# Run the spdx-to-osv tool, taking the information from the SPDX SBOM and mapping it to OSV vulnerabilities $ java -jar ./target/spdx-to-osv-0.0.4-SNAPSHOT-jar-with-dependencies.jar -I k8s-1.21.3-source.spdx -O out-k8s.1.21.3.json
# Show the output OSV vulnerabilities of the spdx-to-osv tool $ cat out-k8s.1.21.3.json … { "id": "GHSA-w73w-5m7g-f7qc", "published": "2021-05-18T21:08:21Z", "modified": "2021-06-28T21:32:34Z", "aliases": [ "CVE-2020-26160" ], "summary": "Authorization bypass in github.com/dgrijalva/jwt-go", "details": "jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1", "affected": [ { "package": { "name": "github.com/dgrijalva/jwt-go", "ecosystem": "Go", "purl": "pkg:golang/github.com/dgrijalva/jwt-go" }, …
|