From 3123c88f01a67abc3e18af68722880d63afc7dee Mon Sep 17 00:00:00 2001 From: "Jose I. Paris" Date: Mon, 16 Mar 2026 17:18:57 +0100 Subject: [PATCH] fix(ci): clean up grype scan files after attestation Remove leftover vuln-*.json files from the working directory after attestation so the create-pull-request action does not include them in the generated PR. Closes #2785 Signed-off-by: Jose I. Paris --- .github/workflows/release.yaml | 3 + vuln-artifact-cas-amd64.json | 16 -- vuln-artifact-cas-arm64.json | 16 -- vuln-artifact-cas-v1-82-0.json | 16 -- vuln-artifact-cas-v1-82-1.json | 16 -- vuln-cli-amd64.json | 16 -- vuln-cli-arm64.json | 16 -- vuln-cli-v1-82-0.json | 16 -- vuln-cli-v1-82-1.json | 16 -- vuln-control-plane-amd64.json | 16 -- vuln-control-plane-arm64.json | 16 -- vuln-control-plane-migrations-amd64.json | 227 --------------------- vuln-control-plane-migrations-arm64.json | 227 --------------------- vuln-control-plane-migrations-v1-82-0.json | 227 --------------------- vuln-control-plane-migrations-v1-82-1.json | 227 --------------------- vuln-control-plane-v1-82-0.json | 16 -- vuln-control-plane-v1-82-1.json | 16 -- 17 files changed, 3 insertions(+), 1100 deletions(-) delete mode 100644 vuln-artifact-cas-amd64.json delete mode 100644 vuln-artifact-cas-arm64.json delete mode 100644 vuln-artifact-cas-v1-82-0.json delete mode 100644 vuln-artifact-cas-v1-82-1.json delete mode 100644 vuln-cli-amd64.json delete mode 100644 vuln-cli-arm64.json delete mode 100644 vuln-cli-v1-82-0.json delete mode 100644 vuln-cli-v1-82-1.json delete mode 100644 vuln-control-plane-amd64.json delete mode 100644 vuln-control-plane-arm64.json delete mode 100644 vuln-control-plane-migrations-amd64.json delete mode 100644 vuln-control-plane-migrations-arm64.json delete mode 100644 vuln-control-plane-migrations-v1-82-0.json delete mode 100644 vuln-control-plane-migrations-v1-82-1.json delete mode 100644 vuln-control-plane-v1-82-0.json delete mode 100644 vuln-control-plane-v1-82-1.json diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a47211769..ed2e308f5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -177,6 +177,9 @@ jobs: fi done + # Clean up vulnerability scan files so they don't get picked up by the create-pull-request action + rm -f ./vuln-*.json + # Attest the cli binaries binaries=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Binary" and .extra.ID!="binaries-cli") | select(.path | startswith("dist/cli")) | .path') echo "$binaries" | while IFS= read -r entry; do diff --git a/vuln-artifact-cas-amd64.json b/vuln-artifact-cas-amd64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-artifact-cas-amd64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-artifact-cas-arm64.json b/vuln-artifact-cas-arm64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-artifact-cas-arm64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-artifact-cas-v1-82-0.json b/vuln-artifact-cas-v1-82-0.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-artifact-cas-v1-82-0.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-artifact-cas-v1-82-1.json b/vuln-artifact-cas-v1-82-1.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-artifact-cas-v1-82-1.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-cli-amd64.json b/vuln-cli-amd64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-cli-amd64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-cli-arm64.json b/vuln-cli-arm64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-cli-arm64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-cli-v1-82-0.json b/vuln-cli-v1-82-0.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-cli-v1-82-0.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-cli-v1-82-1.json b/vuln-cli-v1-82-1.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-cli-v1-82-1.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-amd64.json b/vuln-control-plane-amd64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-control-plane-amd64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-arm64.json b/vuln-control-plane-arm64.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-control-plane-arm64.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-migrations-amd64.json b/vuln-control-plane-migrations-amd64.json deleted file mode 100644 index 07df2d539..000000000 --- a/vuln-control-plane-migrations-amd64.json +++ /dev/null @@ -1,227 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype", - "rules": [ - { - "id": "CVE-2026-25679-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-25679 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-25679\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)", - "markdown": "**Vulnerability CVE-2026-25679**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "CVE-2026-27142-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27142 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27142\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)", - "markdown": "**Vulnerability CVE-2026-27142**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "name": "GoModuleMatcherExactDirectMatch", - "shortDescription": { - "text": "GHSA-fw7p-63qq-7hpr low vulnerability for filippo.io/edwards25519 package" - }, - "fullDescription": { - "text": "filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity" - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability GHSA-fw7p-63qq-7hpr\nSeverity: low\nPackage: filippo.io/edwards25519\nVersion: v1.1.0\nFix Version: 1.1.1\nType: go-module\nLocation: /atlas\nData Namespace: github:language:go\nLink: [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr)", - "markdown": "**Vulnerability GHSA-fw7p-63qq-7hpr**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | filippo.io/edwards25519 | v1.1.0 | 1.1.1 | go-module | /atlas | github:language:go | [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/filippo.io/edwards25519@v1.1.0" - ], - "security-severity": "1.7" - } - }, - { - "id": "CVE-2026-27139-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27139 low vulnerability for stdlib package" - }, - "fullDescription": { - "text": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27139\nSeverity: low\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)", - "markdown": "**Vulnerability CVE-2026-27139**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "2.5" - } - } - ] - } - }, - "results": [ - { - "ruleId": "CVE-2026-25679-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "CVE-2026-27142-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: filippo.io/edwards25519, version v1.1.0 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "e8be0fc45c4ccad0bc2aa081b057f8a96a29ec9f2b6fa32f1ec7e35322d3eac4:1" - } - }, - { - "ruleId": "CVE-2026-27139-stdlib", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-amd64@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-migrations-arm64.json b/vuln-control-plane-migrations-arm64.json deleted file mode 100644 index 0d20d1f07..000000000 --- a/vuln-control-plane-migrations-arm64.json +++ /dev/null @@ -1,227 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype", - "rules": [ - { - "id": "CVE-2026-25679-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-25679 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-25679\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)", - "markdown": "**Vulnerability CVE-2026-25679**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "CVE-2026-27142-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27142 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27142\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)", - "markdown": "**Vulnerability CVE-2026-27142**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "name": "GoModuleMatcherExactDirectMatch", - "shortDescription": { - "text": "GHSA-fw7p-63qq-7hpr low vulnerability for filippo.io/edwards25519 package" - }, - "fullDescription": { - "text": "filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity" - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability GHSA-fw7p-63qq-7hpr\nSeverity: low\nPackage: filippo.io/edwards25519\nVersion: v1.1.0\nFix Version: 1.1.1\nType: go-module\nLocation: /atlas\nData Namespace: github:language:go\nLink: [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr)", - "markdown": "**Vulnerability GHSA-fw7p-63qq-7hpr**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | filippo.io/edwards25519 | v1.1.0 | 1.1.1 | go-module | /atlas | github:language:go | [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/filippo.io/edwards25519@v1.1.0" - ], - "security-severity": "1.7" - } - }, - { - "id": "CVE-2026-27139-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27139 low vulnerability for stdlib package" - }, - "fullDescription": { - "text": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27139\nSeverity: low\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)", - "markdown": "**Vulnerability CVE-2026-27139**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "2.5" - } - } - ] - } - }, - "results": [ - { - "ruleId": "CVE-2026-25679-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64@sha256:964bd688c0e24d4c6fdef59623a9dfc2530c7f6fbda6ef393464d1c3056e82e7:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "89354f05e32cb9a36525d61fae4851de004cc0f19963fe409cf660e0ee4218d2:1" - } - }, - { - "ruleId": "CVE-2026-27142-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64@sha256:964bd688c0e24d4c6fdef59623a9dfc2530c7f6fbda6ef393464d1c3056e82e7:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "89354f05e32cb9a36525d61fae4851de004cc0f19963fe409cf660e0ee4218d2:1" - } - }, - { - "ruleId": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: filippo.io/edwards25519, version v1.1.0 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64@sha256:964bd688c0e24d4c6fdef59623a9dfc2530c7f6fbda6ef393464d1c3056e82e7:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "390150c8d3e38551f59fa1e9cb0565df4199dc774312ea50b9b8f5ddc3b564c1:1" - } - }, - { - "ruleId": "CVE-2026-27139-stdlib", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1-arm64@sha256:964bd688c0e24d4c6fdef59623a9dfc2530c7f6fbda6ef393464d1c3056e82e7:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "89354f05e32cb9a36525d61fae4851de004cc0f19963fe409cf660e0ee4218d2:1" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-migrations-v1-82-0.json b/vuln-control-plane-migrations-v1-82-0.json deleted file mode 100644 index 5c8866f7f..000000000 --- a/vuln-control-plane-migrations-v1-82-0.json +++ /dev/null @@ -1,227 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype", - "rules": [ - { - "id": "CVE-2026-25679-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-25679 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-25679\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)", - "markdown": "**Vulnerability CVE-2026-25679**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "CVE-2026-27142-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27142 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27142\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)", - "markdown": "**Vulnerability CVE-2026-27142**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "name": "GoModuleMatcherExactDirectMatch", - "shortDescription": { - "text": "GHSA-fw7p-63qq-7hpr low vulnerability for filippo.io/edwards25519 package" - }, - "fullDescription": { - "text": "filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity" - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability GHSA-fw7p-63qq-7hpr\nSeverity: low\nPackage: filippo.io/edwards25519\nVersion: v1.1.0\nFix Version: 1.1.1\nType: go-module\nLocation: /atlas\nData Namespace: github:language:go\nLink: [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr)", - "markdown": "**Vulnerability GHSA-fw7p-63qq-7hpr**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | filippo.io/edwards25519 | v1.1.0 | 1.1.1 | go-module | /atlas | github:language:go | [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/filippo.io/edwards25519@v1.1.0" - ], - "security-severity": "1.7" - } - }, - { - "id": "CVE-2026-27139-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27139 low vulnerability for stdlib package" - }, - "fullDescription": { - "text": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27139\nSeverity: low\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)", - "markdown": "**Vulnerability CVE-2026-27139**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "2.5" - } - } - ] - } - }, - "results": [ - { - "ruleId": "CVE-2026-25679-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "CVE-2026-27142-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: filippo.io/edwards25519, version v1.1.0 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "e8be0fc45c4ccad0bc2aa081b057f8a96a29ec9f2b6fa32f1ec7e35322d3eac4:1" - } - }, - { - "ruleId": "CVE-2026-27139-stdlib", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.0@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-migrations-v1-82-1.json b/vuln-control-plane-migrations-v1-82-1.json deleted file mode 100644 index 89c6dea96..000000000 --- a/vuln-control-plane-migrations-v1-82-1.json +++ /dev/null @@ -1,227 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype", - "rules": [ - { - "id": "CVE-2026-25679-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-25679 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-25679\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)", - "markdown": "**Vulnerability CVE-2026-25679**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "CVE-2026-27142-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27142 high vulnerability for stdlib package" - }, - "fullDescription": { - "text": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27142\nSeverity: high\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142)", - "markdown": "**Vulnerability CVE-2026-27142**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27142](https://nvd.nist.gov/vuln/detail/CVE-2026-27142) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "7.5" - } - }, - { - "id": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "name": "GoModuleMatcherExactDirectMatch", - "shortDescription": { - "text": "GHSA-fw7p-63qq-7hpr low vulnerability for filippo.io/edwards25519 package" - }, - "fullDescription": { - "text": "filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity" - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability GHSA-fw7p-63qq-7hpr\nSeverity: low\nPackage: filippo.io/edwards25519\nVersion: v1.1.0\nFix Version: 1.1.1\nType: go-module\nLocation: /atlas\nData Namespace: github:language:go\nLink: [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr)", - "markdown": "**Vulnerability GHSA-fw7p-63qq-7hpr**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | filippo.io/edwards25519 | v1.1.0 | 1.1.1 | go-module | /atlas | github:language:go | [GHSA-fw7p-63qq-7hpr](https://github.com/advisories/GHSA-fw7p-63qq-7hpr) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/filippo.io/edwards25519@v1.1.0" - ], - "security-severity": "1.7" - } - }, - { - "id": "CVE-2026-27139-stdlib", - "name": "GoModuleMatcherCpeMatch", - "shortDescription": { - "text": "CVE-2026-27139 low vulnerability for stdlib package" - }, - "fullDescription": { - "text": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root." - }, - "helpUri": "https://github.com/anchore/grype", - "help": { - "text": "Vulnerability CVE-2026-27139\nSeverity: low\nPackage: stdlib\nVersion: go1.25.7\nFix Version: 1.25.8,1.26.1\nType: go-module\nLocation: /atlas\nData Namespace: nvd:cpe\nLink: [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139)", - "markdown": "**Vulnerability CVE-2026-27139**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | stdlib | go1.25.7 | 1.25.8,1.26.1 | go-module | /atlas | nvd:cpe | [CVE-2026-27139](https://nvd.nist.gov/vuln/detail/CVE-2026-27139) |\n" - }, - "properties": { - "purls": [ - "pkg:golang/stdlib@1.25.7" - ], - "security-severity": "2.5" - } - } - ] - } - }, - "results": [ - { - "ruleId": "CVE-2026-25679-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "CVE-2026-27142-stdlib", - "level": "error", - "message": { - "text": "A high vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - }, - { - "ruleId": "GHSA-fw7p-63qq-7hpr-filippo.io/edwards25519", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: filippo.io/edwards25519, version v1.1.0 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "e8be0fc45c4ccad0bc2aa081b057f8a96a29ec9f2b6fa32f1ec7e35322d3eac4:1" - } - }, - { - "ruleId": "CVE-2026-27139-stdlib", - "level": "note", - "message": { - "text": "A low vulnerability in go-module package: stdlib, version go1.25.7 was found in image ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1 at: /atlas" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "control-plane-migrations//atlas" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "logicalLocations": [ - { - "name": "/atlas", - "fullyQualifiedName": "ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.82.1@sha256:f7033924300831ae1ddc7ce6b8de62020deea1474d12734a1bf0ac8ddc22e796:/atlas" - } - ] - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "cf90192787b4f6efeff028f5e5d10640b5cf27774ca2a89f0a8920a6d9f99ff7:1" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-v1-82-0.json b/vuln-control-plane-v1-82-0.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-control-plane-v1-82-0.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file diff --git a/vuln-control-plane-v1-82-1.json b/vuln-control-plane-v1-82-1.json deleted file mode 100644 index f677fb425..000000000 --- a/vuln-control-plane-v1-82-1.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "name": "grype", - "version": "0.109.1", - "informationUri": "https://github.com/anchore/grype" - } - }, - "results": [] - } - ] -} \ No newline at end of file