From f2d5299d91cb7062d81a186ca6430b8d84d73cab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 21 Dec 2021 04:31:22 +0300 Subject: [PATCH] feat: vuln attest support (#1168) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın Co-authored-by: Furkan Türkal Signed-off-by: Batuhan Apaydın Co-authored-by: Furkan Türkal Signed-off-by: Batuhan Apaydın --- .github/workflows/build.yaml | 4 +- cmd/cosign/cli/options/predicate.go | 4 +- doc/cosign_attest.md | 2 +- doc/cosign_verify-attestation.md | 2 +- pkg/cosign/attestation/attestation.go | 50 +++ specs/COSIGN_VULN_ATTESTATION_SPEC.md | 435 ++++++++++++++++++++++++++ 6 files changed, 491 insertions(+), 6 deletions(-) create mode 100644 specs/COSIGN_VULN_ATTESTATION_SPEC.md diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d00e49f622ff..0f96b3c0b74c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -34,9 +34,7 @@ jobs: - uses: actions/setup-go@v2 with: go-version: '1.17.x' - - uses: imjasonh/setup-ko@v0.4 - with: - version: tip + - uses: imjasonh/setup-ko@main - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@master with: diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go index ed682c630948..691de3d1e7f0 100644 --- a/cmd/cosign/cli/options/predicate.go +++ b/cmd/cosign/cli/options/predicate.go @@ -32,6 +32,7 @@ const ( PredicateSLSA = "slsaprovenance" PredicateSPDX = "spdx" PredicateLink = "link" + PredicateVuln = "vuln" ) // PredicateTypeMap is the mapping between the predicate `type` option to predicate URI. @@ -40,6 +41,7 @@ var PredicateTypeMap = map[string]string{ PredicateSLSA: slsa.PredicateSLSAProvenance, PredicateSPDX: in_toto.PredicateSPDX, PredicateLink: in_toto.PredicateLinkV1, + PredicateVuln: attestation.CosignVulnProvenanceV01, } // PredicateOptions is the wrapper for predicate related options. @@ -52,7 +54,7 @@ var _ Interface = (*PredicateOptions)(nil) // AddFlags implements Interface func (o *PredicateOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Type, "type", "custom", - "specify a predicate type (slsaprovenance|link|spdx|custom) or an URI") + "specify a predicate type (slsaprovenance|link|spdx|vuln|custom) or an URI") } // ParsePredicateType parses the predicate `type` flag passed into a predicate URI, or validates `type` is a valid URI. diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index d18f6111972d..ad66755526d4 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md @@ -57,7 +57,7 @@ cosign attest [flags] --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timeout duration HTTP Timeout defaults to 30 seconds (default 30s) - --type string specify a predicate type (slsaprovenance|link|spdx|custom) or an URI (default "custom") + --type string specify a predicate type (slsaprovenance|link|spdx|vuln|custom) or an URI (default "custom") ``` ### Options inherited from parent commands diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index dc36109fecad..1af6cf66cc5f 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md @@ -68,7 +68,7 @@ cosign verify-attestation [flags] --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) - --type string specify a predicate type (slsaprovenance|link|spdx|custom) or an URI (default "custom") + --type string specify a predicate type (slsaprovenance|link|spdx|vuln|custom) or an URI (default "custom") ``` ### Options inherited from parent commands diff --git a/pkg/cosign/attestation/attestation.go b/pkg/cosign/attestation/attestation.go index 8fee2cad5ae3..d26d11cd6b63 100644 --- a/pkg/cosign/attestation/attestation.go +++ b/pkg/cosign/attestation/attestation.go @@ -32,6 +32,9 @@ import ( const ( // CosignCustomProvenanceV01 specifies the type of the Predicate. CosignCustomProvenanceV01 = "cosign.sigstore.dev/attestation/v1" + + // CosignVulnProvenanceV01 specifies the type of VulnerabilityScan Predicate + CosignVulnProvenanceV01 = "cosign.sigstore.dev/attestation/vuln/v1" ) // CosignPredicate specifies the format of the Custom Predicate. @@ -40,6 +43,37 @@ type CosignPredicate struct { Timestamp string } +// VulnPredicate specifies the format of the Vulnerability Scan Predicate +type CosignVulnPredicate struct { + Invocation Invocation `json:"invocation"` + Scanners []Scanner `json:"scanners"` + Metadata Metadata `json:"metadata"` +} + +type Invocation struct { + Parameters interface{} `json:"parameters"` + URI string `json:"uri"` + EventID string `json:"event_id"` + BuilderID string `json:"builder.id"` +} + +type DB struct { + URI string `json:"uri"` + Version string `json:"version"` +} + +type Scanner struct { + URI string `json:"uri"` + Version string `json:"version"` + DB DB `json:"db"` + Result map[string]interface{} `json:"result"` +} + +type Metadata struct { + ScanStartedOn time.Time `json:"scanStartedOn"` + ScanFinishedOn time.Time `json:"scanFinishedOn"` +} + // GenerateOpts specifies the options of the Statement generator. type GenerateOpts struct { // Predicate is the source of bytes (e.g. a file) to use as the statement's predicate. @@ -71,6 +105,8 @@ func GenerateStatement(opts GenerateOpts) (interface{}, error) { return generateSPDXStatement(predicate, opts.Digest, opts.Repo) case "link": return generateLinkStatement(predicate, opts.Digest, opts.Repo) + case "vuln": + return generateVulnStatement(predicate, opts.Digest, opts.Repo) default: stamp := timestamp(opts) predicateType := customType(opts) @@ -78,6 +114,20 @@ func GenerateStatement(opts GenerateOpts) (interface{}, error) { } } +func generateVulnStatement(predicate []byte, digest string, repo string) (interface{}, error) { + var vuln CosignVulnPredicate + + err := json.Unmarshal(predicate, &vuln) + if err != nil { + return nil, err + } + + return in_toto.Statement{ + StatementHeader: generateStatementHeader(digest, repo, CosignVulnProvenanceV01), + Predicate: vuln, + }, nil +} + func timestamp(opts GenerateOpts) string { if opts.Time == nil { opts.Time = time.Now diff --git a/specs/COSIGN_VULN_ATTESTATION_SPEC.md b/specs/COSIGN_VULN_ATTESTATION_SPEC.md new file mode 100644 index 000000000000..eb6256e80c7d --- /dev/null +++ b/specs/COSIGN_VULN_ATTESTATION_SPEC.md @@ -0,0 +1,435 @@ +# Cosign Vulnerability Scan Record Attestation Specification + +`Cosign` is heavily using [In-toto Attestations](https://github.com/in-toto/attestation) predicate models in its own +codebase. But this is not the only option you have while working with predicates in cosign. `Cosign` already defines its +own predicates: [Generic Predicate Specification](COSIGN_PREDICATE_SPEC.md). This `Vulnerability Scan` +attestation is one of them. + +Let's talk a bit about the history of this specification. We first mentioned this idea +in [in-toto attestation](https://github.com/in-toto/attestation/issues/58) repository. So many people interested in this +issue, and shared ideas about which parts are necessary which parts are not to make that specification well-purposed. +There is an also cross [issue](https://github.com/sigstore/cosign/issues/442) on cosign side that we discussed on it. + +And the final format for this is defined as follows: + +```json +{ + "_type": "https://in-toto.io/Statement/v0.1", + "subject": [ + { + ... + } + ], + // Predicate: + "predicateType": "cosign.sigstore.dev/attestation/vuln/v1", + "predicate": { + "invocation": { + "parameters": [], + // [ "--format=json", "--skip-db-update" ] + "uri": "", + // https://github.com/developer-guy/alpine/actions/runs/1071875574 + "event_id": "", + // 1071875574 + "builder.id": "" + // GitHub Actions + }, + "scanners": [ + { + "uri": "", + // pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9 + "version": "", + // 0.19.2 + "db": { + "uri": "", + // pkg:github/aquasecurity/trivy-db/commit/4c76bb580b2736d67751410fa4ab66d2b6b9b27d + "version": "" + // "v1-2021080612" + }, + "result": {} + } + ], + "metadata": { + "scanStartedOn": "", + // 2021-08-06T17:45:50.52Z + "scanFinishedOn": "" + // 2021-08-06T17:50:50.52Z + } + } +} +``` + +## Fields + +**scanners** + +> There are lots of container image scanners such as Trivy, Grype, Clair, etc. +> This field describes about which one of them are used while scanning container image, +> and also give information about which Vulnerability DB is used while doing scan also with version informations attached. + +**scanners.uri** string (ResourceURI), optional + +> > URI indicating the identity of the source of the scanner. + +**scanners.version** string (ResourceURI), optional + +> The version of the scanner. + +**scanners.db.uri** string (ResourceURI), optional + +> URI indicating the identity of the source of the Vulnerability DB. + +**scanners.db.version** string, optional + +> The version of the Vulnerability DB. + +**scanners.result** object + +> This is the most important part of this field because it'll store the scan result as a whole. So, people might want +> to use this field to take decisions based on them by making use of Policy Engines tooling whether allow or deny these images. + +**metadata.buildStartedOn string (Timestamp), required** + +> The timestamp of when the build started. + +**metadata.buildFinishedOn string (Timestamp), required** + +> The timestamp of when the build completed. + +```shell +$ trivy image -f json alpine:3.12 +``` + +
+ +Scan Result + +```json +{ + "SchemaVersion": 2, + "ArtifactName": "alpine:3.12", + "ArtifactType": "container_image", + "Metadata": { + "OS": { + "Family": "alpine", + "Name": "3.12.9" + }, + "ImageID": "sha256:b0925e0819214cd29937af66dbaf0e6fe239997faea60922cc890f9984512507", + "DiffIDs": [ + "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + ], + "RepoTags": [ + "alpine:3.12" + ], + "RepoDigests": [ + "alpine@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280" + ], + "ImageConfig": { + "architecture": "amd64", + "container": "385e1cc96cc7482dfb6847e293bb24baecd3f48a49791b9b45e297204b160287", + "created": "2021-11-12T17:20:08.442217528Z", + "docker_version": "20.10.7", + "history": [ + { + "created": "2021-11-12T17:20:08.190319702Z", + "created_by": "/bin/sh -c #(nop) ADD file:8f5bc5ce64ef781adadca88e4004e17affc72e6f20dbd08b9c478def12fe1dd3 in / " + }, + { + "created": "2021-11-12T17:20:08.442217528Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + ] + }, + "config": { + "Cmd": [ + "/bin/sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Image": "sha256:7d1c1e4b291dc9519b43a2b9c9330655927f6dfde90d36ef5fd16b2ae0f28bbc" + } + } + }, + "Results": [ + { + "Target": "alpine:3.12 (alpine 3.12.9)", + "Class": "os-pkgs", + "Type": "alpine", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-28831", + "PkgName": "busybox", + "InstalledVersion": "1.31.1-r21", + "FixedVersion": "1.32.1-r4", + "Layer": { + "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb", + "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "Title": "busybox: invalid free or segmentation fault via malformed gzip data", + "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755" + ], + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1" + ], + "PublishedDate": "2021-03-19T05:15:00Z", + "LastModifiedDate": "2021-05-26T10:15:00Z" + }, + { + "VulnerabilityID": "CVE-2021-28831", + "PkgName": "ssl_client", + "InstalledVersion": "1.31.1-r21", + "FixedVersion": "1.32.1-r4", + "Layer": { + "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb", + "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "Title": "busybox: invalid free or segmentation fault via malformed gzip data", + "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755" + ], + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1" + ], + "PublishedDate": "2021-03-19T05:15:00Z", + "LastModifiedDate": "2021-05-26T10:15:00Z" + } + ] + } + ] +} +``` + +
+ +Here is an example predicate containing a vulnerability scan result above: + +```json +{ + "predicate": { + "invocation": { + "parameters": [ + "--format=json" + ], + "uri": "https://github.com/developer-guy/alpine/actions/runs/1071875574", + "event_id": "1071875574", + "builder.id": "github actions" + }, + "scanners": [ + { + "uri": "pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9", + "version": "0.19.2", + "db": { + "uri": "pkg:github/aquasecurity/trivy-db/commit/4c76bb580b2736d67751410fa4ab66d2b6b9b27d", + "version": "v1-2021080612" + }, + "result": { + "SchemaVersion": 2, + "ArtifactName": "alpine:3.12", + "ArtifactType": "container_image", + "Metadata": { + "OS": { + "Family": "alpine", + "Name": "3.12.9" + }, + "ImageID": "sha256:b0925e0819214cd29937af66dbaf0e6fe239997faea60922cc890f9984512507", + "DiffIDs": [ + "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + ], + "RepoTags": [ + "alpine:3.12" + ], + "RepoDigests": [ + "alpine@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280" + ], + "ImageConfig": { + "architecture": "amd64", + "container": "385e1cc96cc7482dfb6847e293bb24baecd3f48a49791b9b45e297204b160287", + "created": "2021-11-12T17:20:08.442217528Z", + "docker_version": "20.10.7", + "history": [ + { + "created": "2021-11-12T17:20:08.190319702Z", + "created_by": "/bin/sh -c #(nop) ADD file:8f5bc5ce64ef781adadca88e4004e17affc72e6f20dbd08b9c478def12fe1dd3 in / " + }, + { + "created": "2021-11-12T17:20:08.442217528Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + ] + }, + "config": { + "Cmd": [ + "/bin/sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Image": "sha256:7d1c1e4b291dc9519b43a2b9c9330655927f6dfde90d36ef5fd16b2ae0f28bbc" + } + } + }, + "Results": [ + { + "Target": "alpine:3.12 (alpine 3.12.9)", + "Class": "os-pkgs", + "Type": "alpine", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2021-28831", + "PkgName": "busybox", + "InstalledVersion": "1.31.1-r21", + "FixedVersion": "1.32.1-r4", + "Layer": { + "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb", + "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "Title": "busybox: invalid free or segmentation fault via malformed gzip data", + "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755" + ], + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1" + ], + "PublishedDate": "2021-03-19T05:15:00Z", + "LastModifiedDate": "2021-05-26T10:15:00Z" + }, + { + "VulnerabilityID": "CVE-2021-28831", + "PkgName": "ssl_client", + "InstalledVersion": "1.31.1-r21", + "FixedVersion": "1.32.1-r4", + "Layer": { + "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb", + "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831", + "Title": "busybox: invalid free or segmentation fault via malformed gzip data", + "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-755" + ], + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09", + "https://ubuntu.com/security/notices/USN-5179-1" + ], + "PublishedDate": "2021-03-19T05:15:00Z", + "LastModifiedDate": "2021-05-26T10:15:00Z" + } + ] + } + ] + } + } + ], + "metadata": { + "scanStartedOn": "2021-08-06T17:45:50.52Z", + "scanFinishedOn": "2021-08-06T17:50:50.52Z" + } + } +} +``` +