{
"info": {
"_postman_id": "d0d26451-4fa8-4836-afdd-895bb6f19d29",
"name": "OPA",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "v1",
"item": [
{
"name": "Create & Update Policies - static_code_analysis",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.static_code_analysis\n\ndefault valid = false\n\nvalid = output {\n\tcount(rules) >= 0\n\toutput := count(rules - rules_matched) == 0\n}\n\ndetail = {\n}\n\nrules[output] {\n\toutput := input.policy.rules[_].metric\n}\n\nrules_matched[metric] {\n\tmetric := input.policy.rules[i].metric\n\tvariable := input.data.measures[metric]\n\trule := input.policy.rules[i]\n\tvalid_value(rule.value, variable, rule.operator)\n}\n\nrules_matched[metric] {\n\tmetric := input.policy.rules[i].metric\n\tmetricSplit := split(metric, \"-\")\n\tmetricCategory := metricSplit[0]\n\tmetricKey := metricSplit[1]\n\tmetricCategory == \"issues\"\n\tvariable := input.data.issues[metricKey]\n\trule := input.policy.rules[i]\n\tvalid_value(rule.value, variable, rule.operator)\n}\n\nvalid_value(rule, value, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(rule)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(rule)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(rule)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(rule)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(rule)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(rule)\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/static_code_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"static_code_analysis"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - unit_tests",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.unit_tests\n\ndefault valid = false\n\nvalid = output {\n\tcount(rules) >= 0\n\toutput := count(rules - rules_matched) == 0\n}\n\ndetail = {\n}\n\nrules[output] {\n\toutput := input.policy.rules[_].metric\n}\n\nrules_matched[metric] {\n\tmetric := input.policy.rules[i].metric\n\tvariable := input.data.measures[metric]\n\trule := input.policy.rules[i]\n\tvalid_value(rule.value, variable, rule.operator)\n}\n\nvalid_value(rule, value, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(rule)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(rule)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(rule)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(rule)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(rule)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(rule)\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/unit_tests",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"unit_tests"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - package_safelist",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.package_safelist\n\ndefault valid = false\n\nvalid = output {\n\tcount(rules) >= 0\n\toutput := count(rules - rules_matched) == 0\n}\n\ndetail = {\n}\n\nrules[output] { \n artifact := input.policy.rules[i].artifact\n version := input.policy.rules[i].version\n output := concat(\"\", [\"^.*:\", artifact, \":\", version, \"$\"])\n} \n\nlibrary[output] { \n output := input.data.components[_].components[_].component_id\n}\n\nrules_matched[output] {\n output := rules[_]\n re_match(output, library[_])\n}\n\nrules_not_matched[output] {\n output := rules - rules_matched\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/package_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"package_safelist"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - cve_safelist",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.cve_safelist\n\ndefault valid = false\n\nvalid = output {\n\tcount(rules) >= 0\n\toutput := count(rules_matched) == 0\n}\n\ndetail = {\n}\n\nrules[output] { \n cve := input.policy.rules[_].cve\n output := concat(\"\", [\"^\", cve, \"$\"])\n} \n\nissues[output] { \n output := input.data.issues[_].cves[_].cve\n}\n\nrules_matched[output] {\n output := rules[_]\n re_match(output, issues[_])\n}\n\nrules_not_matched[output] {\n output := rules - rules_matched\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/cve_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"cve_safelist"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - security_issue_analysis",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.security_issue_analysis\n\ndefault valid = false\ndefault allIssues = 0\ndefault criticalIssues = 0\ndefault highIssues = 0\ndefault mediumIssues = 0\ndefault lowIssues = 0\n\nvalid {\n\tallValid := [output | output := summary[_].valid]\n\tall(allValid)\n}\n\ndetail = {\n}\n\nallIssues = count(input.data.issues)\n\ncriticalIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Critical\"\n\toutput := issue\n}\ncriticalIssues = output {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Critical\"\n\toutput = count(issue)\n} else = output {\n\toutput = 0\n}\n\nhighIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"High\"\n\toutput := issue\n}\nhighIssues = count(highIssuesList)\n\nmediumIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Medium\"\n\toutput := issue\n}\nmediumIssues = count(mediumIssuesList)\n\nlowIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Low\"\n\toutput := issue\n}\nlowIssues = count(lowIssuesList)\n\n\nsummary[output] {\n\toutput := issues_matched(\"All\")\n} {\n\toutput := issues_matched(\"Critical\")\n} {\n\toutput := issues_matched(\"High\")\n} {\n\toutput := issues_matched(\"Medium\")\n} {\n\toutput := issues_matched(\"Low\")\n}\n\nissues_detail = { \"All\": allIssues, \"Critical\": criticalIssues, \"High\": highIssues, \"Medium\": mediumIssues, \"Low\": lowIssues }\n\nissues_matched(severity) = output {\n\trule := input.policy.rules[i]\n\trule.severity == severity\n\tissueCount := issues_detail[severity]\n\tvalid_value(rule.count, issueCount, rule.operator)\n\toutput := issues_object(severity, issueCount, rule.count, rule.operator, true)\n} else = output {\n\trule := input.policy.rules[i]\n\trule.severity == severity\n\tissueCount := issues_detail[severity]\n\toutput := issues_object(severity, issueCount, rule.count, rule.operator, false)\n} \n\nissues_object(severity, issues, rule, operator, valid) = { 
\"severity\": severity, \"issues\" : issues, \"rule\": rule, \"operator\": operator, \"valid\": valid }\n\nvalid_value(rule, value, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(rule)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(rule)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(rule)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(rule)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(rule)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(rule)\n}\n\n\n\n\n\n\n\n\nissuesBySeverity(severity) = [output] {\n\tissue := input.data.issues[_]\n\tissue.severity == severity\n\toutput := issue\n}\n"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/security_issue_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"security_issue_analysis"
]
}
},
"response": []
}
]
},
{
"name": "Query",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"value": "application/json",
"type": "text"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"rules\": {\n \"id\" : \"12345\",\n \"key\" : \"static_code_analysis\",\n \"name\" : \"Static Code Analysis\",\n \"description\":\"The following policy metrics are retrieved from SonarQube\",\n \"order\" : \"0\",\n \"rules\" : [{\n \"key\" : \"lines\",\n \"type\": \"number\",\n \"operator\": \"\",\n \"value\":\"500\"\n },\n {\n \"key\" : \"complexity\", \n \"type\": \"percentage\",\n \"operator\": \"less than\",\n \"value\":\"\"\n },\n {\n \"key\" : \"staticIssuesTotal\", \n \"type\": \"number\",\n \"operator\": \"less than\",\n \"value\": \"10\"\n }]\n },\n \"data\": {\n \"staticIssuesTotal\": \"9\",\n \"staticCriticalIssuesTotal\": \"0\",\n \"staticFilesTotal\": \"29\"\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data"
]
}
},
"response": []
},
{
"name": "Data Static Code Analysis",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"type": "text",
"value": "application/json"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"input\": {\n \"policy\": {\n \"id\": \"12345\",\n \"key\": \"static_code_analysis\",\n \"name\": \"Static Code Analysis\",\n \"description\": \"The following policy metrics are retrieved from SonarQube\",\n \"order\": \"0\",\n \"rules\": [\n {\n \"metric\": \"issues-total\",\n \"operator\": \"less than\",\n \"value\": \"50\"\n },\n {\n \"metric\": \"complexity\",\n \"operator\": \"equals\",\n \"value\": \"0\"\n },\n {\n \"metric\": \"violations\",\n \"operator\": \"less than\",\n \"value\": \"30\"\n }\n ]\n },\n \"data\": {\n \"issues\": {\n \"total\": 40,\n \"blocker\": 4,\n \"critical\": 7,\n \"major\": 16,\n \"minor\": 7,\n \"info\": 6,\n \"filesAnalyzed\": 15\n },\n \"measures\": {\n \"ncloc\": 6010,\n \"complexity\": 964,\n \"violations\": 42\n }\n }\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data/citadel/static_code_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data",
"citadel",
"static_code_analysis"
]
}
},
"response": []
},
{
"name": "Data Unit Tests",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"type": "text",
"value": "application/json"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"input\": {\n \"policy\": {\n \"id\": \"12345\",\n \"key\": \"unit_tests\",\n \"name\": \"Unit Tests\",\n \"description\": \"The following policy metrics are retrieved from SonarQube\",\n \"order\": \"0\",\n \"rules\": [\n {\n \"metric\": \"tests\",\n \"operator\": \"greater than\",\n \"value\": \"10\"\n },\n {\n \"metric\": \"coverage\",\n \"operator\": \"greater than\",\n \"value\": \"10\"\n },\n {\n \"metric\": \"test_errors\",\n \"operator\": \"less than or equal\",\n \"value\": \"0\"\n }\n ]\n },\n \"data\": {\n \"measures\": {\n \"tests\": 2,\n \"test_errors\": 0,\n \"test_failures\": 0,\n \"skipped_tests\": 0,\n \"test_success_density\": 100,\n \"test_execution_time\": 7,\n \"coverage\": 30,\n \"lines_to_cover\": 10,\n \"uncovered_lines\": 7,\n \"line_coverage\": 30\n }\n }\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data/citadel/unit_tests",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data",
"citadel",
"unit_tests"
]
}
},
"response": []
},
{
"name": "Data Package Safelist",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"type": "text",
"value": "application/json"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"input\": {\n \"policy\": {\n \"id\": \"12345\",\n \"key\": \"package_safelist\",\n \"name\": \"Package Safe List\",\n \"description\": \"\",\n \"order\": \"1\",\n \"rules\": [\n {\n \"type\": \"maven\",\n \"artifact\": \"commons-.*\",\n \"version\": \".*\"\n },\n {\n \"type\": \"maven\",\n \"artifact\": \"jackson-annotations\",\n \"version\": \"3.[0-9].*\"\n }\n ]\n },\n \"data\": {\n \t \"artifact\":{\n \"name\":\"ise/bmrg-service-ci:6.4.9-175\",\n \"path\":\"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.4.9-175/\",\n \"pkg_type\":\"Docker\",\n \"sha256\":\"d58922cb310d654d0b1d17054817464e379f28bc378ae7a6072dac08df43708e\",\n \"component_id\":\"ise/bmrg-service-ci:6.4.9-175\"\n },\n \t\"components\":[\n \t\t\t{\n \"component_name\": \"service.jar\",\n \"component_id\": \"net.boomerangplatform:service-ci:${version.name}\",\n \"package_type\": \"Maven\",\n \"created\": \"2019-05-04T12:43:27Z\",\n \"components\": [\n {\n \"component_name\": \"spring-security-core-4.2.3.RELEASE.jar\",\n \"component_id\": \"org.springframework.security:spring-security-samples-preauth:4.2.3.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-06-07T23:20:14Z\",\n \"components\": []\n },\n {\n \"component_name\": \"lib-util-0.2.8.jar\",\n \"component_id\": \"net.boomerangplatform:lib-util:${version.name}\",\n \"package_type\": \"Maven\",\n \"created\": \"2019-04-17T14:40:52Z\",\n \"components\": []\n },\n {\n \"component_name\": \"aspectjweaver-1.8.10.jar\",\n \"component_id\": \"org.aspectj:aspectjweaver:1.8.10\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-12-12T05:08:02Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-aop-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter-aop:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:16Z\",\n \"components\": []\n },\n {\n \"component_name\": \"lib-audit-0.1.31.jar\",\n \"component_id\": 
\"net.boomerangplatform:lib-audit:${version.name}\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-11-20T12:22:32Z\",\n \"components\": []\n },\n {\n \"component_name\": \"log4j-web-2.7.jar\",\n \"component_id\": \"org.apache.logging.log4j:log4j-web:2.7\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-02T06:31:10Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jackson-annotations-2.8.0.jar\",\n \"component_id\": \"com.fasterxml.jackson.core:jackson-annotations:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-07-03T17:20:36Z\",\n \"components\": []\n },\n {\n \"component_name\": \"json-20090211_1.jar\",\n \"component_id\": \"org.apache.geronimo.bundles:${pkgArtifactId}:20090211_1\",\n \"package_type\": \"Maven\",\n \"created\": \"2010-12-17T04:29:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jackson-datatype-json-org-2.8.10.jar\",\n \"component_id\": \"com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.8.10\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-24T00:19:22Z\",\n \"components\": []\n },\n {\n \"component_name\": \"lib-mongo-2.4.18.jar\",\n \"component_id\": \"net.boomerangplatform:lib-mongo:${version.name}\",\n \"package_type\": \"Maven\",\n \"created\": \"2019-05-01T11:25:20Z\",\n \"components\": []\n },\n {\n \"component_name\": \"lib-rest-0.0.6.jar\",\n \"component_id\": \"net.boomerangplatform:lib-rest:0.0.6\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-05-01T03:56:32Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-lang3-3.7.jar\",\n \"component_id\": \"org.apache.commons:commons-lang3:3.7\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-11-04T07:15:00Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-text-1.3.jar\",\n \"component_id\": \"org.apache.commons:commons-text:1.3\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-03-16T06:26:00Z\",\n \"components\": []\n },\n {\n \"component_name\": 
\"spring-security-web-4.2.3.RELEASE.jar\",\n \"component_id\": \"org.springframework.security:spring-security-samples-preauth:4.2.3.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-06-07T23:20:28Z\",\n \"components\": []\n },\n {\n \"component_name\": \"aopalliance-1.0.jar\",\n \"component_id\": \"aopalliance:aopalliance:1.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2004-03-19T08:57:02Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-security-config-4.2.3.RELEASE.jar\",\n \"component_id\": \"org.springframework.security:spring-security-samples-preauth:4.2.3.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-06-07T23:20:36Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jjwt-0.9.0.jar\",\n \"component_id\": \"io.jsonwebtoken:jjwt:0.9.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-10-10T10:14:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"lib-security-0.1.16.jar\",\n \"component_id\": \"net.boomerangplatform:lib-security:${version.name}\",\n \"package_type\": \"Maven\",\n \"created\": \"2019-01-24T13:02:26Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jaxb-api-2.3.0.jar\",\n \"component_id\": \"javax.xml.bind:jaxb-api:2.3.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-07-31T08:27:16Z\",\n \"components\": []\n },\n {\n \"component_name\": \"mapstruct-1.2.0.Final.jar\",\n \"component_id\": \"org.mapstruct:mapstruct:1.2.0.Final\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-10-17T18:14:00Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-plugin-metadata-1.2.0.RELEASE.jar\",\n \"component_id\": \"org.springframework.plugin:spring-plugin-metadata:1.2.0.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2015-03-04T20:12:22Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-plugin-core-1.2.0.RELEASE.jar\",\n \"component_id\": \"org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE\",\n \"package_type\": 
\"Maven\",\n \"created\": \"2015-03-04T20:12:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"classmate-1.3.4.jar\",\n \"component_id\": \"com.fasterxml:classmate:1.3.4\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-09T09:47:28Z\",\n \"components\": []\n },\n {\n \"component_name\": \"guava-20.0.jar\",\n \"component_id\": \"com.google.guava:guava:20.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-28T11:56:18Z\",\n \"components\": []\n },\n {\n \"component_name\": \"javassist-3.21.0-GA.jar\",\n \"component_id\": \"org.javassist:javassist:3.21.0-GA\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-03T07:44:56Z\",\n \"components\": []\n },\n {\n \"component_name\": \"reflections-0.9.11.jar\",\n \"component_id\": \"org.reflections:reflections:0.9.11\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-24T10:32:14Z\",\n \"components\": []\n },\n {\n \"component_name\": \"springfox-spring-web-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:14:22Z\",\n \"components\": []\n },\n {\n \"component_name\": \"springfox-swagger-common-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:14:46Z\",\n \"components\": []\n },\n {\n \"component_name\": \"springfox-schema-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:14:34Z\",\n \"components\": []\n },\n {\n \"component_name\": \"byte-buddy-1.7.9.jar\",\n \"component_id\": \"net.bytebuddy:byte-buddy:1.7.9\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-11-06T16:54:00Z\",\n \"components\": []\n },\n {\n \"component_name\": \"springfox-core-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:14:08Z\",\n \"components\": []\n },\n {\n 
\"component_name\": \"springfox-spi-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:14:08Z\",\n \"components\": []\n },\n {\n \"component_name\": \"swagger-models-1.5.14.jar\",\n \"component_id\": \"io.swagger:swagger-models:1.5.14\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-06-13T08:31:16Z\",\n \"components\": []\n },\n {\n \"component_name\": \"swagger-annotations-1.5.14.jar\",\n \"component_id\": \"io.swagger:swagger-annotations:1.5.14\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-06-13T08:30:58Z\",\n \"components\": []\n },\n {\n \"component_name\": \"springfox-swagger2-2.8.0.jar\",\n \"component_id\": \"io.springfox:springfox-core:2.8.0\",\n \"package_type\": \"Maven\",\n \"created\": \"2018-01-14T10:16:04Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-actuator-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-actuator:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:18:10Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-actuator-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter-actuator:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:42Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-io-2.4.jar\",\n \"component_id\": \"commons-io:commons-io:2.4\",\n \"package_type\": \"Maven\",\n \"created\": \"2012-06-12T13:19:42Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-codec-1.10.jar\",\n \"component_id\": \"commons-codec:commons-codec:1.10\",\n \"package_type\": \"Maven\",\n \"created\": \"2014-11-06T03:14:42Z\",\n \"components\": []\n },\n {\n \"component_name\": \"httpcore-4.4.6.jar\",\n \"component_id\": \"org.apache.httpcomponents:httpcore:4.4.6\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-01-07T08:49:50Z\",\n \"components\": 
[]\n },\n {\n \"component_name\": \"httpclient-4.5.3.jar\",\n \"component_id\": \"org.apache.httpcomponents:httpclient:4.5.3\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-01-21T11:00:04Z\",\n \"components\": []\n },\n {\n \"component_name\": \"slf4j-api-1.7.25.jar\",\n \"component_id\": \"org.slf4j:slf4j-api:1.7.25\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-16T12:36:32Z\",\n \"components\": []\n },\n {\n \"component_name\": \"mongo-java-driver-3.4.3.jar\",\n \"component_id\": \"org.mongodb:mongo-java-driver:3.4.3\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-07-31T11:09:56Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-data-commons-1.13.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.data:spring-data-commons:1.13.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-11T06:53:48Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-expression-4.3.11.RELEASE.jar\",\n \"component_id\": \"org.springframework:spring-expression:4.3.11.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-11T02:56:06Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-beans-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-beans-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:55:54Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-context-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-context-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:56:20Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-tx-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-tx-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:56:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-data-mongodb-1.10.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.data:spring-data-mongodb:1.10.7.RELEASE\",\n \"package_type\": \"Maven\",\n 
\"created\": \"2017-09-11T07:08:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jul-to-slf4j-1.7.25.jar\",\n \"component_id\": \"org.slf4j:jul-to-slf4j:1.7.25\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-16T12:37:48Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jcl-over-slf4j-1.7.25.jar\",\n \"component_id\": \"org.slf4j:jcl-over-slf4j:1.7.25\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-16T12:37:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"log4j-core-2.7.jar\",\n \"component_id\": \"org.apache.logging.log4j:log4j-core:2.7\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-02T06:24:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"log4j-api-2.7.jar\",\n \"component_id\": \"org.apache.logging.log4j:log4j-api:2.7\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-02T06:14:18Z\",\n \"components\": []\n },\n {\n \"component_name\": \"log4j-slf4j-impl-2.7.jar\",\n \"component_id\": \"org.apache.logging.log4j:log4j-slf4j-impl:2.7\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-10-02T06:29:54Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-log4j2-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter-log4j2:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:40Z\",\n \"components\": []\n },\n {\n \"component_name\": \"snakeyaml-1.17.jar\",\n \"component_id\": \"org.yaml:snakeyaml:1.17\",\n \"package_type\": \"Maven\",\n \"created\": \"2016-02-19T07:13:32Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-autoconfigure-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-autoconfigure:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:13:50Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot:1.5.7.RELEASE\",\n 
\"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:07:20Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:14Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-core-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-core-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:55:48Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-webmvc-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-webmvc-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:58:32Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-aop-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-aop-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:55:56Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-web-4.3.11.RELEASE.jar\",\n \"component_id\": \"spring-web-4.3.11.RELEASE.jar\",\n \"package_type\": \"Generic\",\n \"created\": \"2017-09-11T02:57:44Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jackson-core-2.8.10.jar\",\n \"component_id\": \"com.fasterxml.jackson.core:jackson-core:2.8.10\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-23T16:24:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jackson-databind-2.8.10.jar\",\n \"component_id\": \"com.fasterxml.jackson.core:jackson-databind:2.8.10\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-23T23:27:26Z\",\n \"components\": []\n },\n {\n \"component_name\": \"jboss-logging-3.3.1.Final.jar\",\n \"component_id\": \"org.jboss.logging:jboss-logging:3.3.1.Final\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-15T08:22:08Z\",\n \"components\": []\n },\n {\n \"component_name\": \"validation-api-1.1.0.Final.jar\",\n \"component_id\": 
\"javax.validation:validation-api:1.1.0.Final\",\n \"package_type\": \"Maven\",\n \"created\": \"2013-04-10T10:02:44Z\",\n \"components\": []\n },\n {\n \"component_name\": \"hibernate-validator-5.3.5.Final.jar\",\n \"component_id\": \"org.hibernate:hibernate-validator:5.3.5.Final\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-03-15T08:14:58Z\",\n \"components\": []\n },\n {\n \"component_name\": \"tomcat-embed-websocket-8.5.20.jar\",\n \"component_id\": \"org.apache.tomcat.embed:tomcat-embed-websocket:8.5.20\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-02T17:36:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"tomcat-embed-el-8.5.20.jar\",\n \"component_id\": \"org.apache.tomcat.embed:tomcat-embed-el:8.5.20\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-02T17:36:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"tomcat-embed-core-8.5.20.jar\",\n \"component_id\": \"org.apache.tomcat.embed:tomcat-embed-core:8.5.20\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-08-02T17:36:12Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-tomcat-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter-tomcat:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"spring-boot-starter-web-1.5.7.RELEASE.jar\",\n \"component_id\": \"org.springframework.boot:spring-boot-starter-web:1.5.7.RELEASE\",\n \"package_type\": \"Maven\",\n \"created\": \"2017-09-12T05:19:30Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-collections-3.2.2.jar\",\n \"component_id\": \"commons-collections:commons-collections:3.2.2\",\n \"package_type\": \"Maven\",\n \"created\": \"2015-11-12T18:10:38Z\",\n \"components\": []\n },\n {\n \"component_name\": \"commons-beanutils-1.9.3.jar\",\n \"component_id\": \"commons-beanutils:commons-beanutils:1.9.3\",\n \"package_type\": \"Maven\",\n 
\"created\": \"2016-09-21T12:21:16Z\",\n \"components\": []\n }\n ]\n }]\n }\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data/citadel/package_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data",
"citadel",
"package_safelist"
]
}
},
"response": []
},
{
"name": "Data CVE Safelist",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"type": "text",
"value": "application/json"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"input\": {\n \"policy\": {\n \"id\": \"12345\",\n \"key\": \"cve_safelist\",\n \"name\": \"CVE Safe List\",\n \"description\": \"\",\n \"order\": \"2\",\n \"rules\": [\n {\n \"cve\": \"CVE-2018-14718\"\n }\n ]\n },\n \"data\": {\n \t \"issues\": [\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14718\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.051Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. 
An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.\",\n \"description\": \"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1259\",\n \"cwe\": [\n \"CWE-611\"\n ],\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"cvss_v3\": \"7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ],\n \"created\": \"2019-02-13T00:00:00.174Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness\",\n \"description\": \"Apache Commons IO contains a flaw that allows traversing outside of a restricted path. The issue is due to FileNameUtils.normalize not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). 
With a specially crafted request, a remote attacker can disclose arbitrary files.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\"\n }\n ],\n \"created\": \"2019-03-13T00:00:00.128Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/commons-io-2.4.jar\"\n ]\n },\n {\n \"summary\": \"In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().\",\n \"description\": \"In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. 
By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7536\",\n \"cwe\": [\n \"CWE-264\"\n ],\n \"cvss_v2\": \"4.4/CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"7.0/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-07-04T00:00:00.119Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/hibernate-validator-5.3.5.Final.jar\"\n ]\n },\n {\n \"summary\": \"A vulnerability was detected in the latest Jackson JSON library. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525. (S2-055)\",\n \"description\": \"A vulnerability was detected in the latest Jackson JSON library. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525. 
(S2-055)\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7525\"\n }\n ],\n \"created\": \"2017-12-02T00:00:00.758Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14721\",\n \"cwe\": [\n \"CWE-918\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.774Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n 
\"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14719\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.958Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.\",\n \"description\": \"A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7525\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2017-11-22T00:00:00.536Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\",\n \"description\": \"FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-17485\",\n \"cwe\": [\n \"CWE-94\",\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-01-29T00:00:00.841Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.\",\n \"description\": \"Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. 
An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1273\",\n \"cwe\": [\n \"CWE-20\"\n ],\n \"cvss_v2\": \"7.5/(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-07-22T00:00:00.392Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Apache Commons IO Java Deserialization Remote Code Execution\",\n \"description\": \"Apache Commons IO contains a flaw that is due to the program failing to restrict which class can be serialized. 
This may allow a remote attacker to execute arbitrary Java code via deserialization methods.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cvss_v2\": \"10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\"\n }\n ],\n \"created\": \"2019-03-25T00:00:00.856Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/commons-io-2.4.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14720\",\n \"cwe\": [\n \"CWE-611\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.864Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n 
\"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19361\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.502Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19360\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.592Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\",\n \"description\": \"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-7489\",\n \"cwe\": [\n \"CWE-502\",\n \"CWE-184\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-04-04T00:00:00.751Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.\",\n \"description\": \"FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. 
This is exploitable via two different gadgets that bypass a blacklist.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-5968\",\n \"cwe\": [\n \"CWE-502\",\n \"CWE-184\"\n ],\n \"cvss_v2\": \"5.1/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-01-29T00:00:00.685Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\",\n \"description\": \"In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-5645\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2017-07-05T00:00:00.963Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/log4j-core-2.7.jar\"\n ]\n },\n {\n \"summary\": \"It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.\",\n \"description\": 
\"It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.\",\n \"issue_type\": \"security\",\n \"severity\": \"Low\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-2595\",\n \"cwe\": [\n \"CWE-22\"\n ],\n \"cvss_v2\": \"4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N\",\n \"cvss_v3\": \"6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ],\n \"created\": \"2019-02-21T00:00:00.423Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jboss-logging-3.3.1.Final.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).\",\n \"description\": \"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. 
An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1274\",\n \"cwe\": [\n \"CWE-399\"\n ],\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"cvss_v3\": \"7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"created\": \"2019-02-13T00:00:00.083Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.\",\n \"description\": \"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-10237\",\n \"cwe\": [\n 
\"CWE-502\"\n ],\n \"cvss_v2\": \"4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"cvss_v3\": \"5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"created\": \"2018-07-04T00:00:00.070Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/guava-20.0.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19362\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.410Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n }\n ]\n }\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data/citadel/cve_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data",
"citadel",
"cve_safelist"
]
}
},
"response": []
},
{
"name": "Data Security Issues Analysis",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"type": "text",
"value": "application/json"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"input\": {\n \"policy\": {\n \"id\": \"12345\",\n \"key\": \"security_issue_analysis\",\n \"name\": \"security_issue_analysis\",\n \"description\": \"\",\n \"order\": \"2\",\n \"rules\": [\n {\n \"severity\": \"High\",\n \"operator\": \"less than\",\n \"count\": \"10\"\n },\n {\n \"severity\": \"Medium\",\n \"operator\": \"less than\",\n \"count\": \"10\"\n }\n ]\n },\n \"data\": {\n \t \"issues\": [\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14718\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.051Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. 
An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.\",\n \"description\": \"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1259\",\n \"cwe\": [\n \"CWE-611\"\n ],\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"cvss_v3\": \"7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ],\n \"created\": \"2019-02-13T00:00:00.174Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness\",\n \"description\": \"Apache Commons IO contains a flaw that allows traversing outside of a restricted path. The issue is due to FileNameUtils.normalize not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). 
With a specially crafted request, a remote attacker can disclose arbitrary files.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\"\n }\n ],\n \"created\": \"2019-03-13T00:00:00.128Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/commons-io-2.4.jar\"\n ]\n },\n {\n \"summary\": \"In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().\",\n \"description\": \"In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. 
By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7536\",\n \"cwe\": [\n \"CWE-264\"\n ],\n \"cvss_v2\": \"4.4/CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"7.0/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-07-04T00:00:00.119Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/hibernate-validator-5.3.5.Final.jar\"\n ]\n },\n {\n \"summary\": \"A vulnerability was detected in the latest Jackson JSON library. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525. (S2-055)\",\n \"description\": \"A vulnerability was detected in the latest Jackson JSON library. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525. 
(S2-055)\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7525\"\n }\n ],\n \"created\": \"2017-12-02T00:00:00.758Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14721\",\n \"cwe\": [\n \"CWE-918\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.774Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n 
\"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14719\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.958Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.\",\n \"description\": \"A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-7525\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2017-11-22T00:00:00.536Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\",\n \"description\": \"FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-17485\",\n \"cwe\": [\n \"CWE-94\",\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-01-29T00:00:00.841Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.\",\n \"description\": \"Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. 
An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1273\",\n \"cwe\": [\n \"CWE-20\"\n ],\n \"cvss_v2\": \"7.5/(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-07-22T00:00:00.392Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Apache Commons IO Java Deserialization Remote Code Execution\",\n \"description\": \"Apache Commons IO contains a flaw that is due to the program failing to restrict which class can be serialized. 
This may allow a remote attacker to execute arbitrary Java code via deserialization methods.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cvss_v2\": \"10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\"\n }\n ],\n \"created\": \"2019-03-25T00:00:00.856Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/commons-io-2.4.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-14720\",\n \"cwe\": [\n \"CWE-611\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.864Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n 
\"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19361\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.502Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19360\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.592Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\",\n \"description\": \"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-7489\",\n \"cwe\": [\n \"CWE-502\",\n \"CWE-184\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-04-04T00:00:00.751Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.\",\n \"description\": \"FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. 
This is exploitable via two different gadgets that bypass a blacklist.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-5968\",\n \"cwe\": [\n \"CWE-502\",\n \"CWE-184\"\n ],\n \"cvss_v2\": \"5.1/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2018-01-29T00:00:00.685Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n },\n {\n \"summary\": \"In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\",\n \"description\": \"In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-5645\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2017-07-05T00:00:00.963Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/log4j-core-2.7.jar\"\n ]\n },\n {\n \"summary\": \"It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.\",\n \"description\": 
\"It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.\",\n \"issue_type\": \"security\",\n \"severity\": \"Low\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2017-2595\",\n \"cwe\": [\n \"CWE-22\"\n ],\n \"cvss_v2\": \"4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N\",\n \"cvss_v3\": \"6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ],\n \"created\": \"2019-02-21T00:00:00.423Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jboss-logging-3.3.1.Final.jar\"\n ]\n },\n {\n \"summary\": \"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).\",\n \"description\": \"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. 
An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-1274\",\n \"cwe\": [\n \"CWE-399\"\n ],\n \"cvss_v2\": \"5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"cvss_v3\": \"7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"created\": \"2019-02-13T00:00:00.083Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/spring-data-commons-1.13.7.RELEASE.jar\"\n ]\n },\n {\n \"summary\": \"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.\",\n \"description\": \"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.\",\n \"issue_type\": \"security\",\n \"severity\": \"Medium\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-10237\",\n \"cwe\": [\n 
\"CWE-502\"\n ],\n \"cvss_v2\": \"4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"cvss_v3\": \"5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"created\": \"2018-07-04T00:00:00.070Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/guava-20.0.jar\"\n ]\n },\n {\n \"summary\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.\",\n \"description\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.\",\n \"issue_type\": \"security\",\n \"severity\": \"High\",\n \"provider\": \"JFrog\",\n \"cves\": [\n {\n \"cve\": \"CVE-2018-19362\",\n \"cwe\": [\n \"CWE-502\"\n ],\n \"cvss_v2\": \"7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"cvss_v3\": \"9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"created\": \"2019-01-29T00:00:00.410Z\",\n \"impact_path\": [\n \"boomerang-artifactory/boomeranglib-docker/ise/bmrg-service-ci/6.3.29-165/sha256__e2782ebc9215525d821053b4f6bb5e79af1f2c199cce7d1ee5aa27d401805747.tar.gz/service.jar/BOOT-INF/lib/jackson-databind-2.8.10.jar\"\n ]\n }\n ]\n }\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/data/citadel/security_issue_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"data",
"citadel",
"security_issue_analysis"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - static_code_analysis v2",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.static_code_analysis\n\ndefault valid = false\n\nvalid = true {\n\tcount(rules) >= 0\n\tcount(violations) == 0\n}\n\nrules[{\n\t\"metric\": metric,\n\t\"value\": value,\n\t\"operator\": operator, \n\t\"measure\": measure\n}] {\n\tmetric := input.policy.rules[i].metric\n\trule := input.policy.rules[i]\n\tmeasure := rule.value\n\toperator := rule.operator\n\tvalue := input.data.measures[metric]\n} {\n\tmetric := input.policy.rules[i].metric\n\trule := input.policy.rules[i]\n\tmeasure := rule.value\n\toperator := rule.operator\n\tmetricSplit := split(metric, \"-\")\n\tmetricCategory := metricSplit[0]\n\tmetricKey := metricSplit[1]\n\tmetricCategory == \"issues\"\n\tvalue := input.data.issues[metricKey]\n}\n\nviolations[{\n\t\"metric\": metric,\n\t\"message\": message,\n\t\"valid\": false\n}] {\n\tmetric := rules[i].metric\n\tnot valid_value(rules[i].value, rules[i].measure, rules[i].operator)\n\tmessage := sprintf(\"%v %s %v was not satisfied\", [rules[i].value, rules[i].operator, rules[i].measure])\n}\n\nvalid_value(value, measure, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(measure)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(measure)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(measure)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(measure)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(measure)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(measure)\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/static_code_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"static_code_analysis"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - unit_tests v2",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.unit_tests\n\ndefault valid = false\n\nvalid = true {\n\tcount(rules) >= 0\n\tcount(violations) == 0\n}\n\nrules[{\n\t\"metric\": metric,\n\t\"value\": value,\n\t\"operator\": operator, \n\t\"measure\": measure\n}] {\n\tmetric := input.policy.rules[i].metric\n\trule := input.policy.rules[i]\n\tmeasure := rule.value\n\toperator := rule.operator\n\tvalue := input.data.measures[metric]\n}\n\nviolations[{\n\t\"metric\": metric,\n\t\"message\": message,\n\t\"valid\": false\n}] {\n\tmetric := rules[i].metric\n\tnot valid_value(rules[i].value, rules[i].measure, rules[i].operator)\n\tmessage := sprintf(\"%v %s %v was not satisfied\", [rules[i].value, rules[i].operator, rules[i].measure])\n}\n\nvalid_value(value, measure, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(measure)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(measure)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(measure)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(measure)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(measure)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(measure)\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/unit_tests",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"unit_tests"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - package_safelist v2",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.package_safelist\n\ndefault valid = false\n\nvalid = true {\n\tcount(rules) >= 0\n\tcount(violations) == 0\n}\n\nrules[{\n\t\"type\": \"maven\",\n\t\"artifact\": artifact,\n\t\"version\": version,\n\t\"metric\": metric\n}] {\n artifact := input.policy.rules[i].artifact\n version := input.policy.rules[i].version\n metric := concat(\"\", [\"^.*:\", artifact, \":\", version, \"$\"])\n}\n\nviolations[{\n\t\"metric\": metric,\n\t\"message\": message,\n\t\"valid\": false\n}] {\n\tmetric := rules[i].metric\n\trules_not_matched[_].metric == metric\n\tmessage := sprintf(\"Package rule not met. Artifact: %s, and Version: %s\", [rules[i].artifact, rules[i].version])\n}\n\nlibrary[output] {\n output := input.data.components[_].components[_].component_id\n}\n\nrules_matched[output] {\n output := rules[i]\n re_match(rules[i].metric, input.data.components[_].components[_].component_id)\n}\n\nrules_not_matched = rules - rules_matched"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/package_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"package_safelist"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - cve_safelist v2",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.cve_safelist\n\ndefault valid = false\n\nvalid = true {\n\tcount(rules) >= 0\n\tcount(violations) == 0\n}\n\nrules[{\n\t\"metric\": metric\n}] {\n metric := concat(\"\", [\"^\", input.policy.rules[_].cve, \"$\"])\n}\n\nviolations[{\n\t\"metric\": metric,\n\t\"message\": message,\n\t\"valid\": false\n}] {\n\tmetric := rules[i].metric\n\trules_matched[_].metric == metric\n\tmessage := sprintf(\"CVE rule matched. Rule: %s\", [metric])\n}\n\ncves[output] { \n output := input.data.issues[_].cves[_].cve\n}\n\nrules_matched[output] {\n output := rules[i]\n re_match(rules[i].metric, cves[_])\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/cve_safelist",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"cve_safelist"
]
}
},
"response": []
},
{
"name": "Create & Update Policies - security_issue_analysis v2",
"request": {
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "package citadel.security_issue_analysis\n\ndefault valid = false\ndefault allIssues = 0\ndefault criticalIssues = 0\ndefault highIssues = 0\ndefault mediumIssues = 0\ndefault lowIssues = 0\n\nvalid {\n\tallValid := [output | output := summary[_].valid]\n\tall(allValid)\n}\n\nallIssues = count(input.data.issues)\n\ncriticalIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Critical\"\n\toutput := issue\n}\ncriticalIssues = output {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Critical\"\n\toutput = count(issue)\n} else = output {\n\toutput = 0\n}\n\nhighIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"High\"\n\toutput := issue\n}\nhighIssues = count(highIssuesList)\n\nmediumIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Medium\"\n\toutput := issue\n}\nmediumIssues = count(mediumIssuesList)\n\nlowIssuesList[output] {\n\tissue := input.data.issues[_]\n\tissue.severity == \"Low\"\n\toutput := issue\n}\nlowIssues = count(lowIssuesList)\n\n\nsummary[output] {\n\toutput := issues_matched(\"All\")\n} {\n\toutput := issues_matched(\"Critical\")\n} {\n\toutput := issues_matched(\"High\")\n} {\n\toutput := issues_matched(\"Medium\")\n} {\n\toutput := issues_matched(\"Low\")\n}\n\nissues_detail = { \"All\": allIssues, \"Critical\": criticalIssues, \"High\": highIssues, \"Medium\": mediumIssues, \"Low\": lowIssues }\n\nissues_matched(severity) = output {\n\trule := input.policy.rules[i]\n\trule.severity == severity\n\tissueCount := issues_detail[severity]\n\tvalid_value(rule.count, issueCount, rule.operator)\n\toutput := issues_object(severity, issueCount, rule.count, rule.operator, true)\n} else = output {\n\trule := input.policy.rules[i]\n\trule.severity == severity\n\tissueCount := issues_detail[severity]\n\toutput := issues_object(severity, issueCount, rule.count, rule.operator, false)\n} \n\nissues_object(severity, issues, rule, operator, valid) = { \"severity\": 
severity, \"issues\" : issues, \"rule\": rule, \"operator\": operator, \"valid\": valid }\n\nvalid_value(rule, value, operator) {\n\toperator == \"equal\"\n\tto_number(value) = to_number(rule)\n} else {\n\toperator == \"not equal\"\n\tto_number(value) != to_number(rule)\n} else {\n\toperator == \"less than\"\n\tto_number(value) < to_number(rule)\n} else {\n\toperator == \"less than or equal\"\n\tto_number(value) <= to_number(rule)\n} else {\n\toperator == \"greater than\"\n\tto_number(value) > to_number(rule)\n} else {\n\toperator == \"greater than or equal\"\n\tto_number(value) >= to_number(rule)\n}\n\nviolations[{\n\t\"metric\": metric,\n\t\"message\": message,\n\t\"valid\": false\n}] {\n\tnot summary[i].valid\n\tmetric := sprintf(\"%v %s Issues\", [summary[i].issues, summary[i].severity])\n\tmessage := sprintf(\"%v %s %v %s Issues was not satisfied\", [summary[i].issues, summary[i].operator, summary[i].rule, summary[i].severity])\n}\n\nissuesBySeverity(severity) = [output] {\n\tissue := input.data.issues[_]\n\tissue.severity == severity\n\toutput := issue\n}\n"
},
"url": {
"raw": "http://localhost:8181/v1/policies/citadel/security_issue_analysis",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies",
"citadel",
"security_issue_analysis"
]
}
},
"response": []
},
{
"name": "Policies",
"protocolProfileBehavior": {
"disableBodyPruning": true
},
"request": {
"method": "GET",
"header": [
{
"key": "Content-Type",
"value": "application/json",
"type": "text"
}
],
"body": {
"mode": "raw",
"raw": "{\n \"rules\": {\n \"id\" : \"12345\",\n \"key\" : \"static_code_analysis\",\n \"name\" : \"Static Code Analysis\",\n \"description\":\"The following policy metrics are retrieved from SonarQube\",\n \"order\" : \"0\",\n \"rules\" : [{\n \"key\" : \"lines\",\n \"type\": \"number\",\n \"operator\": \"\",\n \"value\":\"500\"\n },\n {\n \"key\" : \"complexity\", \n \"type\": \"percentage\",\n \"operator\": \"less than\",\n \"value\":\"\"\n },\n {\n \"key\" : \"staticIssuesTotal\", \n \"type\": \"number\",\n \"operator\": \"less than\",\n \"value\": \"10\"\n }]\n },\n \"data\": {\n \"staticIssuesTotal\": \"9\",\n \"staticCriticalIssuesTotal\": \"0\",\n \"staticFilesTotal\": \"29\"\n }\n}"
},
"url": {
"raw": "http://localhost:8181/v1/policies",
"protocol": "http",
"host": [
"localhost"
],
"port": "8181",
"path": [
"v1",
"policies"
]
}
},
"response": []
}
]
}