium, 2 Low, 14 Unknown) from 2 ecosystems. 27 vulnerabilities can be fixed. PyPI -+---------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | -+---------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+---------------+------------+------------------+---------------+ -| pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python | -+---------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| pip | 23.0.1 | Partial fixes Available | 4 | # 7 Layer | python | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -697,13 +697,13 @@ PyPI +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ -+---------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | -+---------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+---------------+------------+------------------+---------------+ -| pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python | -+---------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| pip | 23.0.1 | Partial fixes Available | 4 | # 13 Layer | python | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -750,18 +750,18 @@ Scanning local image tarball "./testdata/test-python-full.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): -Total 21 packages affected by 54 known vulnerabilities (1 Critical, 18 High, 17 Medium, 3 Low, 15 Unknown) from 2 ecosystems. +Total 21 packages affected by 56 known vulnerabilities (1 Critical, 18 High, 19 Medium, 3 Low, 15 Unknown) from 2 ecosystems. 54 vulnerabilities can be fixed. PyPI -+---------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | -+---------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+---------------+------------+------------------+---------------+ -| pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python | -+---------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| pip | 23.0.1 | Partial fixes Available | 4 | # 7 Layer | python | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -790,13 +790,13 @@ PyPI +---------+-------------------+---------------+------------+------------------+---------------+ | idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ -+---------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | -+---------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+---------------+------------+------------------+---------------+ -| pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python | -+---------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +| pip | 23.0.1 | Partial fixes Available | 4 | # 13 Layer | python | ++---------+-------------------+-------------------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | +----------+-------------------+---------------+------------+------------------+---------------+ @@ -864,7 +864,7 @@ Scanning local image tarball "./testdata/test-package-tracing.tar" Container Scanning Result (Alpine Linux v3.20) (Based on "alpine" image): -Total 10 packages affected by 265 known vulnerabilities (1 Critical, 13 High, 13 Medium, 2 Low, 236 Unknown) from 2 ecosystems. +Total 10 packages affected by 265 known vulnerabilities (2 Critical, 14 High, 13 Medium, 2 Low, 234 Unknown) from 2 ecosystems. 265 vulnerabilities can be fixed. @@ -1263,10 +1263,11 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne "index": 7 } }, - "groups": 3, + "groups": 4, "vulnerabilities": [ "PYSEC-2023-228", "GHSA-4xh5-x5gv-qwph", + "GHSA-58qw-9mgm-455v", "GHSA-6vgw-5pg2-w6jp", "GHSA-mq26-g339-26xf" ] @@ -1394,10 +1395,11 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne "index": 13 } }, - "groups": 3, + "groups": 4, "vulnerabilities": [ "PYSEC-2023-228", "GHSA-4xh5-x5gv-qwph", + "GHSA-58qw-9mgm-455v", "GHSA-6vgw-5pg2-w6jp", "GHSA-mq26-g339-26xf" ] @@ -3317,10 +3319,10 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 7, "vulnerabilities": [ - "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", + "USN-8005-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", @@ -3345,10 +3347,10 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 7, "vulnerabilities": [ - "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", + "USN-8005-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", @@ -3447,8 +3449,8 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -3470,8 +3472,8 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -3493,8 +3495,8 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -3516,8 +3518,8 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -4368,10 +4370,10 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 7, "vulnerabilities": [ - "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", + "USN-8005-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", @@ -4396,10 +4398,10 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 7, "vulnerabilities": [ - "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", + "USN-8005-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", @@ -4498,8 +4500,8 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -4521,8 +4523,8 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -4544,8 +4546,8 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", @@ -4567,8 +4569,8 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" }, "groups": 4, "vulnerabilities": [ - "USN-7314-1", "USN-7257-1", + "USN-7314-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 8afac6c2878..a12c5e78004 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml @@ -2369,7 +2369,7 @@ interactions: }, { "id": "USN-7768-1", - "modified": "2026-04-22T11:02:24.586547Z" + "modified": "2026-04-24T10:04:30.308885Z" } ] }, @@ -2387,7 +2387,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -2485,7 +2485,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -2493,11 +2493,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -2545,7 +2545,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -2553,11 +2553,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -2574,11 +2574,11 @@ interactions: }, { "id": "USN-7287-1", - "modified": "2026-04-22T10:55:35.745293Z" + "modified": "2026-04-24T09:57:47.363441Z" }, { "id": "USN-8193-1", - "modified": "2026-04-22T16:44:18.251193Z" + "modified": "2026-04-24T10:13:14.933555Z" } ] }, @@ -2600,7 +2600,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -2645,15 +2645,15 @@ interactions: }, { "id": "USN-7281-1", - "modified": "2026-04-22T10:55:19.204031Z" + "modified": "2026-04-24T09:57:44.272396Z" }, { "id": "USN-7635-1", - "modified": "2026-04-22T11:00:15.256152Z" + "modified": "2026-04-24T10:03:26.589842Z" }, { "id": "USN-8043-1", - "modified": "2026-04-22T11:06:24.165916Z" + "modified": "2026-04-24T10:09:40.727333Z" } ] }, @@ -2686,15 +2686,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -2728,15 +2728,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -2769,15 +2769,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -2809,15 +2809,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -2896,7 +2896,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -2912,7 +2912,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -2928,7 +2928,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -2944,7 +2944,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -3063,19 +3063,19 @@ interactions: }, { "id": "USN-7278-1", - "modified": "2026-04-22T10:54:48.564638Z" + "modified": "2026-04-24T09:57:38.266329Z" }, { "id": "USN-7786-1", - "modified": "2026-04-22T11:02:28.476194Z" + "modified": "2026-04-24T10:05:14.521475Z" }, { "id": "USN-7980-1", - "modified": "2026-04-22T11:05:05.881663Z" + "modified": "2026-04-24T10:09:19.139280Z" }, { "id": "USN-8155-1", - "modified": "2026-04-22T11:07:30.162280Z" + "modified": "2026-04-24T10:12:33.261778Z" } ] }, @@ -3091,7 +3091,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -3159,7 +3159,7 @@ interactions: }, { "id": "USN-7275-1", - "modified": "2026-04-22T10:55:28.234701Z" + "modified": "2026-04-24T09:58:00.297899Z" }, { "id": "USN-7954-1", @@ -3350,7 +3350,7 @@ interactions: }, { "id": "USN-7678-1", - "modified": "2026-04-22T11:00:11.130172Z" + "modified": "2026-04-24T10:04:25.035316Z" } ] }, @@ -4183,7 +4183,7 @@ interactions: }, { "id": "USN-7768-1", - "modified": "2026-04-22T11:02:24.586547Z" + "modified": "2026-04-24T10:04:30.308885Z" } ] }, @@ -4201,7 +4201,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4299,7 +4299,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -4307,11 +4307,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -4359,7 +4359,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -4367,11 +4367,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -4388,11 +4388,11 @@ interactions: }, { "id": "USN-7287-1", - "modified": "2026-04-22T10:55:35.745293Z" + "modified": "2026-04-24T09:57:47.363441Z" }, { "id": "USN-8193-1", - "modified": "2026-04-22T16:44:18.251193Z" + "modified": "2026-04-24T10:13:14.933555Z" } ] }, @@ -4414,7 +4414,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4459,15 +4459,15 @@ interactions: }, { "id": "USN-7281-1", - "modified": "2026-04-22T10:55:19.204031Z" + "modified": "2026-04-24T09:57:44.272396Z" }, { "id": "USN-7635-1", - "modified": "2026-04-22T11:00:15.256152Z" + "modified": "2026-04-24T10:03:26.589842Z" }, { "id": "USN-8043-1", - "modified": "2026-04-22T11:06:24.165916Z" + "modified": "2026-04-24T10:09:40.727333Z" } ] }, @@ -4500,15 +4500,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4542,15 +4542,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4583,15 +4583,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4623,15 +4623,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4710,7 +4710,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4726,7 +4726,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4742,7 +4742,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4758,7 +4758,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4877,19 +4877,19 @@ interactions: }, { "id": "USN-7278-1", - "modified": "2026-04-22T10:54:48.564638Z" + "modified": "2026-04-24T09:57:38.266329Z" }, { "id": "USN-7786-1", - "modified": "2026-04-22T11:02:28.476194Z" + "modified": "2026-04-24T10:05:14.521475Z" }, { "id": "USN-7980-1", - "modified": "2026-04-22T11:05:05.881663Z" + "modified": "2026-04-24T10:09:19.139280Z" }, { "id": "USN-8155-1", - "modified": "2026-04-22T11:07:30.162280Z" + "modified": "2026-04-24T10:12:33.261778Z" } ] }, @@ -4905,7 +4905,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4973,7 +4973,7 @@ interactions: }, { "id": "USN-7275-1", - "modified": "2026-04-22T10:55:28.234701Z" + "modified": "2026-04-24T09:58:00.297899Z" }, { "id": "USN-7954-1", @@ -5164,7 +5164,7 @@ interactions: }, { "id": "USN-7678-1", - "modified": "2026-04-22T11:00:11.130172Z" + "modified": "2026-04-24T10:04:25.035316Z" } ] }, @@ -6011,7 +6011,7 @@ interactions: }, { "id": "USN-7768-1", - "modified": "2026-04-22T11:02:24.586547Z" + "modified": "2026-04-24T10:04:30.308885Z" } ] }, @@ -6030,7 +6030,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -6366,7 +6366,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -6496,7 +6496,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -6504,11 +6504,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -6556,7 +6556,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -6564,11 +6564,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -6585,11 +6585,11 @@ interactions: }, { "id": "USN-7287-1", - "modified": "2026-04-22T10:55:35.745293Z" + "modified": "2026-04-24T09:57:47.363441Z" }, { "id": "USN-8193-1", - "modified": "2026-04-22T16:44:18.251193Z" + "modified": "2026-04-24T10:13:14.933555Z" } ] }, @@ -6611,7 +6611,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -6656,15 +6656,15 @@ interactions: }, { "id": "USN-7281-1", - "modified": "2026-04-22T10:55:19.204031Z" + "modified": "2026-04-24T09:57:44.272396Z" }, { "id": "USN-7635-1", - "modified": "2026-04-22T11:00:15.256152Z" + "modified": "2026-04-24T10:03:26.589842Z" }, { "id": "USN-8043-1", - "modified": "2026-04-22T11:06:24.165916Z" + "modified": "2026-04-24T10:09:40.727333Z" } ] }, @@ -6697,15 +6697,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6739,15 +6739,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6780,15 +6780,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6820,15 +6820,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6907,7 +6907,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6923,7 +6923,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6939,7 +6939,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6955,7 +6955,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -7074,19 +7074,19 @@ interactions: }, { "id": "USN-7278-1", - "modified": "2026-04-22T10:54:48.564638Z" + "modified": "2026-04-24T09:57:38.266329Z" }, { "id": "USN-7786-1", - "modified": "2026-04-22T11:02:28.476194Z" + "modified": "2026-04-24T10:05:14.521475Z" }, { "id": "USN-7980-1", - "modified": "2026-04-22T11:05:05.881663Z" + "modified": "2026-04-24T10:09:19.139280Z" }, { "id": "USN-8155-1", - "modified": "2026-04-22T11:07:30.162280Z" + "modified": "2026-04-24T10:12:33.261778Z" } ] }, @@ -7102,7 +7102,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -7170,7 +7170,7 @@ interactions: }, { "id": "USN-7275-1", - "modified": "2026-04-22T10:55:28.234701Z" + "modified": "2026-04-24T09:58:00.297899Z" }, { "id": "USN-7954-1", @@ -7361,7 +7361,7 @@ interactions: }, { "id": "USN-7678-1", - "modified": "2026-04-22T11:00:11.130172Z" + "modified": "2026-04-24T10:04:25.035316Z" } ] }, @@ -9328,7 +9328,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -9344,7 +9344,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -9506,7 +9506,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -9522,7 +9522,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -9645,7 +9645,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -9661,7 +9661,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -10559,7 +10559,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 3752 + content_length: 3892 body: | { "results": [ @@ -10823,6 +10823,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -10843,6 +10847,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -10949,7 +10957,7 @@ interactions: } headers: Content-Length: - - "3752" + - "3892" Content-Type: - application/json status: 200 OK @@ -11754,7 +11762,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6310 + content_length: 6450 body: | { "results": [ @@ -12116,6 +12124,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -12136,6 +12148,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -12319,7 +12335,7 @@ interactions: } headers: Content-Length: - - "6310" + - "6450" Content-Type: - application/json status: 200 OK @@ -12734,7 +12750,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -12894,7 +12910,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -13054,7 +13070,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -13214,7 +13230,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -13374,7 +13390,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -13534,7 +13550,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -13646,7 +13662,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -13662,7 +13678,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -13746,7 +13762,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -13762,7 +13778,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index 85bc49b3b78..bbf619ec001 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml @@ -800,7 +800,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6310 + content_length: 6450 body: | { "results": [ @@ -1162,6 +1162,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -1182,6 +1186,10 @@ interactions: "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-03-24T01:43:53.135277Z" }, + { + "id": "GHSA-58qw-9mgm-455v", + "modified": "2026-04-24T16:11:51.939364Z" + }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-03-24T01:43:46.425088Z" @@ -1365,7 +1373,7 @@ interactions: } headers: Content-Length: - - "6310" + - "6450" Content-Type: - application/json status: 200 OK @@ -1838,7 +1846,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -1854,7 +1862,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -1918,7 +1926,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -1934,7 +1942,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -2322,7 +2330,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -2434,7 +2442,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -2450,7 +2458,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -2534,7 +2542,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-28387", - "modified": "2026-04-10T06:31:25.158219Z" + "modified": "2026-04-24T17:33:25.485817Z" }, { "id": "ALPINE-CVE-2026-28388", @@ -2550,7 +2558,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-31789", - "modified": "2026-04-10T06:31:30.642935Z" + "modified": "2026-04-24T17:33:30.596643Z" }, { "id": "ALPINE-CVE-2026-31790", @@ -4083,7 +4091,7 @@ interactions: }, { "id": "USN-7768-1", - "modified": "2026-04-22T11:02:24.586547Z" + "modified": "2026-04-24T10:04:30.308885Z" } ] }, @@ -4101,7 +4109,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4199,7 +4207,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -4207,11 +4215,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -4259,7 +4267,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -4267,11 +4275,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -4288,11 +4296,11 @@ interactions: }, { "id": "USN-7287-1", - "modified": "2026-04-22T10:55:35.745293Z" + "modified": "2026-04-24T09:57:47.363441Z" }, { "id": "USN-8193-1", - "modified": "2026-04-22T16:44:18.251193Z" + "modified": "2026-04-24T10:13:14.933555Z" } ] }, @@ -4314,7 +4322,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4359,15 +4367,15 @@ interactions: }, { "id": "USN-7281-1", - "modified": "2026-04-22T10:55:19.204031Z" + "modified": "2026-04-24T09:57:44.272396Z" }, { "id": "USN-7635-1", - "modified": "2026-04-22T11:00:15.256152Z" + "modified": "2026-04-24T10:03:26.589842Z" }, { "id": "USN-8043-1", - "modified": "2026-04-22T11:06:24.165916Z" + "modified": "2026-04-24T10:09:40.727333Z" } ] }, @@ -4400,15 +4408,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4442,15 +4450,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4483,15 +4491,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4523,15 +4531,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -4610,7 +4618,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4626,7 +4634,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4642,7 +4650,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4658,7 +4666,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -4777,19 +4785,19 @@ interactions: }, { "id": "USN-7278-1", - "modified": "2026-04-22T10:54:48.564638Z" + "modified": "2026-04-24T09:57:38.266329Z" }, { "id": "USN-7786-1", - "modified": "2026-04-22T11:02:28.476194Z" + "modified": "2026-04-24T10:05:14.521475Z" }, { "id": "USN-7980-1", - "modified": "2026-04-22T11:05:05.881663Z" + "modified": "2026-04-24T10:09:19.139280Z" }, { "id": "USN-8155-1", - "modified": "2026-04-22T11:07:30.162280Z" + "modified": "2026-04-24T10:12:33.261778Z" } ] }, @@ -4805,7 +4813,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -4873,7 +4881,7 @@ interactions: }, { "id": "USN-7275-1", - "modified": "2026-04-22T10:55:28.234701Z" + "modified": "2026-04-24T09:58:00.297899Z" }, { "id": "USN-7954-1", @@ -5064,7 +5072,7 @@ interactions: }, { "id": "USN-7678-1", - "modified": "2026-04-22T11:00:11.130172Z" + "modified": "2026-04-24T10:04:25.035316Z" } ] }, @@ -5911,7 +5919,7 @@ interactions: }, { "id": "USN-7768-1", - "modified": "2026-04-22T11:02:24.586547Z" + "modified": "2026-04-24T10:04:30.308885Z" } ] }, @@ -5930,7 +5938,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -6266,7 +6274,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -6396,7 +6404,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -6404,11 +6412,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -6456,7 +6464,7 @@ interactions: }, { "id": "USN-7259-1", - "modified": "2026-04-22T10:55:18.855513Z" + "modified": "2026-04-24T09:57:03.419613Z" }, { "id": "USN-7541-1", @@ -6464,11 +6472,11 @@ interactions: }, { "id": "USN-7760-1", - "modified": "2026-04-22T11:02:08.935305Z" + "modified": "2026-04-24T10:04:09.337475Z" }, { "id": "USN-8005-1", - "modified": "2026-04-22T11:06:04.498787Z" + "modified": "2026-04-24T10:17:16.007868Z" } ] }, @@ -6485,11 +6493,11 @@ interactions: }, { "id": "USN-7287-1", - "modified": "2026-04-22T10:55:35.745293Z" + "modified": "2026-04-24T09:57:47.363441Z" }, { "id": "USN-8193-1", - "modified": "2026-04-22T16:44:18.251193Z" + "modified": "2026-04-24T10:13:14.933555Z" } ] }, @@ -6511,7 +6519,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -6556,15 +6564,15 @@ interactions: }, { "id": "USN-7281-1", - "modified": "2026-04-22T10:55:19.204031Z" + "modified": "2026-04-24T09:57:44.272396Z" }, { "id": "USN-7635-1", - "modified": "2026-04-22T11:00:15.256152Z" + "modified": "2026-04-24T10:03:26.589842Z" }, { "id": "USN-8043-1", - "modified": "2026-04-22T11:06:24.165916Z" + "modified": "2026-04-24T10:09:40.727333Z" } ] }, @@ -6597,15 +6605,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6639,15 +6647,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6680,15 +6688,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6720,15 +6728,15 @@ interactions: }, { "id": "USN-7257-1", - "modified": "2026-04-22T10:54:44.735114Z" + "modified": "2026-04-24T09:56:50.512553Z" }, { "id": "USN-7314-1", - "modified": "2026-04-22T10:56:04.510559Z" + "modified": "2026-04-24T10:02:38.476230Z" }, { "id": "USN-7542-1", - "modified": "2026-04-22T10:59:10.069007Z" + "modified": "2026-04-24T10:02:22.909596Z" } ] }, @@ -6807,7 +6815,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6823,7 +6831,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6839,7 +6847,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6855,7 +6863,7 @@ interactions: }, { "id": "USN-7580-1", - "modified": "2026-04-22T11:00:07.090315Z" + "modified": "2026-04-24T10:02:04.398966Z" } ] }, @@ -6974,19 +6982,19 @@ interactions: }, { "id": "USN-7278-1", - "modified": "2026-04-22T10:54:48.564638Z" + "modified": "2026-04-24T09:57:38.266329Z" }, { "id": "USN-7786-1", - "modified": "2026-04-22T11:02:28.476194Z" + "modified": "2026-04-24T10:05:14.521475Z" }, { "id": "USN-7980-1", - "modified": "2026-04-22T11:05:05.881663Z" + "modified": "2026-04-24T10:09:19.139280Z" }, { "id": "USN-8155-1", - "modified": "2026-04-22T11:07:30.162280Z" + "modified": "2026-04-24T10:12:33.261778Z" } ] }, @@ -7002,7 +7010,7 @@ interactions: }, { "id": "USN-7700-1", - "modified": "2026-04-22T11:00:38.812987Z" + "modified": "2026-04-24T10:04:23.618781Z" } ] }, @@ -7070,7 +7078,7 @@ interactions: }, { "id": "USN-7275-1", - "modified": "2026-04-22T10:55:28.234701Z" + "modified": "2026-04-24T09:58:00.297899Z" }, { "id": "USN-7954-1", @@ -7261,7 +7269,7 @@ interactions: }, { "id": "USN-7678-1", - "modified": "2026-04-22T11:00:11.130172Z" + "modified": "2026-04-24T10:04:25.035316Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index c6fe16bf9ff..98bc2314ad3 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -879,7 +879,7 @@ Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Filtered 10 local/unscannable package/s from the scan. -Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 60 Medium, 5 Low, 29 Unknown) from 4 ecosystems. +Total 27 packages affected by 200 known vulnerabilities (22 Critical, 86 High, 64 Medium, 5 Low, 23 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -946,8 +946,8 @@ Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 6 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | 6.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | 4.0 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -992,6 +992,7 @@ Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 6 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-6732 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -1050,17 +1051,17 @@ Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 6 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28386 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28389 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28390 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-31789 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-31790 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | 10.0 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -1086,12 +1087,12 @@ Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 6 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | 2.1 | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -1112,7 +1113,7 @@ Total 27 packages affected by 199 known vulnerabilities (21 Critical, 84 High, 6 | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 5.3 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- @@ -2124,7 +2125,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 59 Medium, 5 Low, 29 Unknown) from 4 ecosystems. +Total 27 packages affected by 194 known vulnerabilities (22 Critical, 81 High, 63 Medium, 5 Low, 23 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -2183,8 +2184,8 @@ Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | 6.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | 4.0 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2229,6 +2230,7 @@ Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-6732 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2287,17 +2289,17 @@ Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 5 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28386 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28389 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28390 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-31789 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-31790 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | 10.0 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2323,12 +2325,12 @@ Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | 2.1 | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2349,7 +2351,7 @@ Total 27 packages affected by 193 known vulnerabilities (21 Critical, 79 High, 5 | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 5.3 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- @@ -2372,7 +2374,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 56 Medium, 5 Low, 29 Unknown) from 3 ecosystems. +Total 24 packages affected by 186 known vulnerabilities (20 Critical, 78 High, 60 Medium, 5 Low, 23 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -2423,8 +2425,8 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | 6.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | 4.0 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2469,6 +2471,7 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-6732 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2527,17 +2530,17 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28386 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28389 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28390 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-31789 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-31790 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | 10.0 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2563,12 +2566,12 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | 2.1 | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2589,7 +2592,7 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 5.3 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- @@ -4648,7 +4651,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 29 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 59 Medium, 5 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -4698,8 +4701,8 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | 6.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | 4.0 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4744,6 +4747,7 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-6732 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4802,17 +4806,17 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28386 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28389 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28390 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-31789 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-31790 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | 10.0 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4838,12 +4842,12 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | 2.1 | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4864,7 +4868,7 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 5.3 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- @@ -4880,7 +4884,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 29 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 59 Medium, 5 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -4930,8 +4934,8 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | 6.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | 4.0 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4976,6 +4980,7 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-6732 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -5034,17 +5039,17 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28386 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28389 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28390 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-31789 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-31790 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | 10.0 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -5070,12 +5075,12 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | 2.1 | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -5096,7 +5101,7 @@ Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 5.3 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index 4b434a0c24e..49c29761351 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -462,7 +462,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -704,7 +704,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -896,7 +896,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -1131,7 +1131,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", @@ -3736,7 +3736,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 23599 + content_length: 23670 body: | { "results": [ @@ -4123,11 +4123,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-23T10:00:15.682147Z" + "modified": "2026-04-24T17:05:20.087743Z" }, { "id": "DEBIAN-CVE-2026-41990", - "modified": "2026-04-23T10:01:21.235502Z" + "modified": "2026-04-24T17:05:01.403901Z" } ] }, @@ -4439,6 +4439,10 @@ interactions: "id": "DEBIAN-CVE-2026-1757", "modified": "2026-03-27T10:02:04.914884Z" }, + { + "id": "DEBIAN-CVE-2026-6732", + "modified": "2026-04-24T17:05:31.472091Z" + }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" @@ -4804,11 +4808,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-28386", - "modified": "2026-04-20T00:00:49.100894Z" + "modified": "2026-04-25T09:02:11.007516Z" }, { "id": "DEBIAN-CVE-2026-28387", - "modified": "2026-04-20T00:00:57.690122Z" + "modified": "2026-04-24T17:04:12.456936Z" }, { "id": "DEBIAN-CVE-2026-28388", @@ -4824,7 +4828,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-31789", - "modified": "2026-04-20T00:00:42.604688Z" + "modified": "2026-04-24T17:05:31.519314Z" }, { "id": "DEBIAN-CVE-2026-31790", @@ -4949,7 +4953,7 @@ interactions: }, { "id": "DEBIAN-CVE-2017-20230", - "modified": "2026-04-22T23:00:59.527466Z" + "modified": "2026-04-24T17:00:07.790339Z" }, { "id": "DEBIAN-CVE-2018-12015", @@ -5085,7 +5089,7 @@ interactions: "vulns": [ { "id": "DEBIAN-CVE-2026-5958", - "modified": "2026-04-23T17:02:53.103271Z" + "modified": "2026-04-24T17:05:24.984708Z" } ] }, @@ -5127,7 +5131,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-07T09:00:52.977033Z" + "modified": "2026-04-24T17:05:22.457544Z" }, { "id": "DLA-3755-1", @@ -5263,7 +5267,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-09T05:00:21.571838Z" + "modified": "2026-04-24T17:02:53.062265Z" }, { "id": "DSA-5123-1", @@ -5329,7 +5333,7 @@ interactions: } headers: Content-Length: - - "23599" + - "23670" Content-Type: - application/json status: 200 OK @@ -5502,7 +5506,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-23T10:44:31.655019Z" + "modified": "2026-04-24T10:29:18.445693Z" }, { "id": "GO-2026-4602", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml index a026feccde3..7bc51cf9e51 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml @@ -132,7 +132,7 @@ interactions: }, { "id": "OSV-2024-340", - "modified": "2026-04-23T14:20:07.226312Z" + "modified": "2026-04-25T14:30:01.386695Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index b302d5dcf91..2c35cecc099 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -1416,7 +1416,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 23599 + content_length: 23670 body: | { "results": [ @@ -1803,11 +1803,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-23T10:00:15.682147Z" + "modified": "2026-04-24T17:05:20.087743Z" }, { "id": "DEBIAN-CVE-2026-41990", - "modified": "2026-04-23T10:01:21.235502Z" + "modified": "2026-04-24T17:05:01.403901Z" } ] }, @@ -2119,6 +2119,10 @@ interactions: "id": "DEBIAN-CVE-2026-1757", "modified": "2026-03-27T10:02:04.914884Z" }, + { + "id": "DEBIAN-CVE-2026-6732", + "modified": "2026-04-24T17:05:31.472091Z" + }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" @@ -2484,11 +2488,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-28386", - "modified": "2026-04-20T00:00:49.100894Z" + "modified": "2026-04-25T09:02:11.007516Z" }, { "id": "DEBIAN-CVE-2026-28387", - "modified": "2026-04-20T00:00:57.690122Z" + "modified": "2026-04-24T17:04:12.456936Z" }, { "id": "DEBIAN-CVE-2026-28388", @@ -2504,7 +2508,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-31789", - "modified": "2026-04-20T00:00:42.604688Z" + "modified": "2026-04-24T17:05:31.519314Z" }, { "id": "DEBIAN-CVE-2026-31790", @@ -2629,7 +2633,7 @@ interactions: }, { "id": "DEBIAN-CVE-2017-20230", - "modified": "2026-04-22T23:00:59.527466Z" + "modified": "2026-04-24T17:00:07.790339Z" }, { "id": "DEBIAN-CVE-2018-12015", @@ -2765,7 +2769,7 @@ interactions: "vulns": [ { "id": "DEBIAN-CVE-2026-5958", - "modified": "2026-04-23T17:02:53.103271Z" + "modified": "2026-04-24T17:05:24.984708Z" } ] }, @@ -2807,7 +2811,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-07T09:00:52.977033Z" + "modified": "2026-04-24T17:05:22.457544Z" }, { "id": "DLA-3755-1", @@ -2943,7 +2947,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-09T05:00:21.571838Z" + "modified": "2026-04-24T17:02:53.062265Z" }, { "id": "DSA-5123-1", @@ -3009,7 +3013,7 @@ interactions: } headers: Content-Length: - - "23599" + - "23670" Content-Type: - application/json status: 200 OK @@ -4080,7 +4084,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 22700 + content_length: 22771 body: | { "results": [ @@ -4435,11 +4439,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-23T10:00:15.682147Z" + "modified": "2026-04-24T17:05:20.087743Z" }, { "id": "DEBIAN-CVE-2026-41990", - "modified": "2026-04-23T10:01:21.235502Z" + "modified": "2026-04-24T17:05:01.403901Z" } ] }, @@ -4751,6 +4755,10 @@ interactions: "id": "DEBIAN-CVE-2026-1757", "modified": "2026-03-27T10:02:04.914884Z" }, + { + "id": "DEBIAN-CVE-2026-6732", + "modified": "2026-04-24T17:05:31.472091Z" + }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" @@ -5116,11 +5124,11 @@ interactions: }, { "id": "DEBIAN-CVE-2026-28386", - "modified": "2026-04-20T00:00:49.100894Z" + "modified": "2026-04-25T09:02:11.007516Z" }, { "id": "DEBIAN-CVE-2026-28387", - "modified": "2026-04-20T00:00:57.690122Z" + "modified": "2026-04-24T17:04:12.456936Z" }, { "id": "DEBIAN-CVE-2026-28388", @@ -5136,7 +5144,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-31789", - "modified": "2026-04-20T00:00:42.604688Z" + "modified": "2026-04-24T17:05:31.519314Z" }, { "id": "DEBIAN-CVE-2026-31790", @@ -5261,7 +5269,7 @@ interactions: }, { "id": "DEBIAN-CVE-2017-20230", - "modified": "2026-04-22T23:00:59.527466Z" + "modified": "2026-04-24T17:00:07.790339Z" }, { "id": "DEBIAN-CVE-2018-12015", @@ -5397,7 +5405,7 @@ interactions: "vulns": [ { "id": "DEBIAN-CVE-2026-5958", - "modified": "2026-04-23T17:02:53.103271Z" + "modified": "2026-04-24T17:05:24.984708Z" } ] }, @@ -5439,7 +5447,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-07T09:00:52.977033Z" + "modified": "2026-04-24T17:05:22.457544Z" }, { "id": "DLA-3755-1", @@ -5575,7 +5583,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-09T05:00:21.571838Z" + "modified": "2026-04-24T17:02:53.062265Z" }, { "id": "DSA-5123-1", @@ -5593,7 +5601,7 @@ interactions: } headers: Content-Length: - - "22700" + - "22771" Content-Type: - application/json status: 200 OK