diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index f2ac0c853e..2f51edd29e 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -18,7 +18,7 @@ services: - .env environment: <<: *dev-env - command: ./manage.py runserver --skip-checks 0.0.0.0:8001 + command: ./manage.py runserver --skip-checks --insecure 0.0.0.0:8001 volumes: - ./scanpipe:/opt/scancodeio/scanpipe ports: diff --git a/scancodeio/static/main.css b/scancodeio/static/main.css index 171489290d..b554d801dd 100644 --- a/scancodeio/static/main.css +++ b/scancodeio/static/main.css @@ -391,9 +391,6 @@ progress.file-upload::before { #message-list th#column-severity { min-width: 110px; } -th#column-vulnerability_id { - min-width: 220px; -} th#column-summary { width: 40%; } diff --git a/scanpipe/management/commands/check-compliance.py b/scanpipe/management/commands/check-compliance.py index 0016177a01..84ada60341 100644 --- a/scanpipe/management/commands/check-compliance.py +++ b/scanpipe/management/commands/check-compliance.py @@ -110,8 +110,8 @@ def check_vulnerabilities(self): if self.verbosity > 0: if vulnerabilities_count: self.stderr.write(f"{vulnerabilities_count} vulnerabilities found:") - for vulnerability_id, vulnerability_data in all_vulnerabilities.items(): - self.stderr.write(str(vulnerability_id)) + for advisory_id, vulnerability_data in all_vulnerabilities.items(): + self.stderr.write(str(advisory_id)) for affected_obj in vulnerability_data.get("affects", []): self.stderr.write(f" > {affected_obj}") else: diff --git a/scanpipe/migrations/0080_vulnerablecode_v3_data.py b/scanpipe/migrations/0080_vulnerablecode_v3_data.py new file mode 100644 index 0000000000..f89b0dd8c6 --- /dev/null +++ b/scanpipe/migrations/0080_vulnerablecode_v3_data.py @@ -0,0 +1,34 @@ +# Generated by Django 6.0.3 on 2026-04-14 11:10 + +from django.db import migrations +from django.db.models import Q + + +def add_advisory_id(apps, schema_editor): + """Copy vulnerability_id to advisory_id in affected_by_vulnerabilities entries.""" + DiscoveredPackage = apps.get_model("scanpipe", "DiscoveredPackage") + DiscoveredDependency = apps.get_model("scanpipe", "DiscoveredDependency") + EMPTY_VALUES = [None, [], ""] + + vulnerable = ~Q(affected_by_vulnerabilities__in=EMPTY_VALUES) + + for model in [DiscoveredPackage, DiscoveredDependency]: + for instance in model.objects.filter(vulnerable): + for entry in instance.affected_by_vulnerabilities: + if "advisory_id" not in entry: + entry["advisory_id"] = entry.get("vulnerability_id", "") + instance.save(update_fields=["affected_by_vulnerabilities"]) + + +class Migration(migrations.Migration): + + dependencies = [ + ('scanpipe', '0079_apitoken_data'), + ] + + operations = [ + migrations.RunPython( + add_advisory_id, + reverse_code=migrations.RunPython.noop, + ), + ] diff --git a/scanpipe/models.py b/scanpipe/models.py index f941240dd9..8680205e2f 100644 --- a/scanpipe/models.py +++ b/scanpipe/models.py @@ -1573,7 +1573,7 @@ def vulnerabilities(self): """ Return a dict of all vulnerabilities affecting this project. - Combines package and dependency vulnerabilities, keyed by vulnerability_id. + Combines package and dependency vulnerabilities, keyed by advisory_id. Each vulnerability includes an "affects" list of all affected packages and dependencies. """ @@ -1583,11 +1583,13 @@ def vulnerabilities(self): for queryset in querysets: vulnerabilities = queryset.get_vulnerabilities_dict() - for vcid, vuln_data in vulnerabilities.items(): - if vcid in vulnerabilities_dict: - vulnerabilities_dict[vcid]["affects"].extend(vuln_data["affects"]) + for advisory_id, vuln_data in vulnerabilities.items(): + if advisory_id in vulnerabilities_dict: + vulnerabilities_dict[advisory_id]["affects"].extend( + vuln_data["affects"] + ) else: - vulnerabilities_dict[vcid] = vuln_data + vulnerabilities_dict[advisory_id] = vuln_data return vulnerabilities_dict @@ -3361,24 +3363,22 @@ def get_vulnerabilities_list(self): queryset. Extracts and flattens the affected_by_vulnerabilities field from - all objects in the queryset. Removes duplicates based on vulnerability_id + all objects in the queryset. Removes duplicates based on advisory_id while preserving the first occurrence of each unique vulnerability. """ vulnerabilities_lists = self.values_list(self.AFFECTED_BY_FIELD, flat=True) flatten_vulnerabilities = chain.from_iterable(vulnerabilities_lists) - # Deduplicate by vulnerability_id while preserving order + # Deduplicate by advisory_id while preserving order unique_vulnerabilities = { - vuln["vulnerability_id"]: vuln for vuln in flatten_vulnerabilities + vuln["advisory_id"]: vuln for vuln in flatten_vulnerabilities } - return sorted( - unique_vulnerabilities.values(), key=itemgetter("vulnerability_id") - ) + return sorted(unique_vulnerabilities.values(), key=itemgetter("advisory_id")) def get_vulnerabilities_dict(self): """ - Return a dict of vulnerabilities keyed by vulnerability_id. + Return a dict of vulnerabilities keyed by advisory_id. Each vulnerability includes an "affects" list containing all objects from this queryset affected by that vulnerability. @@ -3386,7 +3386,7 @@ def get_vulnerabilities_dict(self): Returns: dict: { 'VCID-1': { - 'vulnerability_id': 'VCID-1', + 'advisory_id': 'VCID-1', 'affects': [obj1, obj2, ...] }, ... @@ -3397,13 +3397,13 @@ def get_vulnerabilities_dict(self): for obj in self.vulnerable_ordered(): for vulnerability in obj.affected_by_vulnerabilities: - vcid = vulnerability.get("vulnerability_id") - if not vcid: + advisory_id = vulnerability.get("advisory_id") + if not advisory_id: continue - if vcid not in vulnerabilities_dict: - vulnerabilities_dict[vcid] = {**vulnerability, "affects": []} - vulnerabilities_dict[vcid]["affects"].append(obj) + if advisory_id not in vulnerabilities_dict: + vulnerabilities_dict[advisory_id] = {**vulnerability, "affects": []} + vulnerabilities_dict[advisory_id]["affects"].append(obj) return vulnerabilities_dict diff --git a/scanpipe/pipes/cyclonedx.py b/scanpipe/pipes/cyclonedx.py index 00a59bd4e2..08b21ad55c 100644 --- a/scanpipe/pipes/cyclonedx.py +++ b/scanpipe/pipes/cyclonedx.py @@ -188,7 +188,7 @@ def cyclonedx_component_to_package_data( cdx_vulnerability_json = cdx_vulnerability.as_json(view_=BaseSchemaVersion) affected_by_vulnerabilities.append( { - "vulnerability_id": str(cdx_vulnerability.id), + "advisory_id": str(cdx_vulnerability.id), "summary": cdx_vulnerability.description, "cdx_vulnerability_data": json.loads(cdx_vulnerability_json), } diff --git a/scanpipe/pipes/output.py b/scanpipe/pipes/output.py index 03fc4ca51c..ce4fb9908a 100644 --- a/scanpipe/pipes/output.py +++ b/scanpipe/pipes/output.py @@ -579,7 +579,7 @@ def add_vulnerabilities_sheet(workbook, project): ] vulnerability_fields = [ - "vulnerability_id", + "advisory_id", "aliases", "summary", "risk_score", @@ -863,7 +863,7 @@ def vulnerability_as_cyclonedx(vulnerability_data, component_bom_ref): ] return cdx_vulnerability.Vulnerability( - id=vulnerability_data.get("vulnerability_id"), + id=vulnerability_data.get("advisory_id"), source=source, description=vulnerability_data.get("summary"), affects=affects, diff --git a/scanpipe/pipes/vulnerablecode.py b/scanpipe/pipes/vulnerablecode.py index 061c8e2028..06fbe5a644 100644 --- a/scanpipe/pipes/vulnerablecode.py +++ b/scanpipe/pipes/vulnerablecode.py @@ -35,7 +35,7 @@ VULNERABLECODE_API_URL = None VULNERABLECODE_URL = settings.VULNERABLECODE_URL if VULNERABLECODE_URL: - VULNERABLECODE_API_URL = f"{VULNERABLECODE_URL}/api/" + VULNERABLECODE_API_URL = f"{VULNERABLECODE_URL.rstrip('/')}/api/v3" # Basic Authentication VULNERABLECODE_USER = settings.VULNERABLECODE_USER @@ -63,7 +63,7 @@ def is_available(): return False try: - response = session.head(VULNERABLECODE_API_URL) + response = session.head(VULNERABLECODE_API_URL, allow_redirects=True) response.raise_for_status() except requests.exceptions.RequestException as request_exception: logger.debug(f"{label} is_available() error: {request_exception}") @@ -91,28 +91,6 @@ def get_purls(packages): return [package_url for package in packages if (package_url := package.package_url)] -def request_get( - url, - payload=None, - timeout=None, -): - """Send a GET request to `url` with optional `payload` and return the response.""" - if not url: - return - - params = {"format": "json"} - if payload: - params.update(payload) - - logger.debug(f"{label}: url={url} params={params}") - try: - response = session.get(url, params=params, timeout=timeout) - response.raise_for_status() - return response.json() - except (requests.RequestException, ValueError, TypeError) as exception: - logger.debug(f"{label} [Exception] {exception}") - - def request_post( url, data, @@ -127,88 +105,29 @@ def request_post( logger.debug(f"{label} [Exception] {exception}") -def _get_vulnerabilities( - url, - field_name, - field_value, - timeout=None, -): - """Get the list of vulnerabilities.""" - payload = {field_name: field_value} - - response = request_get(url=url, payload=payload, timeout=timeout) - if response and response.get("count"): - results = response["results"] - return results - - -def get_vulnerabilities_by_purl( - purl, - timeout=None, - api_url=VULNERABLECODE_API_URL, -): - """Get the list of vulnerabilities providing a package `purl`.""" - return _get_vulnerabilities( - url=f"{api_url}packages/", - field_name="purl", - field_value=purl, - timeout=timeout, - ) - - -def get_vulnerabilities_by_cpe( - cpe, - timeout=None, - api_url=VULNERABLECODE_API_URL, -): - """Get the list of vulnerabilities providing a package or component `cpe`.""" - return _get_vulnerabilities( - url=f"{api_url}cpes/", - field_name="cpe", - field_value=cpe, - timeout=timeout, - ) - - def bulk_search_by_purl( purls, timeout=None, api_url=VULNERABLECODE_API_URL, ): """Bulk search of vulnerabilities using the provided list of `purls`.""" - url = f"{api_url}packages/bulk_search" + url = f"{api_url.rstrip('/')}/packages" data = { "purls": purls, - "vulnerabilities_only": True, + "details": True, } logger.debug(f"VulnerableCode: url={url} purls_count={len(purls)}") return request_post(url, data, timeout) -def bulk_search_by_cpes( - cpes, - timeout=None, - api_url=VULNERABLECODE_API_URL, -): - """Bulk search of vulnerabilities using the provided list of `cpes`.""" - url = f"{api_url}cpes/bulk_search" - - data = { - "cpes": cpes, - } - - logger.debug(f"VulnerableCode: url={url} cpes_count={len(cpes)}") - return request_post(url, data, timeout) - - def filter_vulnerabilities(vulnerabilities, ignore_set): """Filter out vulnerabilities based on a list of ignored IDs and aliases.""" return [ vulnerability for vulnerability in vulnerabilities - if vulnerability.get("vulnerability_id") not in ignore_set + if vulnerability.get("advisory_id") not in ignore_set and not any(alias in ignore_set for alias in vulnerability.get("aliases", [])) ] @@ -223,9 +142,12 @@ def fetch_vulnerabilities( vulnerabilities_by_purl = {} for purls_batch in chunked(get_purls(packages), chunk_size): + # Add support for pagination + # {'count': 17, 'next': None, 'previous': None, 'results': [....] response_data = bulk_search_by_purl(purls_batch) - for vulnerability_data in response_data: - vulnerabilities_by_purl[vulnerability_data["purl"]] = vulnerability_data + for vulnerability_data in response_data["results"]: + purl = vulnerability_data["purl"] + vulnerabilities_by_purl[purl] = vulnerability_data unsaved_objects = [] for package in packages: diff --git a/scanpipe/templates/scanpipe/includes/vulnerability_id.html b/scanpipe/templates/scanpipe/includes/vulnerability_id.html index 51b3b18163..ea7f6922bd 100644 --- a/scanpipe/templates/scanpipe/includes/vulnerability_id.html +++ b/scanpipe/templates/scanpipe/includes/vulnerability_id.html @@ -1,30 +1,30 @@ -{% if vulnerability.vulnerability_id|slice:":4" == "VCID" and VULNERABLECODE_URL %} - - {{ vulnerability.vulnerability_id }} - - +{% if vulnerability.resource_url %} + {{ vulnerability.advisory_id }} + + {% else %} - {{ vulnerability.vulnerability_id }} + {{ vulnerability.advisory_id }} {% endif %} - - \ No newline at end of file +{% if vulnerability.aliases %} + +{% endif %} \ No newline at end of file diff --git a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html index e9d296b77d..24672646a7 100644 --- a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html +++ b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html @@ -1,28 +1,38 @@ -
- - +
+ + + + + + + + + + + + {% for vulnerability in tab_data.fields.affected_by_vulnerabilities.value %} - - - + + + + + + - - - {% for vulnerability in tab_data.fields.affected_by_vulnerabilities.value %} - - - - - - {% endfor %} - -
Affected bySummaryExploitabilitySeverityRiskAnalysis
Affected bySummaryAnalysis + {% include 'scanpipe/includes/vulnerability_id.html' with vulnerability=vulnerability %} + + {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %} + + {{ vulnerability.exploitability|default_if_none:"" }} + + {{ vulnerability.weighted_severity|default_if_none:"" }} + + {{ vulnerability.risk_score|default_if_none:"" }} + + {% for key, value in vulnerability.cdx_vulnerability.analysis.items %} + {{ key }}: {{ value }}{% if not forloop.last %}
{% endif %} + {% endfor %} +
- {% include 'scanpipe/includes/vulnerability_id.html' with vulnerability=vulnerability VULNERABLECODE_URL=tab_data.VULNERABLECODE_URL %} - - {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %} - - {% for key, value in vulnerability.cdx_vulnerability.analysis.items %} - {{ key }}: {{ value }}{% if not forloop.last %}
{% endif %} - {% endfor %} -
-
\ No newline at end of file + {% endfor %} + + \ No newline at end of file diff --git a/scanpipe/templates/scanpipe/vulnerability_list.html b/scanpipe/templates/scanpipe/vulnerability_list.html index 6eb4ed4043..b9b94ad325 100644 --- a/scanpipe/templates/scanpipe/vulnerability_list.html +++ b/scanpipe/templates/scanpipe/vulnerability_list.html @@ -23,6 +23,15 @@ {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %} + + {{ vulnerability.exploitability|default_if_none:"" }} + + + {{ vulnerability.weighted_severity|default_if_none:"" }} + + + {{ vulnerability.risk_score|default_if_none:"" }} + {% for obj in vulnerability.affects %} {{ obj }}
diff --git a/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json b/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json index e587c0f2e8..393f5accb5 100644 --- a/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json +++ b/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json @@ -157,70 +157,9 @@ ], "description": "Django bypasses validation when using one form field to upload multiple files", "id": "VCID-589h-ndhj-aaab", - "ratings": [ - { - "severity": "critical", - "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" - }, - "vector": "" - }, - { - "severity": "medium", - "source": { - "url": "https://groups.google.com/forum/#!forum/django-announce" - }, - "vector": "" - }, - { - "score": 6.5, - "source": { - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json" - }, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" - }, - { - "score": 9.8, - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" - }, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - { - "id": "", - "source": { - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json" - } - }, - { - "id": "", - "source": { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047" - } - }, - { - "id": "", - "source": { - "url": "https://groups.google.com/forum/#!forum/django-announce" - } - }, - { - "id": "CVE-2023-31047", - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" - } - }, - { - "id": "GHSA-r3xc-prgr-mg9p", - "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" - } - } - ], "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" + "name": "VulnerableCode", + "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137" } } ] diff --git a/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json b/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json index 0748e85cf6..0f0511c9a9 100644 --- a/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json +++ b/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json @@ -1,63 +1,7 @@ { "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137", - "vulnerability_id": "VCID-589h-ndhj-aaab", + "advisory_id": "VCID-589h-ndhj-aaab", "summary": "Django bypasses validation when using one form field to upload multiple files", - "references": [ - { - "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json", - "reference_id": "", - "scores": [ - { - "value": "6.5", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" - } - ], - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json" - }, - { - "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047", - "reference_id": "", - "scores": [], - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047" - }, - { - "reference_url": "https://groups.google.com/forum/#!forum/django-announce", - "reference_id": "", - "scores": [ - { - "value": "Medium", - "scoring_system": "generic_textual", - "scoring_elements": "" - } - ], - "url": "https://groups.google.com/forum/#!forum/django-announce" - }, - { - "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047", - "reference_id": "CVE-2023-31047", - "scores": [ - { - "value": "9.8", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" - }, - { - "reference_url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p", - "reference_id": "GHSA-r3xc-prgr-mg9p", - "scores": [ - { - "value": "CRITICAL", - "scoring_system": "cvssv3.1_qr", - "scoring_elements": "" - } - ], - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" - } - ], "weaknesses": [ { "cwe_id": 1, diff --git a/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json b/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json index c1c957144c..e328643733 100644 --- a/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json +++ b/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json @@ -9,69 +9,8 @@ ], "description": "Django bypasses validation when using one form field to upload multiple files", "id": "VCID-589h-ndhj-aaab", - "ratings": [ - { - "severity": "critical", - "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" - }, - "vector": "" - }, - { - "severity": "medium", - "source": { - "url": "https://groups.google.com/forum/#!forum/django-announce" - }, - "vector": "" - }, - { - "score": 6.5, - "source": { - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json" - }, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" - }, - { - "score": 9.8, - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" - }, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - { - "id": "", - "source": { - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json" - } - }, - { - "id": "", - "source": { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047" - } - }, - { - "id": "", - "source": { - "url": "https://groups.google.com/forum/#!forum/django-announce" - } - }, - { - "id": "CVE-2023-31047", - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" - } - }, - { - "id": "GHSA-r3xc-prgr-mg9p", - "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" - } - } - ], "source": { - "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p" + "name": "VulnerableCode", + "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137" } } \ No newline at end of file diff --git a/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json b/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json index f2ccc21900..f00839031d 100644 --- a/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json +++ b/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json @@ -1,696 +1,2355 @@ { - "url": "http://vulnerablecode/api/packages/807568", - "purl": "pkg:pypi/django@5.0", - "type": "pypi", - "namespace": "", - "name": "django", - "version": "5.0", - "qualifiers": {}, - "subpath": "", - "next_non_vulnerable_version": "5.0.3", - "latest_non_vulnerable_version": "5.0.3", - "affected_by_vulnerabilities": [ + "count": 1, + "next": null, + "previous": null, + "results": [ { - "url": "http://vulnerablecode/api/vulnerabilities/516832", - "vulnerability_id": "VCID-3gge-bre2-aaac", - "summary": "", - "references": [ + "purl": "pkg:pypi/django@5.0", + "affected_by_vulnerabilities": [ { - "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-102", + "aliases": [ + "BIT-django-2024-45230", + "CVE-2024-45230", + "GHSA-5hgc-2vfp-mqvc" + ], + "weighted_severity": 6.2, + "exploitability": 0.5, + "risk_score": 3.1, + "summary": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:30:05Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45230.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:30:05Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45230.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:30:05Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45230.json" + }, { - "value": "7.5", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:30:05Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45230.json" } ], - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json" - }, - { - "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680", - "reference_id": "", - "scores": [], - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.9", + "pkg:pypi/django@5.1.1", + "pkg:pypi/django@4.2.16" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-102" }, { - "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security", - "reference_id": "", - "scores": [ + "advisory_id": "GHSA-6w2r-r2m5-xq5w", + "aliases": [ + "CVE-2025-57833" + ], + "weighted_severity": 6.4, + "exploitability": 0.5, + "risk_score": 3.2, + "summary": "Django is subject to SQL injection through its column aliases\nAn issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/", + "decision": "Track*", + "options": [ + { + "Exploitation": "poc" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/57xxx/CVE-2025-57833.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/", + "decision": "Track*", + "options": [ + { + "Exploitation": "poc" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/57xxx/CVE-2025-57833.json" } ], - "url": "https://docs.djangoproject.com/en/5.0/releases/security" - }, - { - "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security/", - "reference_id": "", - "scores": [], - "url": "https://docs.djangoproject.com/en/5.0/releases/security/" + "fixed_by_packages": [ + "pkg:pypi/django@5.1.12" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-6w2r-r2m5-xq5w" }, { - "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-67", + "aliases": [ + "BIT-django-2024-41989", + "CVE-2024-41989", + "GHSA-jh75-99hh-qvx9" + ], + "weighted_severity": 6.2, + "exploitability": 0.5, + "risk_score": 3.1, + "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.", + "ssvc_trees": [ { - "value": "2.1", - "scoring_system": "cvssv2", - "scoring_elements": "AV:N/AC:H/Au:S/C:N/I:P/A:N" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T19:34:43Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41989.json" }, { - "value": "4.4", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T19:34:43Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41989.json" }, { - "value": "4.7", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T19:34:43Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41989.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T19:34:43Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41989.json" } ], - "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.8", + "pkg:pypi/django@4.2.15" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-67" }, { - "reference_url": "https://github.com/django/django", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-68", + "aliases": [ + "BIT-django-2024-41990", + "CVE-2024-41990", + "GHSA-795c-9xpc-xw6g" + ], + "weighted_severity": 6.2, + "exploitability": 0.5, + "risk_score": 3.1, + "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T15:20:51Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41990.json" + }, { - "value": "7.5", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T15:20:51Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41990.json" }, { - "value": "HIGH", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T15:20:51Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41990.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T15:20:51Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41990.json" } ], - "url": "https://github.com/django/django" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.8", + "pkg:pypi/django@4.2.15" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-68" }, { - "reference_url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-69", + "aliases": [ + "BIT-django-2024-41991", + "CVE-2024-41991", + "GHSA-r836-hh6v-rg5g" + ], + "weighted_severity": 6.2, + "exploitability": 0.5, + "risk_score": 3.1, + "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T17:57:11Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41991.json" + }, { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T17:57:11Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41991.json" }, { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T17:57:11Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41991.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T17:57:11Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/41xxx/CVE-2024-41991.json" } ], - "url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.8", + "pkg:pypi/django@4.2.15" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-69" }, { - "reference_url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-70", + "aliases": [ + "BIT-django-2024-42005", + "CVE-2024-42005", + "GHSA-pv4p-cwwg-4rph" + ], + "weighted_severity": 8.4, + "exploitability": 0.5, + "risk_score": 4.2, + "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-16T20:19:17Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/42xxx/CVE-2024-42005.json" + }, { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-16T20:19:17Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/42xxx/CVE-2024-42005.json" }, { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-16T20:19:17Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/42xxx/CVE-2024-42005.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-16T20:19:17Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/42xxx/CVE-2024-42005.json" } ], - "url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.8", + "pkg:pypi/django@4.2.15" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-70" }, { - "reference_url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2", - "reference_id": "", - "scores": [ + "advisory_id": "GHSA-7xr5-9hcq-chf9", + "aliases": [ + "CVE-2025-48432" + ], + "weighted_severity": 3.6, + "exploitability": 0.5, + "risk_score": 1.8, + "summary": "Django Improper Output Neutralization for Logs vulnerability\nAn issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/48xxx/CVE-2025-48432.json" }, { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/48xxx/CVE-2025-48432.json" } ], - "url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2" + "fixed_by_packages": [ + "pkg:pypi/django@5.1.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-7xr5-9hcq-chf9" }, { - "reference_url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820", - "reference_id": "", - "scores": [ - { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, + "advisory_id": "GHSA-8498-2h75-472j", + "aliases": [ + "CVE-2024-53907" + ], + "weighted_severity": 6.8, + "exploitability": 0.5, + "risk_score": 3.4, + "summary": "Django denial-of-service in django.utils.html.strip_tags()\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.", + "ssvc_trees": [ { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53907.json" } ], - "url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-8498-2h75-472j" }, { - "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml", - "reference_id": "", - "scores": [ - { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, + "advisory_id": "GHSA-m9g8-fxxm-xg86", + "aliases": [ + "CVE-2024-53908" + ], + "weighted_severity": 8.8, + "exploitability": 0.5, + "risk_score": 4.4, + "summary": "Django SQL injection in HasKey(lhs, rhs) on Oracle\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)", + "ssvc_trees": [ { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53908.json" } ], - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-m9g8-fxxm-xg86" }, { - "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-56", + "aliases": [ + "BIT-django-2024-38875", + "CVE-2024-38875", + "GHSA-qg2p-9jwr-mmqf" + ], + "weighted_severity": 7.8, + "exploitability": 0.5, + "risk_score": 3.9, + "summary": "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:43:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/38xxx/CVE-2024-38875.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:43:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/38xxx/CVE-2024-38875.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:43:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/38xxx/CVE-2024-38875.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:43:12Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/38xxx/CVE-2024-38875.json" } ], - "url": "https://groups.google.com/forum/#%21forum/django-announce" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.7", + "pkg:pypi/django@4.2.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-56" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-57", + "aliases": [ + "BIT-django-2024-39329", + "CVE-2024-39329", + "GHSA-x7q2-wr7g-xqmf" + ], + "weighted_severity": 6.2, + "exploitability": 0.5, + "risk_score": 3.1, + "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T16:17:00Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39329.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T16:17:00Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39329.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T16:17:00Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39329.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T16:17:00Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39329.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.7", + "pkg:pypi/django@4.2.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-57" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-58", + "aliases": [ + "BIT-django-2024-39330", + "CVE-2024-39330", + "GHSA-9jmf-237g-qf46" + ], + "weighted_severity": 7.8, + "exploitability": 0.5, + "risk_score": 3.9, + "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:59:56Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39330.json" + }, + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:59:56Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39330.json" + }, { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:59:56Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39330.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:59:56Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39330.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.7", + "pkg:pypi/django@4.2.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-58" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-59", + "aliases": [ + "BIT-django-2024-39614", + "CVE-2024-39614", + "GHSA-f6f8-9mx6-9mx2" + ], + "weighted_severity": 7.8, + "exploitability": 0.5, + "risk_score": 3.9, + "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:29:40Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39614.json" + }, { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:29:40Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39614.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:29:40Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39614.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:29:40Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39614.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.7", + "pkg:pypi/django@4.2.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-59" }, { - "reference_url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases", - "reference_id": "", - "scores": [ + "advisory_id": "GHSA-frmv-pr5f-9mcr", + "aliases": [ + "CVE-2025-64459" + ], + "weighted_severity": 8.2, + "exploitability": 2.0, + "risk_score": 10.0, + "summary": "Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.\nAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64459.json" }, { - "value": "MODERATE", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64459.json" } ], - "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases" - }, - { - "reference_url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/", - "reference_id": "", - "scores": [], - "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/" - }, - { - "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261856", - "reference_id": "2261856", - "scores": [], - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261856" - }, - { - "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", - "reference_id": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", - "scores": [], - "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*" + "fixed_by_packages": [ + "pkg:pypi/django@5.1.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-frmv-pr5f-9mcr" }, { - "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680", - "reference_id": "CVE-2024-24680", - "scores": [ + "advisory_id": "GHSA-qw25-v68c-qjf3", + "aliases": [ + "CVE-2025-64458" + ], + "weighted_severity": 6.8, + "exploitability": 0.5, + "risk_score": 3.4, + "summary": "Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows\nAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nNFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64458.json" + }, { - "value": "7.5", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64458.json" } ], - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680" + "fixed_by_packages": [ + "pkg:pypi/django@5.1.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-qw25-v68c-qjf3" }, { - "reference_url": "https://github.com/advisories/GHSA-xxj9-f6rv-m3x4", - "reference_id": "GHSA-xxj9-f6rv-m3x4", - "scores": [ + "advisory_id": "PYSEC-2025-13", + "aliases": [ + "BIT-django-2025-26699", + "CVE-2025-26699", + "GHSA-p3fp-8748-vqfq" + ], + "weighted_severity": 4.5, + "exploitability": 0.5, + "risk_score": 2.2, + "summary": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/26xxx/CVE-2025-26699.json" + }, + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/26xxx/CVE-2025-26699.json" + }, + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/26xxx/CVE-2025-26699.json" + }, { - "value": "MODERATE", - "scoring_system": "cvssv3.1_qr", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/26xxx/CVE-2025-26699.json" } ], - "url": "https://github.com/advisories/GHSA-xxj9-f6rv-m3x4" - }, - { - "reference_url": "https://access.redhat.com/errata/RHSA-2024:1057", - "reference_id": "RHSA-2024:1057", - "scores": [], - "url": "https://access.redhat.com/errata/RHSA-2024:1057" - }, - { - "reference_url": "https://access.redhat.com/errata/RHSA-2024:1878", - "reference_id": "RHSA-2024:1878", - "scores": [], - "url": "https://access.redhat.com/errata/RHSA-2024:1878" - }, - { - "reference_url": "https://access.redhat.com/errata/RHSA-2024:2731", - "reference_id": "RHSA-2024:2731", - "scores": [], - "url": "https://access.redhat.com/errata/RHSA-2024:2731" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.13", + "pkg:pypi/django@4.2.20", + "pkg:pypi/django@5.1.7" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2025-13" }, { - "reference_url": "https://usn.ubuntu.com/6623-1/", - "reference_id": "USN-6623-1", - "scores": [], - "url": "https://usn.ubuntu.com/6623-1/" - } - ], - "fixed_packages": [ - { - "url": "http://vulnerablecode/api/packages/807572", - "purl": "pkg:pypi/django@5.0.2", - "is_vulnerable": true, - "affected_by_vulnerabilities": [ - { - "vulnerability": "VCID-q4q6-yfng-aaag" - } + "advisory_id": "GHSA-qcgg-j2x8-h9g8", + "aliases": [ + "CVE-2024-56374" ], - "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0.2" - } - ], - "aliases": [ - "BIT-django-2024-24680", - "CVE-2024-24680", - "GHSA-xxj9-f6rv-m3x4", - "PYSEC-2024-28" - ], - "resource_url": "http://vulnerablecode/vulnerabilities/VCID-3gge-bre2-aaac" - }, - { - "url": "http://vulnerablecode/api/vulnerabilities/522941", - "vulnerability_id": "VCID-q4q6-yfng-aaag", - "summary": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.", - "references": [ - { - "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27351.json", - "reference_id": "", - "scores": [ + "weighted_severity": 5.2, + "exploitability": 0.5, + "risk_score": 2.6, + "summary": "Django has a potential denial-of-service vulnerability in IPv6 validation\nAn issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions `clean_ipv6_address` and `is_valid_ipv6_address` are vulnerable, as is the `django.forms.GenericIPAddressField` form field. (The django.db.models.GenericIPAddressField model field is not affected.)", + "ssvc_trees": [ { - "value": "7.5", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T19:40:35Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56374.json" } ], - "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27351.json" - }, - { - "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351", - "reference_id": "", - "scores": [], - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.11" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-qcgg-j2x8-h9g8" }, { - "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security", - "reference_id": "", - "scores": [ + "advisory_id": "GHSA-rrqc-c2jx-6jgv", + "aliases": [ + "CVE-2024-45231" + ], + "weighted_severity": 5.7, + "exploitability": 0.5, + "risk_score": 2.8, + "summary": "Django allows enumeration of user e-mail addresses\nAn issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:35:34Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45231.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:35:34Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45231.json" } ], - "url": "https://docs.djangoproject.com/en/5.0/releases/security" - }, - { - "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security/", - "reference_id": "", - "scores": [], - "url": "https://docs.djangoproject.com/en/5.0/releases/security/" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.9" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-rrqc-c2jx-6jgv" }, { - "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-47", + "aliases": [ + "BIT-django-2024-27351", + "CVE-2024-27351", + "GHSA-vm8q-m57g-pff3" + ], + "weighted_severity": 4.8, + "exploitability": 0.5, + "risk_score": 2.4, + "summary": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-20T19:41:21Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/27xxx/CVE-2024-27351.json" + }, { - "value": "2.1", - "scoring_system": "cvssv2", - "scoring_elements": "AV:N/AC:H/Au:S/C:N/I:P/A:N" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-20T19:41:21Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/27xxx/CVE-2024-27351.json" }, { - "value": "4.4", - "scoring_system": "cvssv3", - "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-20T19:41:21Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/27xxx/CVE-2024-27351.json" }, { - "value": "4.7", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-20T19:41:21Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/27xxx/CVE-2024-27351.json" } ], - "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" + "fixed_by_packages": [ + "pkg:pypi/django@5.0.3", + "pkg:pypi/django@4.2.11", + "pkg:pypi/django@3.2.25" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-47" }, { - "reference_url": "https://github.com/django/django", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2025-14", + "aliases": [ + "BIT-django-2025-27556", + "CVE-2025-27556", + "GHSA-wqfg-m96j-85vm" + ], + "weighted_severity": 5.2, + "exploitability": 0.5, + "risk_score": 2.6, + "summary": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.", + "ssvc_trees": [ { - "value": "7.5", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-02T13:21:14Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/27xxx/CVE-2025-27556.json" }, { - "value": "HIGH", - "scoring_system": "generic_textual", - "scoring_elements": "" - } - ], - "url": "https://github.com/django/django" - }, - { - "reference_url": "https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521", - "reference_id": "", - "scores": [ + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-02T13:21:14Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/27xxx/CVE-2025-27556.json" + }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" - } - ], - "url": "https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521" - }, - { - "reference_url": "https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e", - "reference_id": "", - "scores": [ + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-02T13:21:14Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/27xxx/CVE-2025-27556.json" + }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-02T13:21:14Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/27xxx/CVE-2025-27556.json" } ], - "url": "https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e" + "fixed_by_packages": [ + "pkg:pypi/django@5.1.8", + "pkg:pypi/django@5.0.14" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2025-14" }, { - "reference_url": "https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-28", + "aliases": [ + "BIT-django-2024-24680", + "CVE-2024-24680", + "GHSA-xxj9-f6rv-m3x4" + ], + "weighted_severity": 7.4, + "exploitability": 0.5, + "risk_score": 3.7, + "summary": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", + "ssvc_trees": [ + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24680.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24680.json" + }, + { + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24680.json" + }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:36Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24680.json" } ], - "url": "https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a" + "fixed_by_packages": [ + "pkg:pypi/django@4.2.10", + "pkg:pypi/django@3.2.24", + "pkg:pypi/django@5.0.2" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-28" }, { - "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml", - "reference_id": "", - "scores": [ + "advisory_id": "CVE-2024-53907", + "aliases": [ + "GHSA-8498-2h75-472j" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "Django denial-of-service in django.utils.html.strip_tags()\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.", + "ssvc_trees": [ { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53907.json" } ], - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml" + "fixed_by_packages": [ + "pkg:pypi/django@4.2.17", + "pkg:pypi/django@5.1.4", + "pkg:pypi/django@5.0.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/gitlab_importer_v2/pypi/Django/CVE-2024-53907" }, { - "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", - "reference_id": "", - "scores": [ - { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, + "advisory_id": "CVE-2024-53908", + "aliases": [ + "GHSA-m9g8-fxxm-xg86" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "Django SQL injection in HasKey(lhs, rhs) on Oracle\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)", + "ssvc_trees": [ { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53908.json" } ], - "url": "https://groups.google.com/forum/#%21forum/django-announce" + "fixed_by_packages": [ + "pkg:pypi/django@4.2.17", + "pkg:pypi/django@5.1.4", + "pkg:pypi/django@5.0.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/gitlab_importer_v2/pypi/Django/CVE-2024-53908" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX", - "reference_id": "", - "scores": [ - { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, + "advisory_id": "CVE-2024-56374", + "aliases": [ + "GHSA-qcgg-j2x8-h9g8" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "Django has a potential denial-of-service vulnerability in IPv6 validation\nAn issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions `clean_ipv6_address` and `is_valid_ipv6_address` are vulnerable, as is the `django.forms.GenericIPAddressField` form field. (The django.db.models.GenericIPAddressField model field is not affected.)", + "ssvc_trees": [ { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T19:40:35Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56374.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/" + "fixed_by_packages": [], + "resource_url": "http://public2.vulnerablecode.io/advisories/gitlab_importer_v2/pypi/Django/CVE-2024-56374" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-156", + "aliases": [ + "BIT-django-2024-53907", + "CVE-2024-53907", + "GHSA-8498-2h75-472j" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53907.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53907.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/" + "fixed_by_packages": [ + "pkg:pypi/django@4.2.17", + "pkg:pypi/django@5.1.4", + "pkg:pypi/django@5.0.10" + ], + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-156" }, { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2024-157", + "aliases": [ + "BIT-django-2024-53908", + "CVE-2024-53908", + "GHSA-m9g8-fxxm-xg86" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53908.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "total" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/53xxx/CVE-2024-53908.json" } ], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D" - }, - { - "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/", - "reference_id": "", - "scores": [], - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/" - }, - { - "reference_url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases", - "reference_id": "", - "scores": [ - { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" - } + "fixed_by_packages": [ + "pkg:pypi/django@4.2.17", + "pkg:pypi/django@5.1.4", + "pkg:pypi/django@5.0.10" ], - "url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases" + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2024-157" }, { - "reference_url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/", - "reference_id": "", - "scores": [], - "url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/" - }, - { - "reference_url": "http://www.openwall.com/lists/oss-security/2024/03/04/1", - "reference_id": "", - "scores": [ + "advisory_id": "PYSEC-2025-1", + "aliases": [ + "BIT-django-2024-56374", + "CVE-2024-56374", + "GHSA-qcgg-j2x8-h9g8" + ], + "weighted_severity": null, + "exploitability": 0.5, + "risk_score": null, + "summary": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)", + "ssvc_trees": [ { - "value": "5.9", - "scoring_system": "cvssv3.1", - "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T19:40:35Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56374.json" }, { - "value": "LOW", - "scoring_system": "generic_textual", - "scoring_elements": "" + "vector": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T19:40:35Z/", + "decision": "Track", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "yes" + }, + { + "Technical Impact": "partial" + }, + { + "Mission Prevalence": "minimal" + }, + { + "Public Well-being Impact": "material" + }, + { + "Mission & Well-being": "medium" + } + ], + "source_url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56374.json" } ], - "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1" - }, - { - "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266045", - "reference_id": "2266045", - "scores": [], - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266045" - }, - { - "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351", - "reference_id": "CVE-2024-27351", - "scores": [], - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351" - }, - { - "reference_url": "https://github.com/advisories/GHSA-vm8q-m57g-pff3", - "reference_id": "GHSA-vm8q-m57g-pff3", - "scores": [ - { - "value": "LOW", - "scoring_system": "cvssv3.1_qr", - "scoring_elements": "" - } + "fixed_by_packages": [ + "pkg:pypi/django@5.0.11", + "pkg:pypi/django@5.1.5", + "pkg:pypi/django@4.2.18" ], - "url": "https://github.com/advisories/GHSA-vm8q-m57g-pff3" - }, - { - "reference_url": "https://access.redhat.com/errata/RHSA-2024:1878", - "reference_id": "RHSA-2024:1878", - "scores": [], - "url": "https://access.redhat.com/errata/RHSA-2024:1878" - }, - { - "reference_url": "https://access.redhat.com/errata/RHSA-2024:3781", - "reference_id": "RHSA-2024:3781", - "scores": [], - "url": "https://access.redhat.com/errata/RHSA-2024:3781" - }, - { - "reference_url": "https://usn.ubuntu.com/6674-1/", - "reference_id": "USN-6674-1", - "scores": [], - "url": "https://usn.ubuntu.com/6674-1/" - }, - { - "reference_url": "https://usn.ubuntu.com/6674-2/", - "reference_id": "USN-6674-2", - "scores": [], - "url": "https://usn.ubuntu.com/6674-2/" + "resource_url": "http://public2.vulnerablecode.io/advisories/pypa_importer_v2/django/PYSEC-2025-1" } ], - "fixed_packages": [ - { - "url": "http://vulnerablecode/api/packages/810988", - "purl": "pkg:pypi/django@5.0.3", - "is_vulnerable": false, - "affected_by_vulnerabilities": [], - "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0.3" - } - ], - "aliases": [ - "CVE-2024-27351", - "GHSA-vm8q-m57g-pff3", - "PYSEC-2024-47" - ], - "resource_url": "http://vulnerablecode/vulnerabilities/VCID-q4q6-yfng-aaag" + "fixing_vulnerabilities": [], + "next_non_vulnerable_version": "5.1.15", + "latest_non_vulnerable_version": "6.0.4", + "risk_score": 10.0 } - ], - "fixing_vulnerabilities": [], - "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0" + ] } \ No newline at end of file diff --git a/scanpipe/tests/pipes/test_cyclonedx.py b/scanpipe/tests/pipes/test_cyclonedx.py index 0ffaae395d..7ce5937121 100644 --- a/scanpipe/tests/pipes/test_cyclonedx.py +++ b/scanpipe/tests/pipes/test_cyclonedx.py @@ -250,7 +250,7 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self): self.assertEqual(1, len(packages)) affected_by = packages[0]["affected_by_vulnerabilities"] - self.assertEqual("CVE-2005-2541", affected_by[0]["vulnerability_id"]) + self.assertEqual("CVE-2005-2541", affected_by[0]["advisory_id"]) self.assertEqual( "Tar 1.15.1 does not properly warn the user when...", affected_by[0]["summary"], diff --git a/scanpipe/tests/pipes/test_vulnerablecode.py b/scanpipe/tests/pipes/test_vulnerablecode.py index f33a68cdca..643ce4dd59 100644 --- a/scanpipe/tests/pipes/test_vulnerablecode.py +++ b/scanpipe/tests/pipes/test_vulnerablecode.py @@ -46,14 +46,17 @@ def test_scanpipe_pipes_vulnerablecode_fetch_vulnerabilities( self, mock_search_by_purl ): django_5_0 = make_package(self.project1, "pkg:pypi/django@5.0") - data = self.data / "vulnerablecode/django-5.0_package_data.json" - package_data = json.loads(data.read_text()) - mock_search_by_purl.return_value = [package_data] + # POST /api/v3/packages with data: + # {"purls": ["pkg:pypi/django@5.0"], "details": true} + data = self.data / "vulnerablecode" / "django-5.0_package_data.json" + response_json = json.loads(data.read_text()) + mock_search_by_purl.return_value = response_json buffer = io.StringIO() + package_data = response_json.get("results")[0] fetch_vulnerabilities(packages=[django_5_0], logger=buffer.write) django_5_0.refresh_from_db() - self.assertEqual(2, len(package_data.get("affected_by_vulnerabilities"))) + self.assertEqual(27, len(package_data.get("affected_by_vulnerabilities"))) self.assertEqual( package_data.get("affected_by_vulnerabilities"), django_5_0.affected_by_vulnerabilities, @@ -62,27 +65,28 @@ def test_scanpipe_pipes_vulnerablecode_fetch_vulnerabilities( "1 discovered packages updated with vulnerability data.", buffer.getvalue() ) - fetch_vulnerabilities(packages=[django_5_0], ignore_set={"VCID-3gge-bre2-aaac"}) + fetch_vulnerabilities(packages=[django_5_0], ignore_set={"PYSEC-2024-28"}) django_5_0.refresh_from_db() - self.assertEqual(1, len(django_5_0.affected_by_vulnerabilities)) + self.assertEqual(26, len(django_5_0.affected_by_vulnerabilities)) def test_scanpipe_pipes_vulnerablecode_filter_vulnerabilities(self): data = self.data / "vulnerablecode/django-5.0_package_data.json" - package_data = json.loads(data.read_text()) + response_json = json.loads(data.read_text()) + package_data = response_json.get("results")[0] vulnerability_data = package_data["affected_by_vulnerabilities"] - self.assertEqual(2, len(vulnerability_data)) + self.assertEqual(27, len(vulnerability_data)) vulnerability1 = vulnerability_data[0] - self.assertEqual("VCID-3gge-bre2-aaac", vulnerability1.get("vulnerability_id")) - ignore_set = {vulnerability1.get("vulnerability_id")} - self.assertEqual(1, len(filter_vulnerabilities(vulnerability_data, ignore_set))) + self.assertEqual("PYSEC-2024-102", vulnerability1.get("advisory_id")) + ignore_set = {vulnerability1.get("advisory_id")} + self.assertEqual( + 26, len(filter_vulnerabilities(vulnerability_data, ignore_set)) + ) ignore_set = {vulnerability1.get("aliases")[0]} - self.assertEqual(1, len(filter_vulnerabilities(vulnerability_data, ignore_set))) - - vulnerability2 = vulnerability_data[1] - ignore_set.add(vulnerability2.get("aliases")[1]) - self.assertEqual([], filter_vulnerabilities(vulnerability_data, ignore_set)) + self.assertEqual( + 26, len(filter_vulnerabilities(vulnerability_data, ignore_set)) + ) def test_scanpipe_pipes_vulnerablecode_chunked(self): result = list(chunked([1, 2, 3, 4, 5], 2)) diff --git a/scanpipe/tests/test_commands.py b/scanpipe/tests/test_commands.py index e38619cd0c..cd416c6661 100644 --- a/scanpipe/tests/test_commands.py +++ b/scanpipe/tests/test_commands.py @@ -1390,7 +1390,7 @@ def test_scanpipe_management_command_check_compliance_vulnerabilities(self): out_value = out.getvalue().strip() self.assertEqual("No vulnerabilities found", out_value) - vulnerability_data = [{"vulnerability_id": "VCID-cah8-awtr-aaad"}] + vulnerability_data = [{"advisory_id": "VCID-cah8-awtr-aaad"}] package1.update(affected_by_vulnerabilities=vulnerability_data) make_dependency( project, diff --git a/scanpipe/tests/test_filters.py b/scanpipe/tests/test_filters.py index 7a8a098be7..7c8b4c4c21 100644 --- a/scanpipe/tests/test_filters.py +++ b/scanpipe/tests/test_filters.py @@ -194,9 +194,7 @@ def test_scanpipe_filters_params_for_search(self): def test_scanpipe_filters_package_filterset_is_vulnerable(self): p1 = DiscoveredPackage.create_from_data(self.project1, package_data1) p2 = DiscoveredPackage.create_from_data(self.project1, package_data2) - p2.update( - affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}] - ) + p2.update(affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}]) filterset = PackageFilterSet(data={"is_vulnerable": ""}) self.assertEqual(2, len(filterset.qs)) diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py index 6c2252e55f..c5e32901d4 100644 --- a/scanpipe/tests/test_models.py +++ b/scanpipe/tests/test_models.py @@ -654,9 +654,9 @@ def test_scanpipe_project_related_model_clone(self): self.assertNotEqual(cloned_subscription.pk, subscription1.pk) def test_scanpipe_project_vulnerability_properties(self): - v1 = {"vulnerability_id": "VCID-1"} - v2 = {"vulnerability_id": "VCID-2"} - v3 = {"vulnerability_id": "VCID-3"} + v1 = {"advisory_id": "VCID-1"} + v2 = {"advisory_id": "VCID-2"} + v3 = {"advisory_id": "VCID-3"} project = make_project() make_package(project, "pkg:type/0") p1 = make_package(project, "pkg:type/a", affected_by_vulnerabilities=[v1, v2]) @@ -673,9 +673,9 @@ def test_scanpipe_project_vulnerability_properties(self): self.assertEqual([v1, v3], project.dependency_vulnerabilities) expected = { - "VCID-1": {"vulnerability_id": "VCID-1", "affects": [p1, d1]}, - "VCID-2": {"vulnerability_id": "VCID-2", "affects": [p1]}, - "VCID-3": {"vulnerability_id": "VCID-3", "affects": [p2, d2]}, + "VCID-1": {"advisory_id": "VCID-1", "affects": [p1, d1]}, + "VCID-2": {"advisory_id": "VCID-2", "affects": [p1]}, + "VCID-3": {"advisory_id": "VCID-3", "affects": [p2, d2]}, } self.assertEqual(expected, project.vulnerabilities) self.assertEqual(4, project.vulnerability_count) @@ -2084,7 +2084,7 @@ def test_scanpipe_discovered_package_queryset_for_package_url(self): def test_scanpipe_discovered_package_queryset_vulnerable(self): p1 = DiscoveredPackage.create_from_data(self.project1, package_data1) p2 = DiscoveredPackage.create_from_data(self.project1, package_data2) - p2.update(affected_by_vulnerabilities=[{"vulnerability_id": "VCID-1"}]) + p2.update(affected_by_vulnerabilities=[{"advisory_id": "VCID-1"}]) package_qs = self.project1.discoveredpackages self.assertNotIn(p1, DiscoveredPackage.objects.vulnerable()) @@ -2093,21 +2093,21 @@ def test_scanpipe_discovered_package_queryset_vulnerable(self): p1.update( affected_by_vulnerabilities=[ - {"vulnerability_id": "VCID-1"}, - {"vulnerability_id": "VCID-2"}, + {"advisory_id": "VCID-1"}, + {"advisory_id": "VCID-2"}, ] ) - expected = [{"vulnerability_id": "VCID-1"}, {"vulnerability_id": "VCID-2"}] + expected = [{"advisory_id": "VCID-1"}, {"advisory_id": "VCID-2"}] with self.assertNumQueries(1): self.assertEqual(expected, package_qs.get_vulnerabilities_list()) expected = { "VCID-1": { - "vulnerability_id": "VCID-1", + "advisory_id": "VCID-1", "affects": [p1, p2], }, "VCID-2": { - "vulnerability_id": "VCID-2", + "advisory_id": "VCID-2", "affects": [p1], }, } @@ -2699,7 +2699,7 @@ def test_scanpipe_discovered_package_model_is_vulnerable_property(self): package = DiscoveredPackage.create_from_data(self.project1, package_data1) self.assertFalse(package.is_vulnerable) package.update( - affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}] + affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}] ) self.assertTrue(package.is_vulnerable) diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py index 7468bc4822..7ea6d8b2c0 100644 --- a/scanpipe/tests/test_pipelines.py +++ b/scanpipe/tests/test_pipelines.py @@ -1351,7 +1351,7 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration( "purl": "pkg:deb/debian/adduser@3.118?arch=all", "affected_by_vulnerabilities": [ { - "vulnerability_id": "VCID-cah8-awtr-aaad", + "advisory_id": "ID-1", "summary": "An issue was discovered.", }, ], @@ -1360,13 +1360,14 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration( "purl": "pkg:deb/debian/adduser@3.118?qualifiers=1", "affected_by_vulnerabilities": [ { - "vulnerability_id": "VCID-cah8-awtr-aaad", + "advisory_id": "ID-2", "summary": "An issue was discovered.", }, ], }, ] - mock_bulk_search_by_purl.return_value = vulnerability_data + response_json = {"results": vulnerability_data} + mock_bulk_search_by_purl.return_value = response_json exitcode, out = pipeline.execute() self.assertEqual(0, exitcode, msg=out) @@ -1651,7 +1652,7 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self): affected_by = package.affected_by_vulnerabilities[0] cdx_vulnerability_data = affected_by.pop("cdx_vulnerability_data") expected = { - "vulnerability_id": "CVE-2005-2541", + "advisory_id": "CVE-2005-2541", "summary": "Tar 1.15.1 does not properly warn the user when...", } self.assertEqual(expected, affected_by) diff --git a/scanpipe/tests/test_views.py b/scanpipe/tests/test_views.py index 3664901648..65003a4b45 100644 --- a/scanpipe/tests/test_views.py +++ b/scanpipe/tests/test_views.py @@ -1200,7 +1200,7 @@ def test_scanpipe_views_discovered_package_details_view_tabset(self): package1.add_resources([make_resource_file(self.project1, "file1.ext")]) package1.update( - affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}], + affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}], extra_data={"extra": "data"}, ) dependency_data = dependency_data1.copy() @@ -1219,7 +1219,7 @@ def test_scanpipe_views_discovered_package_details_view_tabset(self): def test_scanpipe_views_discovered_package_details_view_tab_vulnerabilities(self): package1 = DiscoveredPackage.create_from_data(self.project1, package_data1) package1.update( - affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}] + affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}] ) response = self.client.get(package1.get_absolute_url()) self.assertContains(response, "tab-vulnerabilities") @@ -1299,7 +1299,6 @@ def test_scanpipe_views_project_message_views(self): with self.assertNumQueries(5): self.client.get(url) - @override_settings(VULNERABLECODE_URL="https://vcio/") def test_scanpipe_views_vulnerability_list_view(self): self.assertEqual(0, self.project1.vulnerability_count) url = reverse("project_vulnerabilities", args=[self.project1.slug]) @@ -1307,8 +1306,11 @@ def test_scanpipe_views_vulnerability_list_view(self): response = self.client.get(url) self.assertContains(response, "No Vulnerabilities found.") - v1 = {"vulnerability_id": "VCID-1"} - v2 = {"vulnerability_id": "VCID-2"} + v1 = {"advisory_id": "VCID-1"} + v2 = { + "advisory_id": "VCID-2", + "resource_url": "https://vcio/advisories/VCID-2", + } project = make_project() make_package(project, "pkg:type/a", affected_by_vulnerabilities=[v1]) make_dependency(project, affected_by_vulnerabilities=[v2]) @@ -1318,9 +1320,9 @@ def test_scanpipe_views_vulnerability_list_view(self): with self.assertNumQueries(5): response = self.client.get(url) - expected = '' - self.assertContains(response, expected) - expected = '' + expected = "VCID-1" + self.assertContains(response, expected, html=True) + expected = '' self.assertContains(response, expected) self.assertContains(response, "pkg:type/a") diff --git a/scanpipe/views.py b/scanpipe/views.py index 4270a5be78..af9f5dabf8 100644 --- a/scanpipe/views.py +++ b/scanpipe/views.py @@ -1965,8 +1965,20 @@ class VulnerabilityListView( ): template_name = "scanpipe/vulnerability_list.html" table_columns = [ - "vulnerability_id", + { + "field_name": "advisory_id", + "label": "Advisory ID", + }, "summary", + "exploitability", + { + "field_name": "weighted_severity", + "label": "Severity", + }, + { + "field_name": "risk_score", + "label": "Risk", + }, "affects", ] @@ -1976,7 +1988,6 @@ def get_queryset(self): def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) context["object_list"] = self.project.vulnerabilities - context["VULNERABLECODE_URL"] = settings.VULNERABLECODE_URL return context @@ -2341,7 +2352,6 @@ class DiscoveredPackageDetailsView( ], "icon_class": "fa-solid fa-bug", "template": "scanpipe/tabset/tab_vulnerabilities.html", - "tab_context": {"VULNERABLECODE_URL": settings.VULNERABLECODE_URL}, }, "extra_data": { "fields": ["extra_data"],