Scan Json Report missing CWEID #8318
Unanswered
jackliu2006 asked this question in Q&A
Replies: 1 comment
-
Hello @jackliu2006, this is a weird case. Regards, Dmitriy
-
Question
Hi,
We are using trivy:0.57.0 to scan our container image. The reports from two scans are not consistent for the same vulnerable PkgPath: they have the same PkgPath and VulnerabilityID, but one has a CWEID and the other is missing it. Has anyone had the same issue?
The one without CWEID:
{
"VulnerabilityID": "CVE-2024-51127",
"PkgName": "org.hornetq:hornetq-core-client",
"PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
"PkgIdentifier": {
"PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
"UID": "342c228cf6228f86"
},
"InstalledVersion": "2.4.9.Final",
"Status": "affected",
"Layer": {
"DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Maven",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
"Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 9.1
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 7.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 7.1
}
}
}
The one with CWEID:
{
"VulnerabilityID": "CVE-2024-51127",
"PkgName": "org.hornetq:hornetq-core-client",
"PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
"PkgIdentifier": {
"PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
"UID": "342c228cf6228f86"
},
"InstalledVersion": "2.4.9.Final",
"Status": "affected",
"Layer": {
"DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Maven",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
"Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
"Severity": "HIGH",
"CweIDs": [
"CWE-22"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 9.1
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 7.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 7.1
}
},
"References": [
"http://hornetq.com",
"https://access.redhat.com/security/cve/CVE-2024-51127",
"https://github.com/JAckLosingHeart/CWE-378/blob/main/CVE-2024-51127.md",
"https://github.com/darranl/hornetq",
"https://github.com/hornetq/hornetq/blob/HornetQ_2_4_9_Final/hornetq-core-client/src/main/java/org/hornetq/core/client/impl/ClientConsumerImpl.java#L665C35-L665C49",
"https://nvd.nist.gov/vuln/detail/CVE-2024-51127",
"https://www.cve.org/CVERecord?id=CVE-2024-51127"
],
"PublishedDate": "2024-11-04T18:15:05.113Z",
"LastModifiedDate": "2024-11-21T09:45:17.017Z"
}
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: linux
Version:
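A practical way to pin down the inconsistency described in the question is to diff the two JSON reports mechanically rather than by eye. The script below is an added example written for this discussion; it is not code from the original post or from the Trivy project. It assumes only the report layout visible in the question (a top-level "Results" list whose entries carry a "Target" and a "Vulnerabilities" list, each vulnerability having PkgPath, VulnerabilityID, PkgIdentifier.UID and an optional CweIDs list). The two sample reports embedded at the bottom are constructed, trimmed copies of the finding quoted above: one without CweIDs, one with ["CWE-22"].

```python
"""Diff two Trivy JSON reports and flag findings whose CweIDs differ.

Added example for this discussion; not code from the original post or from
Trivy itself. Assumes the report layout visible in the question: a
top-level "Results" list, each entry with a "Target" and "Vulnerabilities",
and each vulnerability carrying PkgPath, VulnerabilityID, PkgIdentifier.UID
and an optional CweIDs list.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

Finding = Dict[str, Any]
Key = Tuple[str, str, str, str]


def index_findings(report: Dict[str, Any]) -> Dict[Key, Finding]:
    """Key every finding by (Target, PkgPath, VulnerabilityID, UID) so the
    same jar reported under two paths or layers is not conflated."""
    indexed: Dict[Key, Finding] = {}
    for result in report.get("Results", []) or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities", []) or []:
            key = (
                target,
                vuln.get("PkgPath", ""),
                vuln.get("VulnerabilityID", ""),
                (vuln.get("PkgIdentifier") or {}).get("UID", ""),
            )
            indexed[key] = vuln
    return indexed


def cwe_ids(vuln: Finding) -> List[str]:
    """The CweIDs key is absent when there are none (as in the first block
    quoted above); normalise so a missing key and an empty list compare equal."""
    return sorted(vuln.get("CweIDs") or [])


def diff_cwe_ids(report_a: Dict[str, Any], report_b: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one record per finding whose CweIDs differ between the reports,
    plus one per finding that appears in only one of them."""
    a, b = index_findings(report_a), index_findings(report_b)
    diffs: List[Dict[str, Any]] = []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            diffs.append({"key": key, "only_in": "a" if key in a else "b"})
            continue
        cwe_a, cwe_b = cwe_ids(a[key]), cwe_ids(b[key])
        if cwe_a != cwe_b:
            diffs.append({"key": key, "cwe_a": cwe_a, "cwe_b": cwe_b})
    return diffs


def diff_report_files(path_a: str, path_b: str) -> List[Dict[str, Any]]:
    """Wrapper for two files written with `trivy image -f json -o <file>`."""
    with open(path_a, encoding="utf-8") as fa, open(path_b, encoding="utf-8") as fb:
        return diff_cwe_ids(json.load(fa), json.load(fb))


# Constructed sample data (not real scan output): a trimmed copy of the
# finding quoted in the question, once without CweIDs and once with it.
_FINDING: Finding = {
    "VulnerabilityID": "CVE-2024-51127",
    "PkgName": "org.hornetq:hornetq-core-client",
    "PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/"
               "hornetq-core-client-2.4.9.Final.jar",
    "PkgIdentifier": {"PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
                      "UID": "342c228cf6228f86"},
    "InstalledVersion": "2.4.9.Final",
    "Severity": "HIGH",
}
# "Java" as the Target for jar findings is an assumption about the report shape.
REPORT_A: Dict[str, Any] = {
    "SchemaVersion": 2,
    "Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
                 "Vulnerabilities": [copy.deepcopy(_FINDING)]}],
}
REPORT_B: Dict[str, Any] = copy.deepcopy(REPORT_A)
REPORT_B["Results"][0]["Vulnerabilities"][0]["CweIDs"] = ["CWE-22"]

if __name__ == "__main__":
    for record in diff_cwe_ids(REPORT_A, REPORT_B):
        print(json.dumps(record))
```

Run `diff_report_files("scan1.json", "scan2.json")` on two real reports to get the same records for every finding that flipped. Since CweIDs come from the vulnerability database rather than from the image, the first thing to compare when two scans disagree is the database each run used; recording the output of `trivy --version` (which lists the cached DB version) next to each report makes that comparison possible after the fact.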