On Mon 9 Mar 2026, 17:27 Patrick Hunt <[email protected]> wrote:

> I noticed that there are GHSA reports which don't always have CVEs
> assigned. We have the OWASP scanner scanning for CVEs as part of our
> Jenkins infra, however not GHSA. Should we add this?
>
> There's a tool "osv-scanner" which I ran locally on my machine (not sure if
> this is running right but ...), it reported the following for trunk....
>

Is it possible to run it on GitHub Actions instead of Jenkins?

In any case I am +1 to add new popular scanners, because having their
reports can help us see the problems as soon as they hit users.

Enrico

> Regards,
>
> Patrick
>
> ..... <clip general logs> ....
> End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls,
> 3.877381125s elapsed, 3.877341s wall time
> Filtered 3 local/unscannable package/s from the scan.
> Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High,
> 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
> 10 vulnerabilities can be fixed.
>
> ╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────────────────┬─────────┬───────────────┬──────────────────────────────────────────────────────╮
> │ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                               │ VERSION │ FIXED VERSION │ SOURCE                                               │
> ├─────────────────────────────────────┼──────┼───────────┼───────────────────────────────────────┼─────────┼───────────────┼──────────────────────────────────────────────────────┤
> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
> │ https://osv.dev/GHSA-cfxw-4h78-h7fw │ 8.9  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
> │ https://osv.dev/GHSA-crjg-w57m-rqqf │ 7.7  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
> │ https://osv.dev/GHSA-mmwx-rj87-vfgr │ 7.1  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
> │ https://osv.dev/GHSA-4cx2-fc23-5wg6 │ 6.3  │ Maven     │ org.bouncycastle:bcpkix-jdk18on (dev) │ 1.78    │ 1.79          │ zookeeper-server/pom.xml                             │
> ╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴─────────┴───────────────┴──────────────────────────────────────────────────────╯
>
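Patrick's point above is that a scanner keyed on CVE ids cannot report an advisory that only exists as a GHSA. As an added example (not code from the thread or from the ZooKeeper project), the Python script below reads the JSON form of an osv-scanner report, collapses the duplicate hits that the same logback version produces across several pom.xml files, and lists the advisories that have no CVE alias at all, which is exactly the set a CVE-only job would miss. The JSON layout (results/source/packages/vulnerabilities) and the OSV `aliases` field are assumptions about osv-scanner's `--format json` output, and the sample report is constructed with placeholder advisory ids.

```python
"""Triage `osv-scanner --format json` output: which advisories would a CVE-only scanner miss?"""
import json
import sys
from collections import defaultdict

# Constructed sample in the assumed shape of osv-scanner's JSON report (results[] -> source.path,
# packages[] -> package{name,version} + vulnerabilities[] OSV entries with `id`/`aliases`). Package
# names, versions and pom.xml paths are from the report quoted in the thread; the ids are placeholders.
LOGBACK = {"name": "ch.qos.logback:logback-core", "version": "1.3.15"}
LOGBACK_VULNS = [{"id": "GHSA-cnst-0000-0001", "aliases": ["CVE-0000-00001"]},
                 {"id": "GHSA-cnst-0000-0002", "aliases": []}]
SAMPLE_REPORT = json.dumps({"results": [
    {"source": {"path": "zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml"},
     "packages": [{"package": LOGBACK, "vulnerabilities": LOGBACK_VULNS}]},
    {"source": {"path": "zookeeper-contrib/zookeeper-contrib-rest/pom.xml"},
     "packages": [{"package": LOGBACK, "vulnerabilities": LOGBACK_VULNS}]},
    {"source": {"path": "zookeeper-server/pom.xml"}, "packages": [
        {"package": {"name": "dnsjava:dnsjava", "version": "3.5.1"},
         "vulnerabilities": [{"id": "GHSA-cnst-0000-0003", "aliases": ["CVE-0000-00003"]}]},
        {"package": {"name": "org.bouncycastle:bcpkix-jdk18on", "version": "1.78"},
         "vulnerabilities": [{"id": "GHSA-cnst-0000-0004", "aliases": []}]}]}]})

def load_findings(report_json: str) -> list[dict]:
    """One row per (source file, package, advisory); CVE ids come from the OSV entry's `aliases`."""
    rows = []
    for result in json.loads(report_json).get("results", []):
        path = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            for vuln in pkg.get("vulnerabilities", []):
                cves = sorted(a for a in vuln.get("aliases", []) if a.startswith("CVE-"))
                rows.append({"source": path, "package": meta.get("name", "?"),
                             "version": meta.get("version", "?"), "id": vuln.get("id", "?"), "cves": cves})
    return rows

def triage(report_json: str) -> dict:
    """Raw findings, distinct advisories, per-package ids, and the advisories with no CVE alias."""
    rows = load_findings(report_json)
    by_package = defaultdict(set)
    for r in rows:
        by_package[f'{r["package"]}@{r["version"]}'].add(r["id"])
    return {"findings": len(rows),  # osv-scanner counts the same advisory once per source file
            "distinct_advisories": len({r["id"] for r in rows}),
            "cve_only_scanner_misses": sorted({r["id"] for r in rows if not r["cves"]}),
            "packages": {k: sorted(v) for k, v in by_package.items()}}

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(json.dumps(summary, indent=2))
    sys.exit(1 if summary["cve_only_scanner_misses"] else 0)  # fail CI on CVE-less advisories
```

On a real run, feed it the output of `osv-scanner --format json` instead of SAMPLE_REPORT; the non-zero exit is what makes a CI job (Jenkins or GitHub Actions) go red.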
